Received: by 2002:a05:7412:b995:b0:f9:9502:5bb8 with SMTP id it21csp1947582rdb;
        Sun, 24 Dec 2023 08:54:56 -0800 (PST)
X-Google-Smtp-Source: AGHT+IHiTt191+NEBSwMNFqnoNxrsdiQI2wMGFXDHG2xdGlvw4LGprq4BUUyBYmgg3knySMIHt0q
X-Received: by 2002:a17:906:d183:b0:a23:6c6a:41a5 with SMTP id c3-20020a170906d18300b00a236c6a41a5mr2122764ejz.45.1703436896138;
        Sun, 24 Dec 2023 08:54:56 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1703436896; cv=none;
        d=google.com; s=arc-20160816;
        b=Ge1xRG0HyjoZrfYc7yGwX4NNinfYQwAz74Wal3TGLneQNC7eFhze5Q1jatpZ+dgRG5
         rOMfDpSbJhTxBT02RUtS/IeECXN2p/NHyKjF4/BJL4ik9jCe4IKELeWXbsQrjzKkBvPD
         gciDAFUG1J03ojIE98J8UDs44Kpgxu8jvxV6ZoDEZoDqjLAOARMK18y7fmWytimtA2gV
         VrqxOOHRgiVlOYlWy9hkm9vDZVwSZyrzy0KyGXiaTdFYH1izusHVgRLRFehFp/+Zpqdr
         bo0+Q+8hPVDlqgrMGcXFYGS2HCRjeZcOyPVr88HYzyBAy/NynEaRe/pq7A7yCpc7APOq
         +30A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-unsubscribe:list-subscribe:list-id:precedence:message-id:date
         :subject:cc:to:from;
        bh=/Z3Qg6fLNCmLSPiVc3bzJGjW2+t5ieVraWONlMkamqY=;
        fh=KYovjcnz99Uc/wxgCfEKehITcqlb+4FKQ/03gJzLrs4=;
        b=zYh0YBaRpP3f1+hpZZ9vnIAL7/spLZNwvXVWqqVELDj/T5ORfnu4Wjwza6aoKesaw2
         BcWmPxAMrUjniO84JPK+ssPmJ+QAAT8v93hs0hAbYoY1+W8c7FKFK6qtEhwaxySCax3P
         hXTq+xiOBuqz7a2c3u5aYAg7l09wiHmoA31+CeylK88SNHbmqAJF+Vo1xV52fydGA4ci
         /NVz6SK4SLIyDEtJ3nioq7bKp0KF+3AwkQy8McaDSX2yaqhMsjk2KOzhl46K/p+NydIB
         CN2EH6s+1kjwHJpfTBvC29Gz2L/RkQkm52g2aFDfS/Ts5+sGuBi/KCIZLvf5KgM0U+KJ
         WEVA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249])
        by mx.google.com with ESMTPS id gh15-20020a1709073c0f00b00a26aea0b71csi3011376ejc.245.2023.12.24.08.54.56
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 24 Dec 2023 08:54:56 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-10773-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by am.mirrors.kernel.org (Postfix) with ESMTPS id E11041F21AF6
	for <linux.lists.archive@gmail.com>; Sun, 24 Dec 2023 16:54:55 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 50EA0CA69;
	Sun, 24 Dec 2023 16:54:45 +0000 (UTC)
X-Original-To: linux-kernel@vger.kernel.org
Received: from zg8tmtu5ljg5lje1ms4xmtka.icoremail.net (zg8tmtu5ljg5lje1ms4xmtka.icoremail.net [159.89.151.119])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id CA8E1CA68;
	Sun, 24 Dec 2023 16:54:39 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=zju.edu.cn
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=zju.edu.cn
Received: from localhost.localdomain (unknown [39.174.92.167])
	by mail-app4 (Coremail) with SMTP id cS_KCgA3OaRAYohlOrPzAA--.30851S4;
	Mon, 25 Dec 2023 00:54:26 +0800 (CST)
From: Lin Ma <linma@zju.edu.cn>
To: jhs@mojatatu.com,
	xiyou.wangcong@gmail.com,
	jiri@resnulli.us,
	davem@davemloft.net,
	edumazet@google.com,
	kuba@kernel.org,
	pabeni@redhat.com,
	netdev@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: Lin Ma <linma@zju.edu.cn>
Subject: [PATCH net v1] net/sched: cls_api: complement tcf_tfilter_dump_policy
Date: Mon, 25 Dec 2023 00:54:13 +0800
Message-Id: <20231224165413.831486-1-linma@zju.edu.cn>
X-Mailer: git-send-email 2.17.1
X-CM-TRANSID:cS_KCgA3OaRAYohlOrPzAA--.30851S4
X-Coremail-Antispam: 1UD129KBjvJXoW7CFW7Aw1fAr43ZF1UXw17GFg_yoW8WF1xpF
	ZrW348C34DXFyUJws7G3Z7ZF9IgrZxZw4UWrZYk34IvwnxWrnxGayftayak3ZFkF48Arsx
	tF98t3yDWa1DuF7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
	9KBjDU0xBIdaVrnRJUUUv014x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0
	rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02
	1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26F4j
	6r4UJwA2z4x0Y4vEx4A2jsIE14v26r4UJVWxJr1l84ACjcxK6I8E87Iv6xkF7I0E14v26F
	4UJVW0owAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG6I80ewAv
	7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFVCjc4AY6r
	1j6r4UM4x0Y48IcxkI7VAKI48JM4x0x7Aq67IIx4CEVc8vx2IErcIFxwACI402YVCY1x02
	628vn2kIc2xKxwCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7xkEbVWUJVW8JwC20s026c
	02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E67AF67kF1VAFwI0_Jw0_
	GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCwCI42IY6xIIjxv20xvEc7
	CjxVAFwI0_Jr0_Gr1lIxAIcVCF04k26cxKx2IYs7xG6r1j6r1xMIIF0xvEx4A2jsIE14v2
	6r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Jr0_GrUvcSsGvfC2KfnxnUUI43ZEXa7VUb
	XdbUUUUUU==
X-CM-SenderInfo: qtrwiiyqvtljo62m3hxhgxhubq/
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>

In function `tc_dump_tfilter`, the attributes array is parsed via
tcf_tfilter_dump_policy which only describes TCA_DUMP_FLAGS. However,
the NLA TCA_CHAIN is also accessed with `nla_get_u32`. According to the
commit 5e2424708da7 ("xfrm: add forgotten nla_policy for
XFRMA_MTIMER_THRESH"), such a missing piece could lead to a potential
heap data leak.

The access to TCA_CHAIN is introduced in commit 5bc1701881e3 ("net:
sched: introduce multichain support for filters") and no nla_policy is
provided for parsing at that point. Later on, tcf_tfilter_dump_policy is
introduced in commit f8ab1807a9c9 ("net: sched: introduce terse dump
flag") while still ignoring the fact that TCA_CHAIN needs a check. This
patch does that by complementing the policy.

Note that other functions that access TCA_CHAIN, like tc_new_tfilter,
are not vulnerable as they choose rtm_tca_policy as the parsing policy
which describes the TCA_CHAIN already.

Fixes: 5bc1701881e3 ("net: sched: introduce multichain support for filters")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
---
 net/sched/cls_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 1976bd163986..2b5b8eca2ee3 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -2732,6 +2732,7 @@ static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent,
 }
 
 static const struct nla_policy tcf_tfilter_dump_policy[TCA_MAX + 1] = {
+	[TCA_CHAIN]      = { .type = NLA_U32 },
 	[TCA_DUMP_FLAGS] = NLA_POLICY_BITFIELD32(TCA_DUMP_FLAGS_TERSE),
 };
 
-- 
2.17.1