From: Jamal Hadi Salim
Date: Wed, 27 Dec 2023 12:02:49 -0500
Subject: Re: [PATCH net v1] net/sched: cls_api: complement tcf_tfilter_dump_policy
To: Lin Ma
Cc: xiyou.wangcong@gmail.com, jiri@resnulli.us, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
In-Reply-To: <6aab36aa.56337.18ca3c6af7a.Coremail.linma@zju.edu.cn>
References: <20231224165413.831486-1-linma@zju.edu.cn> <6aab36aa.56337.18ca3c6af7a.Coremail.linma@zju.edu.cn>

On Mon, Dec 25, 2023 at 8:39 PM Lin Ma wrote:
>
> Hello Jamal,
>
> > Can you clarify what "heap data leak" you are referring to?
> > As much as I can see, any reference to NLA_TCA_CHAIN is checked for
> > presence before being put to use. So for that reason I don't see how
> > this patch qualifies as "net". It looks like an enhancement to me
> > which should target net-next, unless I am missing something obvious.
>
> Sure, thanks for your reply (and merry Christmas :D).
> I didn't mention the detail as I consider the commit message in
> `5e2424708da7` could make the point. In short, the code
>
> ```
> if (tca[TCA_CHAIN] && nla_get_u32(tca[TCA_CHAIN])
> ```
>
> only checks if the attribute TCA_CHAIN exists but never checks the
> attribute length, because that attribute is parsed by the function
> nlmsg_parse_deprecated, which will parse an attribute even if it is not
> described in the given policy (here, the tcf_tfilter_dump_policy).
>
> Moreover, the netlink message is allocated via netlink_alloc_large_skb
> (see net/netlink/af_netlink.c), which does not clear out the heap buffer.
> Hence a malicious user could send a malicious TCA_CHAIN attribute here
> without putting any payload, and the above `nla_get_u32` could dereference
> dirty data that is sprayed by the user.
>
> Other places get TCA_CHAIN with the provided policy rtm_tca_policy, which
> has a description:
>
> ```
> [TCA_CHAIN] = { .type = NLA_U32 },
> ```
>
> and this patch aims to do the same.
>
> Unfortunately, I have not opened the exploit for CVE-2023-3773
> (https://access.redhat.com/security/cve/cve-2023-3773) yet, but the idea
> is similar and you can take it as an example.

Sorry, still trying to follow your reasoning that this is a "net issue":
As you point out, the skb will have enough space to carry the 32-bit
value. Worst case is we read garbage. And the dump, using this garbage
chain index, will not find the chain or will find some unintended chain.
Am I missing something? Can you send me a repro (privately) that actually
causes the "heap data leak" if you have one?

cheers,
jamal

> > cheers,
> > jamal
>
> Regards
> Lin
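Added example (not kernel code, and not the patch under discussion): a userspace toy model of the attribute parse the thread describes. The type numbers, the two policy tables and the parser are simplified stand-ins for nlattr, nla_policy and nlmsg_parse_deprecated(); the 0xAA bytes are constructed to play the role of whatever the buffer held before. It shows the difference between a policy with no entry for TCA_CHAIN (any length accepted, and nla_get_u32 reads four bytes beyond the declared message) and a policy entry of NLA_U32 (header-only attribute rejected, well-formed attribute still accepted).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the netlink attribute layout and of policy-based length
 * validation. Added example, not kernel code: the ids, policy tables and
 * parser below are simplified stand-ins for nlattr, nla_policy and
 * nlmsg_parse_deprecated(). */
#define TOY_NLA_ALIGNTO 4
#define TOY_NLA_ALIGN(len) (((len) + TOY_NLA_ALIGNTO - 1) & ~(TOY_NLA_ALIGNTO - 1))
#define TOY_NLA_HDRLEN 4               /* u16 nla_len + u16 nla_type */

enum { TOY_TCA_UNSPEC = 0, TOY_TCA_CHAIN = 1, TOY_TCA_MAX = 2 }; /* made-up ids */
enum toy_nla_type { TOY_NLA_UNSPEC = 0, TOY_NLA_U32 = 1 };
struct toy_policy { enum toy_nla_type type; };

/* Before: no entry for TCA_CHAIN, so any length is accepted for it.
 * After: TCA_CHAIN must carry exactly four bytes of payload. */
static const struct toy_policy policy_before[TOY_TCA_MAX] = { {0}, {0} };
static const struct toy_policy policy_after[TOY_TCA_MAX] = {
    [TOY_TCA_CHAIN] = { .type = TOY_NLA_U32 },
};

/* Walk the attribute stream in buf[0..len). tb[type] receives a pointer to
 * the attribute header. Attributes whose policy entry is TOY_NLA_UNSPEC are
 * stored without any payload-length check. */
static int toy_parse(const unsigned char *buf, size_t len,
                     const unsigned char *tb[], const struct toy_policy *policy)
{
    size_t off = 0;
    memset(tb, 0, sizeof(*tb) * TOY_TCA_MAX);
    while (off + TOY_NLA_HDRLEN <= len) {
        uint16_t nla_len, nla_type;
        memcpy(&nla_len, buf + off, sizeof nla_len);
        memcpy(&nla_type, buf + off + 2, sizeof nla_type);
        if (nla_len < TOY_NLA_HDRLEN || off + nla_len > len)
            return -1;                                /* malformed header */
        if (nla_type < TOY_TCA_MAX) {
            int payload = nla_len - TOY_NLA_HDRLEN;
            if (policy[nla_type].type == TOY_NLA_U32 && payload != 4)
                return -1;                            /* rejected by policy */
            tb[nla_type] = buf + off;
        }
        off += TOY_NLA_ALIGN(nla_len);
    }
    return 0;
}

/* Mirrors nla_get_u32(): copies the four bytes after the header, trusting
 * the caller that they belong to the attribute. */
static uint32_t toy_get_u32(const unsigned char *nla)
{
    uint32_t v;
    memcpy(&v, nla + TOY_NLA_HDRLEN, sizeof v);
    return v;
}

/* Constructed sample message holding one TCA_CHAIN attribute. With
 * send_payload == 0 the attribute is header-only (nla_len == header length)
 * and the four bytes after the declared end stand in for stale buffer
 * contents. Returns the chain index the dump code would use, -1 when the
 * parse is rejected, or -2 when the attribute is absent. */
static int64_t chain_index_seen(const struct toy_policy *policy, int send_payload)
{
    unsigned char msg[8];
    const unsigned char *tb[TOY_TCA_MAX];
    uint16_t nla_type = TOY_TCA_CHAIN;
    uint16_t nla_len = send_payload ? 8 : TOY_NLA_HDRLEN;
    uint32_t chain = 7;                        /* the honest value, if sent */

    memcpy(msg, &nla_len, sizeof nla_len);
    memcpy(msg + 2, &nla_type, sizeof nla_type);
    if (send_payload)
        memcpy(msg + 4, &chain, sizeof chain);
    else
        memset(msg + 4, 0xAA, 4);              /* constructed "stale" bytes */

    if (toy_parse(msg, nla_len, tb, policy) < 0)
        return -1;
    if (!tb[TOY_TCA_CHAIN])
        return -2;
    return toy_get_u32(tb[TOY_TCA_CHAIN]);     /* may read past the payload */
}

int main(void)
{
    printf("no policy entry, header-only attr: chain = 0x%llx\n",
           (long long) chain_index_seen(policy_before, 0));
    printf("NLA_U32 entry,   header-only attr: result = %lld\n",
           (long long) chain_index_seen(policy_after, 0));
    printf("NLA_U32 entry,   well-formed attr: chain = %lld\n",
           (long long) chain_index_seen(policy_after, 1));
    return 0;
}
```

The model stays inside one buffer on purpose: as in the skb case, the bytes nla_get_u32 reads are not out of bounds of the allocation, they are simply not part of what the sender declared, which is why the value comes out as garbage rather than a crash.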