Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp2229980ybz; Thu, 30 Apr 2020 13:14:59 -0700 (PDT) X-Google-Smtp-Source: APiQypL1VepOcG5XoyCFRze1EtqIdCRbCBZmlEZet/U1rDfucb0QIuVA9UZn6VkFMM0KRtdb6wi0 X-Received: by 2002:a05:6402:1597:: with SMTP id c23mr689878edv.353.1588277699594; Thu, 30 Apr 2020 13:14:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588277699; cv=none; d=google.com; s=arc-20160816; b=G2OIj5LiOh48ugqjTNTPw4dkZ7q+6tRXVSQ1H7LQXJnvBeHaSI6SLr62yO2q22Uyds lXb1Bje0Hizdr/fErmu4OOJ6ud9nWngL3anjCS2K6KeNMgcGuBKqMZ8dZb639AqUrJvJ DBNNKKPCzawnyIT67PvrGCPzJmYjdsnSpEJAulz+joG2B4VBLw+Q3xBKxzOzxAymnuKf w5GSZoPluYbIWHFcRMwF5NDU8ztdUIRwtW8mt+CPlFQf4+5XBD+iHrWCcLgUGcSHTF9E lDN6GHBtIEND2cqNcW7lKveO6oz4z0OneTqYEsMYu5I6QuF9t2U5cGfGiaTmsyK/ska6 snAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=NDKH1GRXdpEPgnoVLJym6mQ6V5SHpLmpQKRvFtn5HFI=; b=tzAbsl97LO54wrBniZBRaApCgxgEprISgmOcuFlqJK+o1js+SVFtbzSUpF1Sfnha3i 1pUGRB6yx129LidBffSNdpSUVhM7ANbwcu06tLcmk5Kgw4uv//7A1nBBF99fCPX9Xm6g I6eE6ri2QajG80K7gyOXjmlyqdvM/59GGq0L1zKfhRUVvam4nQM0K7Np8cRIXzuBfNnO tILwVfdcOHMHk/1GfNhA0k17tiemLXixrZp9fTsF+DAl3YziDma0kcIBJ5DXZB/FQkAr my2WuDUrce6bxXfyvsBsHGrty7tTEnKeVCQW9LXEs0WU9Kh6/GJcUe3+PuLkGqIwPSom 3nDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e8si436011ejd.76.2020.04.30.13.14.35; Thu, 30 Apr 2020 13:14:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727097AbgD3UNZ (ORCPT + 99 others); Thu, 30 Apr 2020 16:13:25 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726338AbgD3UNY (ORCPT ); Thu, 30 Apr 2020 16:13:24 -0400 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4B8C6C035494; Thu, 30 Apr 2020 13:13:24 -0700 (PDT) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.93) (envelope-from ) id 1jUFYg-002qzz-5J; Thu, 30 Apr 2020 22:13:22 +0200 From: Johannes Berg To: netdev@vger.kernel.org Cc: Antonio Quartulli , linux-wireless@vger.kernel.org, Johannes Berg Subject: [PATCH v2 2/8] netlink: limit recursion depth in policy validation Date: Thu, 30 Apr 2020 22:13:06 +0200 Message-Id: <20200430221106.15d3c6ea53ac.Iddcc303b711eabe6cb41f1647c49714d8792bd55@changeid> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200430201312.60143-1-johannes@sipsolutions.net> References: <20200430201312.60143-1-johannes@sipsolutions.net> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org From: Johannes Berg Now that we have nested policies, we can theoretically recurse forever parsing attributes if a (sub-)policy refers back to a higher level one. This is a situation that has happened in nl80211, and we've avoided it there by not linking it. Add some code to netlink parsing to limit recursion depth. Signed-off-by: Johannes Berg --- lib/nlattr.c | 46 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/lib/nlattr.c b/lib/nlattr.c index 3df05db732ca..7f7ebd89caa4 100644 --- a/lib/nlattr.c +++ b/lib/nlattr.c @@ -44,6 +44,20 @@ static const u8 nla_attr_minlen[NLA_TYPE_MAX+1] = { [NLA_S64] = sizeof(s64), }; +/* + * Nested policies might refer back to the original + * policy in some cases, and userspace could try to + * abuse that and recurse by nesting in the right + * ways. Limit recursion to avoid this problem. + */ +#define MAX_POLICY_RECURSION_DEPTH 10 + +static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype, + const struct nla_policy *policy, + unsigned int validate, + struct netlink_ext_ack *extack, + struct nlattr **tb, unsigned int depth); + static int validate_nla_bitfield32(const struct nlattr *nla, const u32 valid_flags_mask) { @@ -70,7 +84,7 @@ static int validate_nla_bitfield32(const struct nlattr *nla, static int nla_validate_array(const struct nlattr *head, int len, int maxtype, const struct nla_policy *policy, struct netlink_ext_ack *extack, - unsigned int validate) + unsigned int validate, unsigned int depth) { const struct nlattr *entry; int rem; @@ -87,8 +101,9 @@ static int nla_validate_array(const struct nlattr *head, int len, int maxtype, return -ERANGE; } - ret = __nla_validate(nla_data(entry), nla_len(entry), - maxtype, policy, validate, extack); + ret = __nla_validate_parse(nla_data(entry), nla_len(entry), + maxtype, policy, validate, extack, + NULL, depth + 1); if (ret < 0) return ret; } @@ -156,7 +171,7 @@ static int nla_validate_int_range(const struct nla_policy *pt, static int validate_nla(const struct nlattr *nla, int maxtype, const struct nla_policy *policy, unsigned int validate, - struct netlink_ext_ack *extack) + struct netlink_ext_ack *extack, unsigned int depth) { u16 strict_start_type = policy[0].strict_start_type; const struct nla_policy *pt; @@ -269,9 +284,10 @@ static int validate_nla(const struct nlattr *nla, int maxtype, if (attrlen < NLA_HDRLEN) goto out_err; if (pt->nested_policy) { - err = __nla_validate(nla_data(nla), nla_len(nla), pt->len, - pt->nested_policy, validate, - extack); + err = __nla_validate_parse(nla_data(nla), nla_len(nla), + pt->len, pt->nested_policy, + validate, extack, NULL, + depth + 1); if (err < 0) { /* * return directly to preserve the inner @@ -294,7 +310,7 @@ static int validate_nla(const struct nlattr *nla, int maxtype, err = nla_validate_array(nla_data(nla), nla_len(nla), pt->len, pt->nested_policy, - extack, validate); + extack, validate, depth); if (err < 0) { /* * return directly to preserve the inner @@ -358,11 +374,17 @@ static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype, const struct nla_policy *policy, unsigned int validate, struct netlink_ext_ack *extack, - struct nlattr **tb) + struct nlattr **tb, unsigned int depth) { const struct nlattr *nla; int rem; + if (depth >= MAX_POLICY_RECURSION_DEPTH) { + NL_SET_ERR_MSG(extack, + "allowed policy recursion depth exceeded"); + return -EINVAL; + } + if (tb) memset(tb, 0, sizeof(struct nlattr *) * (maxtype + 1)); @@ -379,7 +401,7 @@ static int __nla_validate_parse(const struct nlattr *head, int len, int maxtype, } if (policy) { int err = validate_nla(nla, maxtype, policy, - validate, extack); + validate, extack, depth); if (err < 0) return err; @@ -421,7 +443,7 @@ int __nla_validate(const struct nlattr *head, int len, int maxtype, struct netlink_ext_ack *extack) { return __nla_validate_parse(head, len, maxtype, policy, validate, - extack, NULL); + extack, NULL, 0); } EXPORT_SYMBOL(__nla_validate); @@ -476,7 +498,7 @@ int __nla_parse(struct nlattr **tb, int maxtype, struct netlink_ext_ack *extack) { return __nla_validate_parse(head, len, maxtype, policy, validate, - extack, tb); + extack, tb, 0); } EXPORT_SYMBOL(__nla_parse); -- 2.25.1