linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 05:44:11 +00:00

History

Ido Schimmel d8a21070b6 nexthop: Fix out-of-bounds access during attribute validation Passing a maximum attribute type to nlmsg_parse() that is larger than the size of the passed policy will result in an out-of-bounds access [1] when the attribute type is used as an index into the policy array. Fix by setting the maximum attribute type according to the policy size, as is already done for RTM_NEWNEXTHOP messages. Add a test case that triggers the bug. No regressions in fib nexthops tests: # ./fib_nexthops.sh [...] Tests passed: 236 Tests failed: 0 [1] BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x1e53/0x2940 Read of size 1 at addr ffffffff99ab4d20 by task ip/610 CPU: 3 PID: 610 Comm: ip Not tainted 6.8.0-rc7-custom-gd435d6e3e161 #9 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x8f/0xe0 print_report+0xcf/0x670 kasan_report+0xd8/0x110 __nla_validate_parse+0x1e53/0x2940 __nla_parse+0x40/0x50 rtm_del_nexthop+0x1bd/0x400 rtnetlink_rcv_msg+0x3cc/0xf20 netlink_rcv_skb+0x170/0x440 netlink_unicast+0x540/0x820 netlink_sendmsg+0x8d3/0xdb0 ____sys_sendmsg+0x31f/0xa60 ___sys_sendmsg+0x13a/0x1e0 __sys_sendmsg+0x11c/0x1f0 do_syscall_64+0xc5/0x1d0 entry_SYSCALL_64_after_hwframe+0x63/0x6b [...] The buggy address belongs to the variable: rtm_nh_policy_del+0x20/0x40 Fixes: `2118f9390d` ("net: nexthop: Adjust netlink policy parsing for a new attribute") Reported-by: Eric Dumazet <edumazet@google.com> Closes: https://lore.kernel.org/netdev/CANn89i+UNcG0PJMW5X7gOMunF38ryMh=L1aeZUKH3kL4UdUqag@mail.gmail.com/ Reported-by: syzbot+65bb09a7208ce3d4a633@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/00000000000088981b06133bc07b@google.com/ Signed-off-by: Ido Schimmel <idosch@nvidia.com> Reviewed-by: David Ahern <dsahern@kernel.org> Link: https://lore.kernel.org/r/20240311162307.545385-4-idosch@nvidia.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2024-03-11 20:35:20 -07:00
..
accounting
arch	work around gcc bugs with 'asm goto' with outputs	2024-02-09 15:57:48 -08:00
bootconfig
bpf	libbpf: Recognize __arena global variables.	2024-03-11 15:43:35 -07:00
build
certs
cgroup	samples: introduce new samples subdir for cgroup	2023-12-10 16:51:54 -08:00
counter	tools/counter: Remove unneeded semicolon	2023-12-20 11:43:31 -05:00
crypto	crypto: tcrypt - add script tcrypt_speed_compare.py	2023-12-29 11:25:55 +08:00
debugging
edid
firewire
firmware
gpio
hv
iio	iio: add modifiers for A and B ultraviolet light	2023-12-04 13:57:24 +00:00
include	for-netdev	2024-03-11 18:06:04 -07:00
kvm/kvm_stat
laptop
leds
lib	libbpf: Recognize __arena global variables.	2024-03-11 15:43:35 -07:00
memory-model
mm
net/ynl	netlink: specs: support generating code for genl socket priv	2024-03-11 15:15:42 -07:00
objtool	Address a GCC-14 warning: there's no real bug, but indeed the calloc order doesn't match	2024-01-08 18:31:27 -08:00
pci
pcmcia
perf	perf evlist: Fix evlist__new_default() for > 1 core PMU	2024-01-30 11:40:28 -03:00
power	tools cpupower bench: Override CFLAGS assignments	2024-01-21 16:57:51 -07:00
rcu
scripts
spi
testing	nexthop: Fix out-of-bounds access during attribute validation	2024-03-11 20:35:20 -07:00
thermal	tools/thermal/tmon: Fix compilation warning for wrong format	2024-01-02 09:33:19 +01:00
time
tracing	tools/rtla: Exit with EXIT_SUCCESS when help is invoked	2024-02-12 10:59:09 +01:00
usb
verification	tools/rv: Fix curr_reactor uninitialized variable	2024-02-12 09:58:36 +01:00
virtio	tools: virtio: introduce vhost_net_test	2024-03-05 11:38:14 +01:00
wmi
workqueue
Makefile