[thirdparty/kernel/stable-queue.git] / releases / 3.19.2 / rtnetlink-ifla_vf_policy-fix-misuses-of-nla_binary.patch

From foo@baz Wed Mar 11 11:44:33 CET 2015
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu, 5 Feb 2015 18:44:04 +0100
Subject: rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY

From: Daniel Borkmann <daniel@iogearbox.net>

[ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ]

ifla_vf_policy[] is wrong in advertising its individual member types as
NLA_BINARY since .type = NLA_BINARY in combination with .len declares the
len member as *max* attribute length [0, len].

The issue is that when do_setvfinfo() is being called to set up a VF
through ndo handler, we could set corrupted data if the attribute length
is less than the size of the related structure itself.

The intent is exactly the opposite, namely to make sure to pass at least
data of minimum size of len.

Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink")
Cc: Mitch Williams <mitch.a.williams@intel.com>
Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |   18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1237,18 +1237,12 @@ static const struct nla_policy ifla_vfin
 };
 
 static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
-	[IFLA_VF_MAC]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_mac) },
-	[IFLA_VF_VLAN]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_vlan) },
-	[IFLA_VF_TX_RATE]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_tx_rate) },
-	[IFLA_VF_SPOOFCHK]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_spoofchk) },
-	[IFLA_VF_RATE]		= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_rate) },
-	[IFLA_VF_LINK_STATE]	= { .type = NLA_BINARY,
-				    .len = sizeof(struct ifla_vf_link_state) },
+	[IFLA_VF_MAC]		= { .len = sizeof(struct ifla_vf_mac) },
+	[IFLA_VF_VLAN]		= { .len = sizeof(struct ifla_vf_vlan) },
+	[IFLA_VF_TX_RATE]	= { .len = sizeof(struct ifla_vf_tx_rate) },
+	[IFLA_VF_SPOOFCHK]	= { .len = sizeof(struct ifla_vf_spoofchk) },
+	[IFLA_VF_RATE]		= { .len = sizeof(struct ifla_vf_rate) },
+	[IFLA_VF_LINK_STATE]	= { .len = sizeof(struct ifla_vf_link_state) },
 };
 
 static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {
Commit	Line	Data
373f9370 GKH	1	From foo@baz Wed Mar 11 11:44:33 CET 2015
	2	From: Daniel Borkmann <daniel@iogearbox.net>
	3	Date: Thu, 5 Feb 2015 18:44:04 +0100
	4	Subject: rtnetlink: ifla_vf_policy: fix misuses of NLA_BINARY
	5
	6	From: Daniel Borkmann <daniel@iogearbox.net>
	7
	8	[ Upstream commit 364d5716a7adb91b731a35765d369602d68d2881 ]
	9
	10	ifla_vf_policy[] is wrong in advertising its individual member types as
	11	NLA_BINARY since .type = NLA_BINARY in combination with .len declares the
	12	len member as max attribute length [0, len].
	13
	14	The issue is that when do_setvfinfo() is being called to set up a VF
	15	through ndo handler, we could set corrupted data if the attribute length
	16	is less than the size of the related structure itself.
	17
	18	The intent is exactly the opposite, namely to make sure to pass at least
	19	data of minimum size of len.
	20
	21	Fixes: ebc08a6f47ee ("rtnetlink: Add VF config code to rtnetlink")
	22	Cc: Mitch Williams <mitch.a.williams@intel.com>
	23	Cc: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
	24	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	25	Acked-by: Thomas Graf <tgraf@suug.ch>
	26	Signed-off-by: David S. Miller <davem@davemloft.net>
	27	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	28	---
	29	net/core/rtnetlink.c \| 18 ++++++------------
	30	1 file changed, 6 insertions(+), 12 deletions(-)
	31
	32	--- a/net/core/rtnetlink.c
	33	+++ b/net/core/rtnetlink.c
	34	@@ -1237,18 +1237,12 @@ static const struct nla_policy ifla_vfin
	35	};
	36
	37	static const struct nla_policy ifla_vf_policy[IFLA_VF_MAX+1] = {
	38	- [IFLA_VF_MAC] = { .type = NLA_BINARY,
	39	- .len = sizeof(struct ifla_vf_mac) },
	40	- [IFLA_VF_VLAN] = { .type = NLA_BINARY,
	41	- .len = sizeof(struct ifla_vf_vlan) },
	42	- [IFLA_VF_TX_RATE] = { .type = NLA_BINARY,
	43	- .len = sizeof(struct ifla_vf_tx_rate) },
	44	- [IFLA_VF_SPOOFCHK] = { .type = NLA_BINARY,
	45	- .len = sizeof(struct ifla_vf_spoofchk) },
	46	- [IFLA_VF_RATE] = { .type = NLA_BINARY,
	47	- .len = sizeof(struct ifla_vf_rate) },
	48	- [IFLA_VF_LINK_STATE] = { .type = NLA_BINARY,
	49	- .len = sizeof(struct ifla_vf_link_state) },
	50	+ [IFLA_VF_MAC] = { .len = sizeof(struct ifla_vf_mac) },
	51	+ [IFLA_VF_VLAN] = { .len = sizeof(struct ifla_vf_vlan) },
	52	+ [IFLA_VF_TX_RATE] = { .len = sizeof(struct ifla_vf_tx_rate) },
	53	+ [IFLA_VF_SPOOFCHK] = { .len = sizeof(struct ifla_vf_spoofchk) },
	54	+ [IFLA_VF_RATE] = { .len = sizeof(struct ifla_vf_rate) },
	55	+ [IFLA_VF_LINK_STATE] = { .len = sizeof(struct ifla_vf_link_state) },
	56	};
	57
	58	static const struct nla_policy ifla_port_policy[IFLA_PORT_MAX+1] = {