From 45d00abf27d72f30ae12dd29f10ca7c1f12ce405 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 18 Oct 2022 19:17:15 +0200
Subject: [PATCH] drop netlink-bounds-check-struct-nlmsgerr-creation.patch
---
 ...ounds-check-struct-nlmsgerr-creation.patch | 81 -------------------
 queue-5.19/series | 1 -
 ...ounds-check-struct-nlmsgerr-creation.patch | 81 -------------------
 queue-6.0/series | 1 -
 4 files changed, 164 deletions(-)
 delete mode 100644 queue-5.19/netlink-bounds-check-struct-nlmsgerr-creation.patch
 delete mode 100644 queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch
diff --git a/queue-5.19/netlink-bounds-check-struct-nlmsgerr-creation.patch b/queue-5.19/netlink-bounds-check-struct-nlmsgerr-creation.patch
deleted file mode 100644
index 432466a0183..00000000000
--- a/queue-5.19/netlink-bounds-check-struct-nlmsgerr-creation.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From c206ca228f9a8b60b3f0ba74a86d2df71f7f77d1 Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 2 Sep 2022 21:37:49 -0700
-Subject: netlink: Bounds-check struct nlmsgerr creation
-
-From: Kees Cook
-
-[ Upstream commit 710d21fdff9a98d621cd4e64167f3ef8af4e2fd1 ]
-
-In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(),
-switch from __nlmsg_put to nlmsg_put(), and explain the bounds check
-for dealing with the memcpy() across a composite flexible array struct.
-Avoids this future run-time warning:
-
- memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16)
-
-Cc: Jakub Kicinski
-Cc: Pablo Neira Ayuso
-Cc: Jozsef Kadlecsik
-Cc: Florian Westphal
-Cc: "David S. Miller"
-Cc: Eric Dumazet
-Cc: Paolo Abeni
-Cc: syzbot
-Cc: netfilter-devel@vger.kernel.org
-Cc: coreteam@netfilter.org
-Cc: netdev@vger.kernel.org
-Signed-off-by: Kees Cook
-Link: https://lore.kernel.org/r/20220901071336.1418572-1-keescook@chromium.org
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- net/netfilter/ipset/ip_set_core.c | 8 +++++---
- net/netlink/af_netlink.c | 8 +++++---
- 2 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
-index 16ae92054baa..6b31746f9be3 100644
---- a/net/netfilter/ipset/ip_set_core.c
-+++ b/net/netfilter/ipset/ip_set_core.c
-@@ -1719,11 +1719,13 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
- skb2 = nlmsg_new(payload, GFP_KERNEL);
- if (!skb2)
- return -ENOMEM;
-- rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
-- nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
-+ rep = nlmsg_put(skb2, NETLINK_CB(skb).portid,
-+ nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
- errmsg = nlmsg_data(rep);
- errmsg->error = ret;
-- memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
-+ unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len,
-+ /* Bounds checked by the skb layer. 
*/);
-+
- cmdattr = (void *)&errmsg->msg + min_len;
-
- ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr,
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 0cd91f813a3b..d8d3ed2096a3 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -2440,11 +2440,13 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
- return;
- }
-
-- rep = __nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
-- NLMSG_ERROR, payload, flags);
-+ rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
-+ NLMSG_ERROR, payload, flags);
- errmsg = nlmsg_data(rep);
- errmsg->error = err;
-- memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
-+ unsafe_memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg)
-+ ? nlh->nlmsg_len : sizeof(*nlh),
-+ /* Bounds checked by the skb layer. */);
-
- if (nlk_has_extack && extack) {
- if (extack->_msg) {
---
-2.35.1
-
diff --git a/queue-5.19/series b/queue-5.19/series
index 113e4178fc3..d41cf20455a 100644
--- a/queue-5.19/series
+++ b/queue-5.19/series
@@ -650,7 +650,6 @@ net-next-fix-ip_unicast_if-option-behavior-for-conne.patch
 xfrm-update-ipcomp_scratches-with-null-when-freed.patch
 wifi-ath11k-register-shutdown-handler-for-wcn6750.patch
 rtw89-ser-leave-lps-with-mutex.patch
-netlink-bounds-check-struct-nlmsgerr-creation.patch
 net-ftmac100-fix-endianness-related-issues-from-spar.patch
 iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch
 wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch
diff --git a/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch b/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch
deleted file mode 100644
index 584db828b4f..00000000000
--- a/queue-6.0/netlink-bounds-check-struct-nlmsgerr-creation.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 6149fbd4cbf5170fd911954d98385f53cbb7453e Mon Sep 17 00:00:00 2001
-From: Sasha Levin
-Date: Fri, 2 Sep 2022 21:37:49 -0700
-Subject: netlink: Bounds-check struct nlmsgerr creation
-
-From: Kees Cook
-
-[ Upstream commit 710d21fdff9a98d621cd4e64167f3ef8af4e2fd1 ]
-
-In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(),
-switch from __nlmsg_put to nlmsg_put(), and explain the bounds check
-for dealing with the memcpy() across a composite flexible array struct.
-Avoids this future run-time warning:
-
- memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16)
-
-Cc: Jakub Kicinski
-Cc: Pablo Neira Ayuso
-Cc: Jozsef Kadlecsik
-Cc: Florian Westphal
-Cc: "David S. Miller"
-Cc: Eric Dumazet
-Cc: Paolo Abeni
-Cc: syzbot
-Cc: netfilter-devel@vger.kernel.org
-Cc: coreteam@netfilter.org
-Cc: netdev@vger.kernel.org
-Signed-off-by: Kees Cook
-Link: https://lore.kernel.org/r/20220901071336.1418572-1-keescook@chromium.org
-Signed-off-by: David S. Miller
-Signed-off-by: Sasha Levin
----
- net/netfilter/ipset/ip_set_core.c | 8 +++++---
- net/netlink/af_netlink.c | 8 +++++---
- 2 files changed, 10 insertions(+), 6 deletions(-)
-
-diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
-index 16ae92054baa..6b31746f9be3 100644
---- a/net/netfilter/ipset/ip_set_core.c
-+++ b/net/netfilter/ipset/ip_set_core.c
-@@ -1719,11 +1719,13 @@ call_ad(struct net *net, struct sock *ctnl, struct sk_buff *skb,
- skb2 = nlmsg_new(payload, GFP_KERNEL);
- if (!skb2)
- return -ENOMEM;
-- rep = __nlmsg_put(skb2, NETLINK_CB(skb).portid,
-- nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
-+ rep = nlmsg_put(skb2, NETLINK_CB(skb).portid,
-+ nlh->nlmsg_seq, NLMSG_ERROR, payload, 0);
- errmsg = nlmsg_data(rep);
- errmsg->error = ret;
-- memcpy(&errmsg->msg, nlh, nlh->nlmsg_len);
-+ unsafe_memcpy(&errmsg->msg, nlh, nlh->nlmsg_len,
-+ /* Bounds checked by the skb layer. 
*/);
-+
- cmdattr = (void *)&errmsg->msg + min_len;
-
- ret = nla_parse(cda, IPSET_ATTR_CMD_MAX, cmdattr,
-diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
-index 0cd91f813a3b..d8d3ed2096a3 100644
---- a/net/netlink/af_netlink.c
-+++ b/net/netlink/af_netlink.c
-@@ -2440,11 +2440,13 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
- return;
- }
-
-- rep = __nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
-- NLMSG_ERROR, payload, flags);
-+ rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
-+ NLMSG_ERROR, payload, flags);
- errmsg = nlmsg_data(rep);
- errmsg->error = err;
-- memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg) ? nlh->nlmsg_len : sizeof(*nlh));
-+ unsafe_memcpy(&errmsg->msg, nlh, payload > sizeof(*errmsg)
-+ ? nlh->nlmsg_len : sizeof(*nlh),
-+ /* Bounds checked by the skb layer. */);
-
- if (nlk_has_extack && extack) {
- if (extack->_msg) {
---
-2.35.1
-
diff --git a/queue-6.0/series b/queue-6.0/series
index 86196174686..c647eac25d1 100644
--- a/queue-6.0/series
+++ b/queue-6.0/series
@@ -724,7 +724,6 @@ net-next-fix-ip_unicast_if-option-behavior-for-conne.patch
 xfrm-update-ipcomp_scratches-with-null-when-freed.patch
 wifi-ath11k-register-shutdown-handler-for-wcn6750.patch
 rtw89-ser-leave-lps-with-mutex.patch
-netlink-bounds-check-struct-nlmsgerr-creation.patch
 net-ftmac100-fix-endianness-related-issues-from-spar.patch
 iavf-fix-race-between-iavf_close-and-iavf_reset_task.patch
 wifi-brcmfmac-fix-use-after-free-bug-in-brcmf_netdev.patch
--
2.47.2