git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Lin Ma <linma@zju.edu.cn>
	Mon, 3 Jul 2023 11:08:42 +0000 (19:08 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 27 Jul 2023 06:37:24 +0000 (08:37 +0200)
commit	67a67e2584075042864ad83124bd03c771bf0e01
tree	1fc679b1202a31953bd908cfe1b259f06a548252	tree \| snapshot
parent	ab0085bd7902abb8b62a6c6ae931fe5e29e38c31	commit \| diff

net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX

[ Upstream commit 30c45b5361d39b4b793780ffac5538090b9e2eb1 ]

The attribute TCA_PEDIT_PARMS_EX is not be included in pedit_policy and
one malicious user could fake a TCA_PEDIT_PARMS_EX whose length is
smaller than the intended sizeof(struct tc_pedit). Hence, the
dereference in tcf_pedit_init() could access dirty heap data.

static int tcf_pedit_init(...)
{
  // ...
  pattr = tb[TCA_PEDIT_PARMS]; // TCA_PEDIT_PARMS is included
  if (!pattr)
    pattr = tb[TCA_PEDIT_PARMS_EX]; // but this is not

  // ...
  parm = nla_data(pattr);

  index = parm->index; // parm is able to be smaller than 4 bytes
                       // and this dereference gets dirty skb_buff
                       // data created in netlink_sendmsg
}

This commit adds TCA_PEDIT_PARMS_EX length in pedit_policy which avoid
the above case, just like the TCA_PEDIT_PARMS.

Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>