Commit 2ab51823 authored Jun 05, 2024 by Roded Zats Committed by Ziyang Xuan Jun 05, 2024

rtnetlink: Correct nested IFLA_VF_VLAN_LIST attribute validation

stable inclusion
from stable-v5.10.217
commit 6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9TLS8
CVE: CVE-2024-36017

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c8f44b02500c7d14b5e6618fe4ef9a0da47b3de



--------------------------------

[ Upstream commit 1aec77b2bb2ed1db0f5efc61c4c1ca3813307489 ]

Each attribute inside a nested IFLA_VF_VLAN_LIST is assumed to be a
struct ifla_vf_vlan_info so the size of such attribute needs to be at least
of sizeof(struct ifla_vf_vlan_info) which is 14 bytes.
The current size validation in do_setvfinfo is against NLA_HDRLEN (4 bytes)
which is less than sizeof(struct ifla_vf_vlan_info) so this validation
is not enough and a too small attribute might be cast to a
struct ifla_vf_vlan_info, this might result in an out of bands
read access when accessing the saved (casted) entry in ivvl.

Fixes: 79aab093 ("net: Update API for VF vlan protocol 802.1ad support")
Signed-off-by: Roded Zats <rzats@paloaltonetworks.com>
Reviewed-by: Donald Hunter <donald.hunter@gmail.com>
Link: https://lore.kernel.org/r/20240502155751.75705-1-rzats@paloaltonetworks.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>

parent 623051c7

net/core/rtnetlink.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2365,7 +2365,7 @@ static int do_setvfinfo(struct net_device dev, struct nlattr *tb)

		nla_for_each_nested(attr, tb[IFLA_VF_VLAN_LIST], rem) {
		if (nla_type(attr) != IFLA_VF_VLAN_INFO \|\|
		nla_len(attr) < NLA_HDRLEN) {
		nla_len(attr) < sizeof(struct ifla_vf_vlan_info)) {
		return -EINVAL;
		}
		if (len >= MAX_VLAN_LIST_LEN)