[net,v3] cls_flower: call nla_ok() before nla_next()

Message ID	20210114210749.61642-1-xiyou.wangcong@gmail.com (mailing list archive)
State	Superseded
Delegated to:	Netdev Maintainers
Headers	show Return-Path: <netdev-owner@kernel.org> From: Cong Wang <xiyou.wangcong@gmail.com> To: netdev@vger.kernel.org Cc: Cong Wang <cong.wang@bytedance.com>, syzbot+2624e3778b18fc497c92@syzkaller.appspotmail.com, Jamal Hadi Salim <jhs@mojatatu.com>, Xin Long <lucien.xin@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Jakub Kicinski <kuba@kernel.org> Subject: [Patch net v3] cls_flower: call nla_ok() before nla_next() Date: Thu, 14 Jan 2021 13:07:49 -0800 Message-Id: <20210114210749.61642-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[net,v3] cls_flower: call nla_ok() before nla_next() \| expand [net,v3] cls_flower: call nla_ok() before nla_next()

Context	Check	Description
netdev/cover_letter	success	Link
netdev/fixes_present	success	Link
netdev/patch_count	success	Link
netdev/tree_selection	success	Clearly marked for net
netdev/subject_prefix	success	Link
netdev/cc_maintainers	warning	3 maintainers not CCed: pieter.jansenvanvuuren@netronome.com davem@davemloft.net simon.horman@netronome.com
netdev/source_inline	success	Was 0 now: 0
netdev/verify_signedoff	success	Link
netdev/module_param	success	Was 0 now: 0
netdev/build_32bit	success	Errors and warnings before: 131 this patch: 131
netdev/kdoc	success	Errors and warnings before: 0 this patch: 0
netdev/verify_fixes	success	Link
netdev/checkpatch	success	total: 0 errors, 0 warnings, 0 checks, 51 lines checked
netdev/build_allmodconfig_warn	success	Errors and warnings before: 123 this patch: 123
netdev/header_inline	success	Link
netdev/stable	success	Stable not CCed

Cong Wang Jan. 14, 2021, 9:07 p.m. UTC

From: Cong Wang <cong.wang@bytedance.com>

fl_set_enc_opt() simply checks if there are still bytes left to parse,
but this is not sufficent as syzbot seems to be able to generate
malformatted netlink messages. nla_ok() is more strict so should be
used to validate the next nlattr here.

And nla_validate_nested_deprecated() has less strict check too, it is
probably too late to switch to the strict version, but we can just
call nla_ok() too after it.

Reported-and-tested-by: syzbot+2624e3778b18fc497c92@syzkaller.appspotmail.com
Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
Fixes: 79b1011cb33d ("net: sched: allow flower to match erspan options")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
 net/sched/cls_flower.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

Jakub Kicinski Jan. 14, 2021, 9:36 p.m. UTC | #1

On Thu, 14 Jan 2021 13:07:49 -0800 Cong Wang wrote:
> -			if (msk_depth)
> -				nla_opt_msk = nla_next(nla_opt_msk, &msk_depth);
>  			break;
>  		default:
>  			NL_SET_ERR_MSG(extack, "Unknown tunnel option type");
>  			return -EINVAL;
>  		}
> +
> +		if (!nla_opt_msk)
> +			continue;

Why the switch from !msk_depth to !nla_opt_msk?

Seems like previously providing masks for only subset of options 
would have worked.

Cong Wang Jan. 14, 2021, 9:57 p.m. UTC | #2

On Thu, Jan 14, 2021 at 1:36 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 14 Jan 2021 13:07:49 -0800 Cong Wang wrote:
> > -                     if (msk_depth)
> > -                             nla_opt_msk = nla_next(nla_opt_msk, &msk_depth);
> >                       break;
> >               default:
> >                       NL_SET_ERR_MSG(extack, "Unknown tunnel option type");
> >                       return -EINVAL;
> >               }
> > +
> > +             if (!nla_opt_msk)
> > +                     continue;
>
> Why the switch from !msk_depth to !nla_opt_msk?

It is the same, when nla_opt_msk is NULL, msk_depth is 0.
Checking nla_opt_msk is NULL is more readable to express that
mask is not provided.

>
> Seems like previously providing masks for only subset of options
> would have worked.

I don't think so, every type has this check:

                        if (key->enc_opts.len != mask->enc_opts.len) {
                                NL_SET_ERR_MSG(extack, "Key and mask
miss aligned");
                                return -EINVAL;
                        }

which guarantees the numbers are aligned.

Thanks.

Jakub Kicinski Jan. 14, 2021, 10:30 p.m. UTC | #3

On Thu, 14 Jan 2021 13:57:13 -0800 Cong Wang wrote:
> On Thu, Jan 14, 2021 at 1:36 PM Jakub Kicinski <kuba@kernel.org> wrote:
> >
> > On Thu, 14 Jan 2021 13:07:49 -0800 Cong Wang wrote:  
> > > -                     if (msk_depth)
> > > -                             nla_opt_msk = nla_next(nla_opt_msk, &msk_depth);
> > >                       break;
> > >               default:
> > >                       NL_SET_ERR_MSG(extack, "Unknown tunnel option type");
> > >                       return -EINVAL;
> > >               }
> > > +
> > > +             if (!nla_opt_msk)
> > > +                     continue;  
> >
> > Why the switch from !msk_depth to !nla_opt_msk?  
> 
> It is the same, when nla_opt_msk is NULL, msk_depth is 0.
> Checking nla_opt_msk is NULL is more readable to express that
> mask is not provided.
> 
> >
> > Seems like previously providing masks for only subset of options
> > would have worked.  
> 
> I don't think so, every type has this check:
> 
>                         if (key->enc_opts.len != mask->enc_opts.len) {
>                                 NL_SET_ERR_MSG(extack, "Key and mask
> miss aligned");
>                                 return -EINVAL;
>                         }
> 
> which guarantees the numbers are aligned.
> 
> Thanks.

static int fl_set_vxlan_opt(const struct nlattr *nla, struct fl_flow_key *key,
			    int depth, int option_len,
			    struct netlink_ext_ack *extack)
{
	struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX + 1];
	struct vxlan_metadata *md;
	int err;

	md = (struct vxlan_metadata *)&key->enc_opts.data[key->enc_opts.len];
	memset(md, 0xff, sizeof(*md));

	if (!depth)
		return sizeof(*md);
		^^^^^^^^^^^^^^^^^^^

The mask is filled with all 1s if attribute is not provided.

Cong Wang Jan. 14, 2021, 10:50 p.m. UTC | #4

On Thu, Jan 14, 2021 at 2:30 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Thu, 14 Jan 2021 13:57:13 -0800 Cong Wang wrote:
> > On Thu, Jan 14, 2021 at 1:36 PM Jakub Kicinski <kuba@kernel.org> wrote:
> > >
> > > On Thu, 14 Jan 2021 13:07:49 -0800 Cong Wang wrote:
> > > > -                     if (msk_depth)
> > > > -                             nla_opt_msk = nla_next(nla_opt_msk, &msk_depth);
> > > >                       break;
> > > >               default:
> > > >                       NL_SET_ERR_MSG(extack, "Unknown tunnel option type");
> > > >                       return -EINVAL;
> > > >               }
> > > > +
> > > > +             if (!nla_opt_msk)
> > > > +                     continue;
> > >
> > > Why the switch from !msk_depth to !nla_opt_msk?
> >
> > It is the same, when nla_opt_msk is NULL, msk_depth is 0.
> > Checking nla_opt_msk is NULL is more readable to express that
> > mask is not provided.
> >
> > >
> > > Seems like previously providing masks for only subset of options
> > > would have worked.
> >
> > I don't think so, every type has this check:
> >
> >                         if (key->enc_opts.len != mask->enc_opts.len) {
> >                                 NL_SET_ERR_MSG(extack, "Key and mask
> > miss aligned");
> >                                 return -EINVAL;
> >                         }
> >
> > which guarantees the numbers are aligned.
> >
> > Thanks.
>
> static int fl_set_vxlan_opt(const struct nlattr *nla, struct fl_flow_key *key,
>                             int depth, int option_len,
>                             struct netlink_ext_ack *extack)
> {
>         struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX + 1];
>         struct vxlan_metadata *md;
>         int err;
>
>         md = (struct vxlan_metadata *)&key->enc_opts.data[key->enc_opts.len];
>         memset(md, 0xff, sizeof(*md));
>
>         if (!depth)
>                 return sizeof(*md);
>                 ^^^^^^^^^^^^^^^^^^^
>
> The mask is filled with all 1s if attribute is not provided.

Hmm, then what is the length comparison check for?

fl_set_vxlan_opt() either turns negative or sizeof(*md), and negitve
is already checked when it returns, so when we hit the length comparison
it is always equal. So it must be redundant.

(Note, I am only talking about the vxlan case you pick here, because the
geneve case is different, as it returns different sizes.)

Thanks.

Jakub Kicinski Jan. 14, 2021, 10:56 p.m. UTC | #5

On Thu, 14 Jan 2021 14:50:04 -0800 Cong Wang wrote:
> > static int fl_set_vxlan_opt(const struct nlattr *nla, struct fl_flow_key *key,
> >                             int depth, int option_len,
> >                             struct netlink_ext_ack *extack)
> > {
> >         struct nlattr *tb[TCA_FLOWER_KEY_ENC_OPT_VXLAN_MAX + 1];
> >         struct vxlan_metadata *md;
> >         int err;
> >
> >         md = (struct vxlan_metadata *)&key->enc_opts.data[key->enc_opts.len];
> >         memset(md, 0xff, sizeof(*md));
> >
> >         if (!depth)
> >                 return sizeof(*md);
> >                 ^^^^^^^^^^^^^^^^^^^
> >
> > The mask is filled with all 1s if attribute is not provided.  
> 
> Hmm, then what is the length comparison check for?
> 
> fl_set_vxlan_opt() either turns negative or sizeof(*md), and negitve
> is already checked when it returns, so when we hit the length comparison
> it is always equal. So it must be redundant.
> 
> (Note, I am only talking about the vxlan case you pick here, because the
> geneve case is different, as it returns different sizes.)

Good question

[net,v3] cls_flower: call nla_ok() before nla_next()

Checks

Commit Message

Comments

Patch