From patchwork Sat Jan 23 04:53:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Edwin Peer X-Patchwork-Id: 12041097 X-Patchwork-Delegate: kuba@kernel.org Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-18.9 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id CA10DC433DB for ; Sat, 23 Jan 2021 04:54:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 7EEEF23AA1 for ; Sat, 23 Jan 2021 04:54:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726694AbhAWEyT (ORCPT ); Fri, 22 Jan 2021 23:54:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40662 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726426AbhAWEyK (ORCPT ); Fri, 22 Jan 2021 23:54:10 -0500 Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 95EABC0613D6 for ; Fri, 22 Jan 2021 20:53:30 -0800 (PST) Received: by mail-pf1-x429.google.com with SMTP id y205so5172694pfc.5 for ; Fri, 22 Jan 2021 20:53:30 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version; bh=h7VPruB668G7g5/SHWgIuv8gpm2uLDqUmzfEvcvvW90=; b=iG69MaHjvgRumTR94d6RYcAhIJ6aQV+bMIO2wNQAw9J7AOdXwvyKEVbtrrLT87O7zm GNSXlguoaF4IsPVCpGcn/2JWN5Yf7UZbednoHt7ego4nwLXR05jIw2DG3intLMTpk50P ZPF5J+cCDkdIDMT6pnn6zhqng02CAf6+o+Nao= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version; bh=h7VPruB668G7g5/SHWgIuv8gpm2uLDqUmzfEvcvvW90=; b=YjR/ZxgWxtDrft1Q1rECkDdgH8I7KdaS3GL5RWmuu6oNO5agbsxx6RQ/ACTFaPdddM i1MAd/U2FBEO5lrOvn71st/AoejbyRUFZlCmLnoLz4yg0uYG9jvpViIC+RqDQSGnGsu1 Gu6SozHTmFVc9CnLF29uEXpsH9eI239EPHAGi4JVfjUB/wzx0+5M3GlyRrglkK/sAsEi aBUkddF1g/p1bF/zwsKnT1/Rr1hvgdQBTK789vNWD4sqHyvKzXSNy/afulss9nbFBYIP mSx2T3Yzjmk/ieFSK0oAJb58WwnaYSjBz+2ukwW/vlJQW++goY46Pu6mWkAnPz66o662 RJ+w== X-Gm-Message-State: AOAM530iey/fW/aZZ4xxF8ugKys10sSrJ1T6taDfJkqVi8jFhH66wfDN 7OjMkyXEj2v9vi6UvARlUlLCxtsbHN2/IvuUWFY4FcQnz4Bl4ACL0e+IORp99/6H4r3FJnvu7US FXegcwYrsXvJbEa59L3NC7RWSGMSwqmjY00c45gXxPjpQ5izckFwxL1gfZvbmeOSY0rDn1vbx X-Google-Smtp-Source: ABdhPJw+4Yh1sHiUlRpUnv16S72bwaklF4sSmvr7Q90atuyIeCdGhyMj/4gL50mk//zzuJuE6leAjw== X-Received: by 2002:a62:e30e:0:b029:1b9:3823:4b3a with SMTP id g14-20020a62e30e0000b02901b938234b3amr1994914pfh.15.1611377609441; Fri, 22 Jan 2021 20:53:29 -0800 (PST) Received: from hex.swdvt.lab.broadcom.net ([2600:8802:d04:de02::77c]) by smtp.gmail.com with ESMTPSA id d2sm10725832pjd.29.2021.01.22.20.53.27 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 Jan 2021 20:53:28 -0800 (PST) From: Edwin Peer To: netdev@vger.kernel.org Cc: Edwin Peer , Jakub Kicinski , Andrew Gospodarek , Michael Chan , Stephen Hemminger , Michal Kubecek , David Ahern Subject: [PATCH net-next 1/4] netlink: truncate overlength attribute list in nla_nest_end() Date: Fri, 22 Jan 2021 20:53:18 -0800 Message-Id: <20210123045321.2797360-2-edwin.peer@broadcom.com> X-Mailer: git-send-email 2.30.0 In-Reply-To: <20210123045321.2797360-1-edwin.peer@broadcom.com> References: <20210123045321.2797360-1-edwin.peer@broadcom.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org X-Patchwork-Delegate: kuba@kernel.org If a nested list of attributes is too long, then the length will exceed the 16-bit nla_len of the parent nlattr. In such cases, determine how many whole attributes can fit and truncate the message to this length. This properly maintains the nesting hierarchy, keeping the entire message valid, while fitting more subelements inside the nest range than may result if the length is wrapped modulo 64KB. Marking truncated attributes, such that user space can determine the precise attribute truncated, by means of an additional bit in the nla_type was considered and rejected. The NLA_F_NESTED and NLA_F_NET_BYTEORDER flags are supposed to be mutually exclusive. So, in theory, the latter bit could have been redefined for nested attributes in order to indicate truncation, but user space tools (most notably iproute2) cannot be relied on to honor NLA_TYPE_MASK, resulting in alteration of the perceived nla_type and subsequent catastrophic failure. Failing the entire message with a hard error must also be rejected, as this would break existing user space functionality. The trigger issue is evident for IFLA_VFINFO_LIST and a hard error here would cause iproute2 to fail to render an entire interface list even if only a single interface warranted a truncated VF list. Instead, set NLM_F_NEST_TRUNCATED in the netlink header to inform user space about the incomplete data. In this particular case, however, user space can better ascertain which instance is truncated by consulting the associated IFLA_NUM_VF to determine how many VFs were expected. Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface") Signed-off-by: Edwin Peer --- include/net/netlink.h | 11 +++++++++-- include/uapi/linux/netlink.h | 1 + lib/nlattr.c | 27 +++++++++++++++++++++++++++ 3 files changed, 37 insertions(+), 2 deletions(-) diff --git a/include/net/netlink.h b/include/net/netlink.h index 1ceec518ab49..fc8c57dafb05 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -1785,19 +1785,26 @@ static inline struct nlattr *nla_nest_start(struct sk_buff *skb, int attrtype) return nla_nest_start_noflag(skb, attrtype | NLA_F_NESTED); } +int __nla_nest_trunc_msg(struct sk_buff *skb, const struct nlattr *start); + /** * nla_nest_end - Finalize nesting of attributes * @skb: socket buffer the attributes are stored in * @start: container attribute * * Corrects the container attribute header to include the all - * appeneded attributes. + * appeneded attributes. The list of attributes will be truncated + * if too long to fit within the parent attribute's maximum reach. * * Returns the total data length of the skb. */ static inline int nla_nest_end(struct sk_buff *skb, struct nlattr *start) { - start->nla_len = skb_tail_pointer(skb) - (unsigned char *)start; + int len = skb_tail_pointer(skb) - (unsigned char *)start; + + if (len > 0xffff) + len = __nla_nest_trunc_msg(skb, start); + start->nla_len = len; return skb->len; } diff --git a/include/uapi/linux/netlink.h b/include/uapi/linux/netlink.h index 3d94269bbfa8..44a250825c30 100644 --- a/include/uapi/linux/netlink.h +++ b/include/uapi/linux/netlink.h @@ -57,6 +57,7 @@ struct nlmsghdr { #define NLM_F_ECHO 0x08 /* Echo this request */ #define NLM_F_DUMP_INTR 0x10 /* Dump was inconsistent due to sequence change */ #define NLM_F_DUMP_FILTERED 0x20 /* Dump was filtered as requested */ +#define NLM_F_NEST_TRUNCATED 0x40 /* Message contains truncated nested attribute */ /* Modifiers to GET request */ #define NLM_F_ROOT 0x100 /* specify tree root */ diff --git a/lib/nlattr.c b/lib/nlattr.c index 5b6116e81f9f..2a267c0d3e16 100644 --- a/lib/nlattr.c +++ b/lib/nlattr.c @@ -1119,4 +1119,31 @@ int nla_append(struct sk_buff *skb, int attrlen, const void *data) return 0; } EXPORT_SYMBOL(nla_append); + +/** + * __nla_nest_trunc_msg - Truncate list of nested netlink attributes to max len + * @skb: socket buffer with tail pointer positioned after end of nested list + * @start: container attribute designating the beginning of the list + * + * Trims the skb to fit only the attributes which are within the range of the + * containing nest attribute. This is a helper for nla_nest_end, to prevent + * adding unduly to the length of what is an inline function. It is not + * intended to be called from anywhere else. + * + * Returns the truncated length of the enclosing nest attribute in accordance + * with the number of whole attributes that can fit. + */ +int __nla_nest_trunc_msg(struct sk_buff *skb, const struct nlattr *start) +{ + struct nlattr *attr = nla_data(start); + int rem = 0xffff - NLA_HDRLEN; + + while (nla_ok(attr, rem)) + attr = nla_next(attr, &rem); + nlmsg_trim(skb, attr); + nlmsg_hdr(skb)->nlmsg_flags |= NLM_F_NEST_TRUNCATED; + return (unsigned char *)attr - (unsigned char *)start; +} +EXPORT_SYMBOL(__nla_nest_trunc_msg); + #endif