linux/tools
Ido Schimmel d8a21070b6 nexthop: Fix out-of-bounds access during attribute validation
Passing a maximum attribute type to nlmsg_parse() that is larger than
the size of the passed policy will result in an out-of-bounds access [1]
when the attribute type is used as an index into the policy array.

Fix by setting the maximum attribute type according to the policy size,
as is already done for RTM_NEWNEXTHOP messages. Add a test case that
triggers the bug.

No regressions in fib nexthops tests:

 # ./fib_nexthops.sh
 [...]
 Tests passed: 236
 Tests failed:   0

[1]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x1e53/0x2940
Read of size 1 at addr ffffffff99ab4d20 by task ip/610

CPU: 3 PID: 610 Comm: ip Not tainted 6.8.0-rc7-custom-gd435d6e3e161 #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl+0x8f/0xe0
 print_report+0xcf/0x670
 kasan_report+0xd8/0x110
 __nla_validate_parse+0x1e53/0x2940
 __nla_parse+0x40/0x50
 rtm_del_nexthop+0x1bd/0x400
 rtnetlink_rcv_msg+0x3cc/0xf20
 netlink_rcv_skb+0x170/0x440
 netlink_unicast+0x540/0x820
 netlink_sendmsg+0x8d3/0xdb0
 ____sys_sendmsg+0x31f/0xa60
 ___sys_sendmsg+0x13a/0x1e0
 __sys_sendmsg+0x11c/0x1f0
 do_syscall_64+0xc5/0x1d0
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
[...]

The buggy address belongs to the variable:
 rtm_nh_policy_del+0x20/0x40

Fixes: 2118f9390d ("net: nexthop: Adjust netlink policy parsing for a new attribute")
Reported-by: Eric Dumazet <edumazet@google.com>
Closes: https://lore.kernel.org/netdev/CANn89i+UNcG0PJMW5X7gOMunF38ryMh=L1aeZUKH3kL4UdUqag@mail.gmail.com/
Reported-by: syzbot+65bb09a7208ce3d4a633@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/00000000000088981b06133bc07b@google.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20240311162307.545385-4-idosch@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-03-11 20:35:20 -07:00
..
accounting
arch work around gcc bugs with 'asm goto' with outputs 2024-02-09 15:57:48 -08:00
bootconfig
bpf libbpf: Recognize __arena global variables. 2024-03-11 15:43:35 -07:00
build perf cs-etm: Bump minimum OpenCSD version to ensure a bugfix is present 2023-11-27 10:21:27 -03:00
certs
cgroup samples: introduce new samples subdir for cgroup 2023-12-10 16:51:54 -08:00
counter tools/counter: Remove unneeded semicolon 2023-12-20 11:43:31 -05:00
crypto crypto: tcrypt - add script tcrypt_speed_compare.py 2023-12-29 11:25:55 +08:00
debugging
edid
firewire
firmware
gpio
hv hv/hv_kvp_daemon: Some small fixes for handling NM keyfiles 2023-11-10 23:27:46 +00:00
iio iio: add modifiers for A and B ultraviolet light 2023-12-04 13:57:24 +00:00
include for-netdev 2024-03-11 18:06:04 -07:00
kvm/kvm_stat
laptop
leds
lib libbpf: Recognize __arena global variables. 2024-03-11 15:43:35 -07:00
memory-model
mm
net/ynl netlink: specs: support generating code for genl socket priv 2024-03-11 15:15:42 -07:00
objtool Address a GCC-14 warning: there's no real bug, but indeed the calloc order doesn't match 2024-01-08 18:31:27 -08:00
pci
pcmcia
perf perf evlist: Fix evlist__new_default() for > 1 core PMU 2024-01-30 11:40:28 -03:00
power tools cpupower bench: Override CFLAGS assignments 2024-01-21 16:57:51 -07:00
rcu
scripts
spi
testing nexthop: Fix out-of-bounds access during attribute validation 2024-03-11 20:35:20 -07:00
thermal tools/thermal/tmon: Fix compilation warning for wrong format 2024-01-02 09:33:19 +01:00
time
tracing tools/rtla: Exit with EXIT_SUCCESS when help is invoked 2024-02-12 10:59:09 +01:00
usb
verification tools/rv: Fix curr_reactor uninitialized variable 2024-02-12 09:58:36 +01:00
virtio tools: virtio: introduce vhost_net_test 2024-03-05 11:38:14 +01:00
wmi
workqueue
Makefile