From patchwork Mon Aug 31 18:28:05 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Johannes Berg X-Patchwork-Id: 1354523 X-Patchwork-Delegate: davem@davemloft.net
From: Johannes Berg To: netdev@vger.kernel.org Cc: kuba@kernel.org, linux-kernel@vger.kernel.org, davem@davemloft.net, syzkaller-bugs@googlegroups.com, Johannes Berg , syzbot+353df1490da781637624@syzkaller.appspotmail.com Subject: [PATCH] netlink: policy: correct validation type check Date: Mon, 31 Aug 2020 20:28:05 +0200 Message-Id: <20200831202805.8ca5a2fe1ffb.I46f0d5bee0a774517aeec539620895a473dd2299@changeid> X-Mailer: git-send-email 2.26.2 In-Reply-To: <000000000000ee7d1a05ae2f2720@google.com> References: <000000000000ee7d1a05ae2f2720@google.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org From: Johannes Berg In the policy export for binary attributes I erroneously used a != NLA_VALIDATE_NONE comparison instead of checking for the two possible values, which meant that if a validation function pointer ended up aliasing the min/max as negatives, we'd hit a warning in nla_get_range_unsigned(). Fix this to correctly check for only the two types that should be handled here, i.e. range with or without warn-too-long. Reported-by: syzbot+353df1490da781637624@syzkaller.appspotmail.com Fixes: 8aa26c575fb3 ("netlink: make NLA_BINARY validation more flexible") Signed-off-by: Johannes Berg --- net/netlink/policy.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/netlink/policy.c b/net/netlink/policy.c index 7b1f50531cd3..5c9e7530865f 100644 --- a/net/netlink/policy.c +++ b/net/netlink/policy.c @@ -264,7 +264,8 @@ int netlink_policy_dump_write(struct sk_buff *skb, unsigned long _state) else type = NL_ATTR_TYPE_BINARY; - if (pt->validation_type != NLA_VALIDATE_NONE) { + if (pt->validation_type == NLA_VALIDATE_RANGE || + pt->validation_type == NLA_VALIDATE_RANGE_WARN_TOO_LONG) { struct netlink_range_validation range; nla_get_range_unsigned(pt, &range);
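
Review bot: The new condition in netlink_policy_dump_write() lists NLA_VALIDATE_RANGE and NLA_VALIDATE_RANGE_WARN_TOO_LONG inline, with no comment saying why every other validation type must stay away from nla_get_range_unsigned(). The reason is only in the commit message (a validation function pointer can alias the min/max fields), so someone adding a validation type later could widen this check again without seeing the hazard. Consider a short comment above the `if`, or a switch on pt->validation_type with the two range cases spelled out, so the set of types that carry a usable range is documented at the point where it is relied on.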