From patchwork Mon Dec 25 06:20:30 2023
X-Patchwork-Submitter: Tony Duan
X-Patchwork-Id: 1880067
From: Tony Duan
To:
Subject: [SRU][J:linux-bluefield][PATCH v1 8/9] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
Date: Mon, 25 Dec 2023 00:20:30 -0600
Message-ID: <1703485231-27098-9-git-send-email-yifeid@nvidia.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1703485231-27098-1-git-send-email-yifeid@nvidia.com>
References: <1703485231-27098-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space") added one additional attribute named XFRMA_MTIMER_THRESH and described its type at compat_policy (net/xfrm/xfrm_compat.c). However, the author forgot to also describe the nla_policy at xfrma_policy (net/xfrm/xfrm_user.c). Hence, this supposed NLA_U32 (4 bytes) value can be faked as empty (0 bytes) by a malicious user, which leads to a 4-byte overflow read and heap information leak when parsing nlattrs.

To exploit this, one malicious user can spray the SLUB objects and then leverage this 4-byte OOB read to leak the heap data into x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to userspace via copy_to_user_state_extra(...).

The above bug is assigned CVE-2023-3773.

To fix it, this commit just completes the nla_policy description for XFRMA_MTIMER_THRESH, which enforces the length check and avoids such OOB read.

Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
Signed-off-by: Lin Ma
Reviewed-by: Simon Horman
Reviewed-by: Leon Romanovsky
Signed-off-by: Steffen Klassert
(cherry picked from commit 5e2424708da7207087934c5c75211e8584d553a0)
Signed-off-by: Tony Duan
---
 net/xfrm/xfrm_user.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1eb2592..b17dcc5 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2884,6 +2884,7 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, [XFRMA_SET_MARK] = { .type = NLA_U32 }, [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, [XFRMA_IF_ID] = { .type = NLA_U32 }, + [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, }; EXPORT_SYMBOL_GPL(xfrma_policy);
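Review bot: The hunk header's function context (`static int xfrm_send_migrate`) is only git's nearest-preceding-symbol heuristic; the added `[XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },` belongs to the `xfrma_policy` table whose closing `};` and `EXPORT_SYMBOL_GPL(xfrma_policy);` are the trailing context, so when applying the backport check that the line lands inside that initializer next to `[XFRMA_IF_ID]` and not near the function the header names. The cherry-pick only makes sense if this linux-bluefield tree already carries 4e484b3e969b (the commit named in Fixes:, which introduced XFRMA_MTIMER_THRESH and its compat_policy entry in net/xfrm/xfrm_compat.c); please confirm that in the SRU justification, since with both entries present the native and compat parsers now agree on NLA_U32 and a header-only XFRMA_MTIMER_THRESH that was previously accepted (and read 4 bytes past its payload) is refused by the length check. That is a small userspace-visible behaviour change and is worth one sentence in the regression-potential section.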
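As an added illustration (this is not part of the patch, and not Lin Ma's or the kernel's code), the following userland C model of the kernel's nla_parse()/validate_nla()/nla_get_u32() path shows why the missing policy entry matters. It parses the same attribute stream twice: once with a policy table that, like the pre-fix xfrma_policy, has no entry for the attribute (so the slot is zero-initialised and carries no length requirement), and once with the NLA_U32 entry the patch adds. The attribute numbers (ATTR_IF_ID, ATTR_MTIMER_THRESH), the LEAK_MARKER value and the 32-byte "heap" buffer are constructed for the demo and are not the real XFRMA_* values; the 4 bytes after the end of the message stand in for the adjacent heap data that the commit message describes leaking into x->mapping_maxage.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))

/* Netlink attribute header: total length (header included) and type. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

enum nla_type_kind { NLA_UNSPEC, NLA_U32 };
struct nla_policy { uint16_t type; uint16_t len; };

/* Attribute numbers are assumptions for this model, not the real XFRMA_* values. */
enum { ATTR_UNSPEC, ATTR_IF_ID, ATTR_MTIMER_THRESH, ATTR_MAX = ATTR_MTIMER_THRESH };

/* Before the fix: no entry for ATTR_MTIMER_THRESH, so its slot is the
 * zero-initialised { NLA_UNSPEC, 0 }, which imposes no length requirement. */
static const struct nla_policy policy_before[ATTR_MAX + 1] = {
	[ATTR_IF_ID] = { .type = NLA_U32 },
};

/* After the fix: the attribute is declared NLA_U32, so a 4-byte payload is enforced. */
static const struct nla_policy policy_after[ATTR_MAX + 1] = {
	[ATTR_IF_ID]         = { .type = NLA_U32 },
	[ATTR_MTIMER_THRESH] = { .type = NLA_U32 },
};

/* Cut-down validate_nla(): NLA_U32 needs at least 4 payload bytes, else -ERANGE. */
static int validate_nla(const struct nlattr *nla, const struct nla_policy *pt)
{
	int payload = nla->nla_len - NLA_HDRLEN;
	if (pt->type == NLA_U32 && payload < 4)
		return -ERANGE;
	return 0; /* NLA_UNSPEC with len 0 accepts anything, including an empty payload */
}

/* Cut-down nla_parse(): walk the TLV stream, validate each attribute against the
 * policy, and record its offset in tb[] (-1 = absent). Offsets instead of pointers
 * keep the model free of alignment/aliasing concerns. */
static int nla_parse(int *tb, int maxtype, const uint8_t *buf, int len,
		     const struct nla_policy *policy)
{
	int off = 0;
	for (int i = 0; i <= maxtype; i++)
		tb[i] = -1;
	if (len < 0)
		return -EINVAL;
	while (len - off >= NLA_HDRLEN) {
		struct nlattr nla;
		memcpy(&nla, buf + off, sizeof nla);
		if (nla.nla_len < NLA_HDRLEN || nla.nla_len > len - off)
			return -EINVAL;
		if (nla.nla_type != 0 && nla.nla_type <= maxtype) {
			int err = validate_nla(&nla, &policy[nla.nla_type]);
			if (err)
				return err;
			tb[nla.nla_type] = off;
		}
		off += NLA_ALIGN(nla.nla_len);
	}
	return 0;
}

/* nla_get_u32() trusts the policy: it reads 4 bytes after the header unconditionally. */
static uint32_t nla_get_u32(const uint8_t *buf, int off)
{
	uint32_t v;
	memcpy(&v, buf + off + NLA_HDRLEN, sizeof v);
	return v;
}

/* Constructed hostile message: a header-only ATTR_MTIMER_THRESH (0-byte payload).
 * The 4 bytes written after the message end stand in for neighbouring heap data. */
#define LEAK_MARKER 0xdeadbeefu

static int build_hostile_msg(uint8_t *buf, int cap)
{
	struct nlattr hdr = { .nla_len = NLA_HDRLEN, .nla_type = ATTR_MTIMER_THRESH };
	uint32_t neighbour = LEAK_MARKER;
	if (cap < NLA_HDRLEN + (int)sizeof neighbour)
		return -1;
	memcpy(buf, &hdr, sizeof hdr);
	memcpy(buf + NLA_HDRLEN, &neighbour, sizeof neighbour);
	return NLA_HDRLEN; /* message length: the marker lies beyond the message */
}

/* Model of the xfrm_update_ae_params() path: parse, then copy the attribute into
 * mapping_maxage. Returns the parse error, or 0 with *mapping_maxage set. */
static int process_ae(const struct nla_policy *policy, uint32_t *mapping_maxage)
{
	uint8_t heap[32] = {0}; /* the array bounds keep this demo itself memory-safe */
	int tb[ATTR_MAX + 1];
	int err = nla_parse(tb, ATTR_MAX, heap, build_hostile_msg(heap, sizeof heap), policy);
	if (err)
		return err;
	if (tb[ATTR_MTIMER_THRESH] >= 0)
		*mapping_maxage = nla_get_u32(heap, tb[ATTR_MTIMER_THRESH]); /* 0-byte payload: reads past it */
	return 0;
}

int main(void)
{
	uint32_t v = 0;
	int err = process_ae(policy_before, &v);
	printf("before fix: err=%d mapping_maxage=0x%08x (neighbouring bytes leaked)\n", err, v);
	v = 0;
	err = process_ae(policy_after, &v);
	printf("after fix:  err=%d (%s)\n", err, err == -ERANGE ? "-ERANGE, rejected" : "unexpected");
	return 0;
}
```

With policy_before the zero-length attribute passes validation and nla_get_u32() returns the marker that was never part of the message; with policy_after the same message is rejected before any value is read, which is the whole effect of the one-line policy entry.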