From patchwork Fri Jan 5 11:27:19 2024
X-Patchwork-Submitter: Tony Duan
X-Patchwork-Id: 1882842
From: Tony Duan
To:
Subject: [SRU][J:linux-bluefield][PATCH v2 5/6] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
Date: Fri, 5 Jan 2024 05:27:19 -0600
Message-ID: <1704454040-11017-6-git-send-email-yifeid@nvidia.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
message to user space") added one additional attribute named
XFRMA_MTIMER_THRESH and described its type at compat_policy
(net/xfrm/xfrm_compat.c). However, the author forgot to also describe the
nla_policy at xfrma_policy (net/xfrm/xfrm_user.c). Hence, this supposed
NLA_U32 (4 bytes) value can be faked as empty (0 bytes) by a malicious
user, which leads to a 4-byte overflow read and heap information leak
when parsing nlattrs.

To exploit this, one malicious user can spray the SLUB objects and then
leverage this 4-byte OOB read to leak the heap data into
x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
userspace via copy_to_user_state_extra(...).

The above bug is assigned CVE-2023-3773. To fix it, this commit just
completes the nla_policy description for XFRMA_MTIMER_THRESH, which
enforces the length check and avoids such an OOB read.

Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
Signed-off-by: Lin Ma
Reviewed-by: Simon Horman
Reviewed-by: Leon Romanovsky
Signed-off-by: Steffen Klassert
(cherry picked from commit 5e2424708da7207087934c5c75211e8584d553a0)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 2b9f760..5e2988b 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -2884,6 +2884,7 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, [XFRMA_SET_MARK] = { .type = NLA_U32 }, [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, [XFRMA_IF_ID] = { .type = NLA_U32 }, + [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, }; EXPORT_SYMBOL_GPL(xfrma_policy);
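Review bot: the single `[XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },` entry is the whole fix and matches the neighbouring NLA_U32 entries, so the only thing worth confirming for this SRU tree is that 4e484b3e969b (the commit named in Fixes:) is already present, so that XFRMA_MTIMER_THRESH exists in the uapi header and the designated initializer lands inside xfrma_policy's XFRMA_MAX + 1 bound; if it were missing, this hunk would fail to compile rather than silently fix nothing. The `static int xfrm_send_migrate(...)` in the hunk header is just git's nearest-function heuristic for a file-scope array, so that function itself needs no change.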
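An added example, not the kernel's code and not part of this patch: a small userspace model of the netlink policy check the commit message describes, with constructed attribute numbers for XFRMA_IF_ID, XFRMA_MTIMER_THRESH and XFRMA_MAX (the real ones live in include/uapi/linux/xfrm.h). With the policy slot left zero-filled (NLA_UNSPEC) a header-only XFRMA_MTIMER_THRESH attribute passes validation, so a later nla_get_u32() would read 4 bytes past it; with the NLA_U32 entry the hunk adds, the same attribute is rejected.

```c
/* Added example, not kernel code: a userspace model of the netlink policy
 * check that a missing xfrma_policy entry bypasses. Attribute numbers are
 * constructed; the real ones live in include/uapi/linux/xfrm.h. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define NLA_ALIGN(n)  (((n) + 3U) & ~3U)
#define NLA_HDRLEN    4U                  /* NLA_ALIGN(sizeof(struct nlattr)) */
#define NLA_TYPE_MASK 0x3fff
enum { NLA_UNSPEC = 0, NLA_U32 = 3 };     /* subset of the kernel's enum */
enum { XFRMA_IF_ID = 1, XFRMA_MTIMER_THRESH = 2, XFRMA_MAX = 2 };
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
struct nla_policy { uint16_t type; };

/* Before the fix the MTIMER_THRESH slot is zero-filled, i.e. NLA_UNSPEC. */
static const struct nla_policy policy_before[XFRMA_MAX + 1] = {
    [XFRMA_IF_ID] = { .type = NLA_U32 },
};
static const struct nla_policy policy_after[XFRMA_MAX + 1] = {
    [XFRMA_IF_ID] = { .type = NLA_U32 },
    [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 },
};
/* Minimum payload a policy type demands; NLA_UNSPEC demands nothing. */
static unsigned nla_minlen(uint16_t t) { return t == NLA_U32 ? 4 : 0; }

/* Walk the attribute stream as nla_parse's policy step does: 0 when every
 * attribute passes, -EINVAL for a malformed stream, -ERANGE (the kernel's
 * choice too) when a payload is shorter than its policy type requires. */
static int validate_attrs(const uint8_t *buf, size_t len,
                          const struct nla_policy *pol, int maxtype)
{
    size_t off = 0;
    while (off + NLA_HDRLEN <= len) {
        struct nlattr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < NLA_HDRLEN || off + a.nla_len > len)
            return -EINVAL;
        int type = a.nla_type & NLA_TYPE_MASK;
        unsigned payload = a.nla_len - NLA_HDRLEN;
        if (type <= maxtype && payload < nla_minlen(pol[type].type))
            return -ERANGE;               /* the check the one-line fix enables */
        off += NLA_ALIGN(a.nla_len);
    }
    return 0;
}
/* Validate one header-only (0-byte payload) XFRMA_MTIMER_THRESH attribute. */
static int check_empty_mtimer(const struct nla_policy *pol)
{
    uint8_t buf[NLA_HDRLEN];
    struct nlattr a = { .nla_len = NLA_HDRLEN, .nla_type = XFRMA_MTIMER_THRESH };
    memcpy(buf, &a, sizeof a);
    return validate_attrs(buf, sizeof buf, pol, XFRMA_MAX);
}
int empty_mtimer_before_fix(void) { return check_empty_mtimer(policy_before); }
int empty_mtimer_after_fix(void)  { return check_empty_mtimer(policy_after); }
```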