From patchwork Thu Jul 27 23:22:20 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Cengiz Can <cengiz.can@canonical.com>
X-Patchwork-Id: 1814004
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=CP/e06qt;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4RBmzN2ZVtz1yYD
	for <incoming@patchwork.ozlabs.org>; Fri, 28 Jul 2023 09:23:28 +1000 (AEST)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1qPAKJ-0002Mq-Aa; Thu, 27 Jul 2023 23:23:23 +0000
Received: from smtp-relay-internal-1.internal ([10.131.114.114]
 helo=smtp-relay-internal-1.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <cengiz.can@canonical.com>) id 1qPAKH-0002Lz-VY
 for kernel-team@lists.ubuntu.com; Thu, 27 Jul 2023 23:23:21 +0000
Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com
 [209.85.221.72])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id BC1453F189
 for <kernel-team@lists.ubuntu.com>; Thu, 27 Jul 2023 23:23:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1690500201;
 bh=ZQM3zUpDoXs4T6XUnWCP64/lI3y90OsPfesReBKgwvQ=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=CP/e06qtJS0tJJv8PURnPwIuhFYik8oPDGP4cFrw7n3aMAgm047YyGxhRE/nASBCl
 LmzR0Q1hU25dY4llwGNPLo9nsH8KxvvHIBDFy3KZze/jg55can2K/sVS1WJ0RqPsW7
 rnEiBmnLkU4VLw2cbJ7ngCjO1SMsEQ3I02vwGI/UtqDyayjq/BWssrElwozin1pzy/
 djoDxghR+A9EH/v0mD1elz8OH90EOG6SNNU6WPu0MvtFYEhNUF0XRd8rX5uyZP/eGJ
 laVSaXP2D8qG+SN1YJlBvyeuMz3KAH46Eq8qI16fZZcRNWjoZP5ItpO8v7k1jvsPsl
 vX60k1onusMGQ==
Received: by mail-wr1-f72.google.com with SMTP id
 ffacd0b85a97d-3113da8b778so831824f8f.3
 for <kernel-team@lists.ubuntu.com>; Thu, 27 Jul 2023 16:23:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1690500201; x=1691105001;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=ZQM3zUpDoXs4T6XUnWCP64/lI3y90OsPfesReBKgwvQ=;
 b=WgNyT3C0FGJbBoiGchaHC4fK82TkEg9ch+OKJXsmXhHJxe6JxVrHlH+zZLy+8LOcf1
 DjPry4gds4Fp9jHEbyZ18cpINVR6cpre9iyxZPryUlCkeUin0lVVGNnnEQj2fOkGZwlh
 xXIy9eAkna2aNPCBSXketi984N3bInrDTj6oHWnqR3Pegwhw0HZry5nxIKJs0Mo6PCYv
 Bq5ETX8Vb9yhNbdvfLJJY+XrDi4WzoWkDJu2vhlQh76cIoaff5UVzK47zQBh+BgoHoE7
 8I2+QvdbD02Y+lYrywtLQW8DmjuH+CKamVZQIL6T4EtkMhmQu8+0kWh0NN2DxNfUWIhA
 sHfg==
X-Gm-Message-State: ABy/qLaAGuDCjhGl6BB2my1107Bxfk4+QhhtiPoFrzRm/V8Tdk4ZGQgs
 JJgH+Dp7bCDOCKWuDSq5LRjXrLBYCtPDr0dDSTj1IJi/MnbOk0g6/t/DH1jU+7idmnmyXLDRa8x
 aW9NkeMjp/y2lunv/Dj7+hZr8DXhR2B+gWkfnc2N8E41F1Xvxf9WK
X-Received: by 2002:adf:fa09:0:b0:317:3deb:a899 with SMTP id
 m9-20020adffa09000000b003173deba899mr375135wrr.1.1690500201259;
 Thu, 27 Jul 2023 16:23:21 -0700 (PDT)
X-Google-Smtp-Source: 
 APBJJlHKUdydSlgMwI1DkKM1kCUjQx78tPaMDAwwv5O/fw1WEuAMpye0VLk1zBUPxmF1c39nKJ0juw==
X-Received: by 2002:adf:fa09:0:b0:317:3deb:a899 with SMTP id
 m9-20020adffa09000000b003173deba899mr375132wrr.1.1690500200913;
 Thu, 27 Jul 2023 16:23:20 -0700 (PDT)
Received: from localhost (uk.sesame.canonical.com. [185.125.190.60])
 by smtp.gmail.com with ESMTPSA id
 1-20020a05600c248100b003fbd2a9e94asm2792983wms.31.2023.07.27.16.23.20
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 27 Jul 2023 16:23:20 -0700 (PDT)
From: Cengiz Can <cengiz.can@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU Jammy/Kinetic/Lunar 1/2] net/sched: sch_qfq: refactor parsing of
 netlink parameters
Date: Fri, 28 Jul 2023 02:22:20 +0300
Message-Id: <20230727232220.972472-3-cengiz.can@canonical.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20230727232220.972472-1-cengiz.can@canonical.com>
References: <20230727232220.972472-1-cengiz.can@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pedro Tammela <pctammela@mojatatu.com>

Two parameters can be transformed into netlink policies and
validated while parsing the netlink message.

Reviewed-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
CVE-2023-3611
(cherry picked from commit 25369891fcef373540f8b4e0b3bccf77a04490d5)
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can <cengiz.can@canonical.com>
---
 net/sched/sch_qfq.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c
index 4c51aeb78f14..8fb30b20425f 100644
--- a/net/sched/sch_qfq.c
+++ b/net/sched/sch_qfq.c
@@ -113,6 +113,7 @@
 
 #define QFQ_MTU_SHIFT		16	/* to support TSO/GSO */
 #define QFQ_MIN_LMAX		512	/* see qfq_slot_insert */
+#define QFQ_MAX_LMAX		(1UL << QFQ_MTU_SHIFT)
 
 #define QFQ_MAX_AGG_CLASSES	8 /* max num classes per aggregate allowed */
 
@@ -214,9 +215,14 @@ static struct qfq_class *qfq_find_class(struct Qdisc *sch, u32 classid)
 	return container_of(clc, struct qfq_class, common);
 }
 
+static struct netlink_range_validation lmax_range = {
+	.min = QFQ_MIN_LMAX,
+	.max = QFQ_MAX_LMAX,
+};
+
 static const struct nla_policy qfq_policy[TCA_QFQ_MAX + 1] = {
-	[TCA_QFQ_WEIGHT] = { .type = NLA_U32 },
-	[TCA_QFQ_LMAX] = { .type = NLA_U32 },
+	[TCA_QFQ_WEIGHT] = NLA_POLICY_RANGE(NLA_U32, 1, QFQ_MAX_WEIGHT),
+	[TCA_QFQ_LMAX] = NLA_POLICY_FULL_RANGE(NLA_U32, &lmax_range),
 };
 
 /*
@@ -408,17 +414,13 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 	}
 
 	err = nla_parse_nested_deprecated(tb, TCA_QFQ_MAX, tca[TCA_OPTIONS],
-					  qfq_policy, NULL);
+					  qfq_policy, extack);
 	if (err < 0)
 		return err;
 
-	if (tb[TCA_QFQ_WEIGHT]) {
+	if (tb[TCA_QFQ_WEIGHT])
 		weight = nla_get_u32(tb[TCA_QFQ_WEIGHT]);
-		if (!weight || weight > (1UL << QFQ_MAX_WSHIFT)) {
-			pr_notice("qfq: invalid weight %u\n", weight);
-			return -EINVAL;
-		}
-	} else
+	else
 		weight = 1;
 
 	if (tb[TCA_QFQ_LMAX])
@@ -426,11 +428,6 @@ static int qfq_change_class(struct Qdisc *sch, u32 classid, u32 parentid,
 	else
 		lmax = psched_mtu(qdisc_dev(sch));
 
-	if (lmax < QFQ_MIN_LMAX || lmax > (1UL << QFQ_MTU_SHIFT)) {
-		pr_notice("qfq: invalid max length %u\n", lmax);
-		return -EINVAL;
-	}
-
 	inv_w = ONE_FP / weight;
 	weight = ONE_FP / inv_w;