From patchwork Fri Apr 19 14:42:14 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1925569
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 1/3] packet: move from strlcpy with unused retval to strscpy
Date: Fri, 19 Apr 2024 09:42:14 -0500
Message-Id: <20240419144219.21413-3-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240419144219.21413-1-bethany.jamison@canonical.com>
References: <20240419144219.21413-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"

From: Wolfram Sang

Follow the advice of the below link and prefer 'strscpy' in this subsystem. Conversion is 1:1 because the return value is not used. Generated by a coccinelle script.

Link: https://lore.kernel.org/r/CAHk-=wgfRnXz0W3D37d01q3JFkr_i_uTL=V6A6G1oUZcprmknw@mail.gmail.com/
Signed-off-by: Wolfram Sang
Link: https://lore.kernel.org/r/20220818210227.8611-1-wsa+renesas@sang-engineering.com
Signed-off-by: Jakub Kicinski
(cherry picked from commit 8fc9d51ea2d32a05f7d7cf86a25cc86ecc57eb45)
CVE-2024-26733
Signed-off-by: Bethany Jamison
---
 net/packet/af_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e7b54f7214110..d62f79cf873dd 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1874,7 +1874,7 @@ static int packet_rcv_spkt(struct sk_buff *skb, struct net_device *dev, */ spkt->spkt_family = dev->type; - strlcpy(spkt->spkt_device, dev->name, sizeof(spkt->spkt_device)); + strscpy(spkt->spkt_device, dev->name, sizeof(spkt->spkt_device)); spkt->spkt_protocol = skb->protocol; /*
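Review bot: the strlcpy() to strscpy() swap in the packet_rcv_spkt() hunk is not entirely behaviour-neutral even with the return value discarded, and the commit message should say so: strlcpy() computes strlen(src) and therefore reads all of dev->name, while strscpy() stops at the destination bound and returns -E2BIG on truncation. Both NUL-terminate spkt->spkt_device, so a dev->name longer than sizeof(spkt->spkt_device) still truncates silently here; what changes is only the dropped over-read of the source. The @@ -3540 hunk's strscpy(uaddr->sa_data, ...) is the same case.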
@@ -3540,7 +3540,7 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); if (dev) - strlcpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); rcu_read_unlock(); return sizeof(*uaddr);

From patchwork Fri Apr 19 14:42:15 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1925571
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 2/3] net: dev: Convert sa_data to flexible array in struct sockaddr
Date: Fri, 19 Apr 2024 09:42:15 -0500
Message-Id: <20240419144219.21413-4-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240419144219.21413-1-bethany.jamison@canonical.com>
References: <20240419144219.21413-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"
From: Kees Cook

One of the worst offenders of "fake flexible arrays" is struct sockaddr, as it is the classic example of why GCC and Clang have been traditionally forced to treat all trailing arrays as fake flexible arrays: in the distant misty past, sa_data became too small, and code started just treating it as a flexible array, even though it was fixed-size. The special case by the compiler is specifically that sizeof(sa->sa_data) and FORTIFY_SOURCE (which uses __builtin_object_size(sa->sa_data, 1)) do not agree (14 and -1 respectively), which makes FORTIFY_SOURCE treat it as a flexible array.

However, the coming -fstrict-flex-arrays compiler flag will remove these special cases so that FORTIFY_SOURCE can gain coverage over all the trailing arrays in the kernel that are _not_ supposed to be treated as a flexible array.

To deal with this change, convert sa_data to a true flexible array. To keep the structure size the same, move sa_data into a union with a newly introduced sa_data_min with the original size. The result is that FORTIFY_SOURCE can continue to have no idea how large sa_data may actually be, but anything using sizeof(sa->sa_data) must switch to sizeof(sa->sa_data_min).

Cc: Jens Axboe
Cc: Pavel Begunkov
Cc: David Ahern
Cc: Dylan Yudaken
Cc: Yajun Deng
Cc: Petr Machata
Cc: Hangbin Liu
Cc: Leon Romanovsky
Cc: syzbot
Cc: Willem de Bruijn
Cc: Pablo Neira Ayuso
Signed-off-by: Kees Cook
Link: https://lore.kernel.org/r/20221018095503.never.671-kees@kernel.org
Signed-off-by: Jakub Kicinski
(cherry picked from commit b5f0de6df6dce8d641ef58ef7012f3304dffb9a1)
CVE-2024-26733
Signed-off-by: Bethany Jamison
---
 include/linux/socket.h | 5 ++++-
 net/core/dev.c | 2 +-
 net/core/dev_ioctl.c | 2 +-
 net/packet/af_packet.c | 10 +++++-----
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/include/linux/socket.h b/include/linux/socket.h
index 041d6032a3489..4c5ce8124f8e7 100644
--- a/include/linux/socket.h
+++ b/include/linux/socket.h
@@ -31,7 +31,10 @@ typedef __kernel_sa_family_t sa_family_t; struct sockaddr { sa_family_t sa_family; /* address family, AF_xxx */ - char sa_data[14]; /* 14 bytes of protocol address */ + union { + char sa_data_min[14]; /* Minimum 14 bytes of protocol address */ + DECLARE_FLEX_ARRAY(char, sa_data); + }; }; struct linger { diff --git a/net/core/dev.c b/net/core/dev.c index 8501645ff67dd..af77dc77eb9c8 100644 --- a/net/core/dev.c +++ b/net/core/dev.c @@ -9090,7 +9090,7 @@ EXPORT_SYMBOL(dev_set_mac_address_user); int dev_get_mac_address(struct sockaddr *sa, struct net *net, char *dev_name) { - size_t size = sizeof(sa->sa_data); + size_t size = sizeof(sa->sa_data_min); struct net_device *dev; int ret = 0; diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c index 0e87237fd8712..6ddfd7bfc5127 100644 --- a/net/core/dev_ioctl.c +++ b/net/core/dev_ioctl.c @@ -339,7 +339,7 @@ static int dev_ifsioc(struct net *net, struct ifreq *ifr, void __user *data, if (ifr->ifr_hwaddr.sa_family != dev->type) return -EINVAL; memcpy(dev->broadcast, ifr->ifr_hwaddr.sa_data, - min(sizeof(ifr->ifr_hwaddr.sa_data), + min(sizeof(ifr->ifr_hwaddr.sa_data_min), (size_t)dev->addr_len)); call_netdevice_notifiers(NETDEV_CHANGEADDR, dev); return 0; diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index d62f79cf873dd..75fb80717e489 100644 --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3252,7 +3252,7 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, int addr_len) { struct sock *sk = sock->sk; - char name[sizeof(uaddr->sa_data) + 1]; + char name[sizeof(uaddr->sa_data_min) + 1]; /* * Check legality 
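Review bot: the include/linux/socket.h hunk changes which member has a usable sizeof(), but the new comment only says "Minimum 14 bytes of protocol address"; it should state that sa_data is now a flexible array, that sizeof(sa->sa_data) no longer compiles, and that sa_data_min exists to keep sizeof(struct sockaddr) at its previous 16 bytes (2-byte sa_family plus 14), which the commit message makes a requirement. A static_assert(sizeof(struct sockaddr) == 16) next to the union would make that requirement checked rather than assumed. The sizeof() conversions in the net/core/dev.c, net/core/dev_ioctl.c and net/packet/af_packet.c hunks that follow look correct; the dev_ioctl.c one, min(sizeof(ifr->ifr_hwaddr.sa_data_min), (size_t)dev->addr_len), also shows the cast needed for min() to accept the two operand types, which matters for the arp.c change later in this series.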
@@ -3263,8 +3263,8 @@ static int packet_bind_spkt(struct socket *sock, struct sockaddr *uaddr, /* uaddr->sa_data comes from the userspace, it's not guaranteed to be * zero-terminated. */ - memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data)); - name[sizeof(uaddr->sa_data)] = 0; + memcpy(name, uaddr->sa_data, sizeof(uaddr->sa_data_min)); + name[sizeof(uaddr->sa_data_min)] = 0; return packet_do_bind(sk, name, 0, 0); } 
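Review bot: in the packet_bind_spkt() hunk the copy length and the terminator index are both spelled sizeof(uaddr->sa_data_min), while the destination was declared in the previous hunk as name[sizeof(uaddr->sa_data_min) + 1]; tying both to the destination, memcpy(name, uaddr->sa_data, sizeof(name) - 1); name[sizeof(name) - 1] = 0;, keeps the bound and the buffer from drifting apart in a later edit. The comment above the copy could also note that only 14 bytes of the name are read, so a device name longer than 14 characters is silently truncated before packet_do_bind() sees it; that is pre-existing behaviour, not introduced here, but the rename is a good moment to document it.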
@@ -3536,11 +3536,11 @@ static int packet_getname_spkt(struct socket *sock, struct sockaddr *uaddr, return -EOPNOTSUPP; uaddr->sa_family = AF_PACKET; - memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data)); + memset(uaddr->sa_data, 0, sizeof(uaddr->sa_data_min)); rcu_read_lock(); dev = dev_get_by_index_rcu(sock_net(sk), READ_ONCE(pkt_sk(sk)->ifindex)); if (dev) - strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data)); + strscpy(uaddr->sa_data, dev->name, sizeof(uaddr->sa_data_min)); rcu_read_unlock(); return sizeof(*uaddr);

From patchwork Fri Apr 19 14:42:16 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1925572
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 3/3] arp: Prevent overflow in arp_req_get().
Date: Fri, 19 Apr 2024 09:42:16 -0500
Message-Id: <20240419144219.21413-5-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240419144219.21413-1-bethany.jamison@canonical.com>
References: <20240419144219.21413-1-bethany.jamison@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team"
From: Kuniyuki Iwashima

syzkaller reported an overflown write in arp_req_get(). [0]

When ioctl(SIOCGARP) is issued, arp_req_get() looks up a neighbour entry and copies neigh->ha to struct arpreq.arp_ha.sa_data. The arp_ha here is struct sockaddr, not struct sockaddr_storage, so the sa_data buffer is just 14 bytes.

In the splat below, 2 bytes are overflown to the next int field, arp_flags. We initialise the field just after the memcpy(), so it's not a problem.

However, when dev->addr_len is greater than 22 (e.g. MAX_ADDR_LEN), arp_netmask is overwritten, which could be set as htonl(0xFFFFFFFFUL) in arp_ioctl() before calling arp_req_get().

To avoid the overflow, let's limit the max length of memcpy().

Note that commit b5f0de6df6dc ("net: dev: Convert sa_data to flexible array in struct sockaddr") just silenced syzkaller.

[0]:
memcpy: detected field-spanning write (size 16) of single field "r->arp_ha.sa_data" at net/ipv4/arp.c:1128 (size 14)
WARNING: CPU: 0 PID: 144638 at net/ipv4/arp.c:1128 arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Modules linked in:
CPU: 0 PID: 144638 Comm: syz-executor.4 Not tainted 6.1.74 #31
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-debian-1.16.0-5 04/01/2014
RIP: 0010:arp_req_get+0x411/0x4a0 net/ipv4/arp.c:1128
Code: fd ff ff e8 41 42 de fb b9 0e 00 00 00 4c 89 fe 48 c7 c2 20 6d ab 87 48 c7 c7 80 6d ab 87 c6 05 25 af 72 04 01 e8 5f 8d ad fb <0f> 0b e9 6c fd ff ff e8 13 42 de fb be 03 00 00 00 4c 89 e7 e8 a6
RSP: 0018:ffffc900050b7998 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88803a815000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff8641a44a RDI: 0000000000000001
RBP: ffffc900050b7a98 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 203a7970636d656d R12: ffff888039c54000
R13: 1ffff92000a16f37 R14: ffff88803a815084 R15: 0000000000000010
FS:  00007f172bf306c0(0000) GS:ffff88805aa00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f172b3569f0 CR3: 0000000057f12005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 arp_ioctl+0x33f/0x4b0 net/ipv4/arp.c:1261
 inet_ioctl+0x314/0x3a0 net/ipv4/af_inet.c:981
 sock_do_ioctl+0xdf/0x260 net/socket.c:1204
 sock_ioctl+0x3ef/0x650 net/socket.c:1321
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:870 [inline]
 __se_sys_ioctl fs/ioctl.c:856 [inline]
 __x64_sys_ioctl+0x18e/0x220 fs/ioctl.c:856
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x37/0x90 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x64/0xce
RIP: 0033:0x7f172b262b8d
Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f172bf300b8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f172b3abf80 RCX: 00007f172b262b8d
RDX: 0000000020000000 RSI: 0000000000008954 RDI: 0000000000000003
RBP: 00007f172b2d3493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007f172b3abf80 R15: 00007f172bf10000

Reported-by: syzkaller
Reported-by: Bjoern Doebel
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima
Link: https://lore.kernel.org/r/20240215230516.31330-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni
(cherry picked from commit a7d6027790acea24446ddd6632d394096c0f4667)
CVE-2024-26733
Signed-off-by: Bethany Jamison
---
 net/ipv4/arp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index 83a47998c4b18..5685fdfd810c6 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1104,7 +1104,8 @@ static int arp_req_get(struct arpreq *r, struct net_device *dev) if (neigh) { if (!(neigh->nud_state & NUD_NOARP)) { read_lock_bh(&neigh->lock); - memcpy(r->arp_ha.sa_data, neigh->ha, dev->addr_len); + memcpy(r->arp_ha.sa_data, neigh->ha, + min(dev->addr_len, sizeof(r->arp_ha.sa_data_min))); r->arp_flags = arp_state_to_flags(neigh); read_unlock_bh(&neigh->lock); r->arp_ha.sa_family = dev->type;
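Review bot: in the arp_req_get() hunk, min(dev->addr_len, sizeof(r->arp_ha.sa_data_min)) compares an unsigned char with a size_t; the kernel's min() type-checks its operands, and on trees whose min() still uses the pointer-comparison check this mix produces the "comparison of distinct pointer types lacks a cast" warning (the dev_ioctl.c hunk earlier in this series casts to size_t for that reason), so either confirm the target tree builds this warning-free or write it as min_t(size_t, dev->addr_len, sizeof(r->arp_ha.sa_data_min)). The fix itself is right: the copy can no longer run into arp_flags or arp_netmask. One sentence in the message would help SRU reviewers: an address longer than 14 bytes is now silently truncated for the SIOCGARP caller rather than rejected, which matches upstream.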
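As an added illustration, not code from the kernel or from any of the three patches, the standalone C program below models two things this series describes: the layout trick from PATCH 2/3's message (keep struct sockaddr the same 16 bytes while making sa_data a true flexible array, with sa_data_min carrying the old 14-byte size) and the bounded copy from PATCH 3/3's arp_req_get() hunk. It checks that both struct versions have the same size, that a copy clamped to sizeof(sa_data_min) leaves the field behind sa_data untouched, and how far an unclamped copy of MAX_ADDR_LEN bytes would reach. The names sockaddr_old, sockaddr_new, arpreq_model, copy_hwaddr_bounded, unbounded_spill, bytes_to_netmask and neighbour_field_intact are hypothetical stand-ins; the 14-byte sa_data_min and 2-byte sa_family_t follow the hunks above, MAX_ADDR_LEN = 32 is the kernel's value, and the nested struct with an empty first member mirrors what DECLARE_FLEX_ARRAY() expands to so that a flexible array can sit inside a union.

```c
/* Added example, not code from the kernel or from any patch in this series.
 * Userspace model of PATCH 2/3's sockaddr layout trick and PATCH 3/3's
 * bounded copy. All type and function names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned short sa_family_t;   /* __kernel_sa_family_t is 16-bit */
#define SA_DATA_MIN_LEN 14            /* size from the socket.h hunk */
#define MAX_ADDR_LEN    32            /* kernel's upper bound for dev->addr_len */

/* Before the series: a 14-byte trailing array that callers treated as if it
 * were flexible, which is why compilers had to special-case it. */
struct sockaddr_old {
    sa_family_t sa_family;
    char sa_data[SA_DATA_MIN_LEN];
};

/* After PATCH 2/3: identical size and layout, but sa_data is a genuine
 * flexible array. The nested struct with an empty first member mirrors what
 * the kernel's DECLARE_FLEX_ARRAY() expands to (GNU C extension). */
struct sockaddr_new {
    sa_family_t sa_family;
    union {
        char sa_data_min[SA_DATA_MIN_LEN]; /* the member that has a sizeof() */
        struct {
            struct { } __empty_sa_data;
            char sa_data[];               /* FORTIFY_SOURCE: size unknown */
        };
    };
};

/* The prefix of struct arpreq that matters: arp_ha is followed by arp_flags
 * and then arp_netmask, the fields the PATCH 3/3 message says an unbounded
 * memcpy() runs into. */
struct arpreq_model {
    struct sockaddr_new arp_pa;
    struct sockaddr_new arp_ha;
    int arp_flags;
    struct sockaddr_new arp_netmask;
};

/* The fixed copy: clamp the length to the real buffer, as
 * min(dev->addr_len, sizeof(r->arp_ha.sa_data_min)) does in the hunk.
 * Returns the number of bytes written. */
size_t copy_hwaddr_bounded(struct sockaddr_new *sa, const unsigned char *ha,
                           size_t addr_len)
{
    size_t n = addr_len < sizeof(sa->sa_data_min) ? addr_len
                                                   : sizeof(sa->sa_data_min);
    memcpy(sa->sa_data, ha, n);
    return n;
}

/* Bytes that the pre-fix memcpy(sa_data, ha, addr_len) would have written
 * past the 14-byte buffer. Computed only; the overflow is never performed. */
size_t unbounded_spill(size_t addr_len)
{
    return addr_len > SA_DATA_MIN_LEN ? addr_len - SA_DATA_MIN_LEN : 0;
}

/* Distance from the start of arp_ha.sa_data to arp_netmask: a spill larger
 * than this reaches the netmask, the second case in the commit message. */
size_t bytes_to_netmask(void)
{
    return offsetof(struct arpreq_model, arp_netmask)
         - offsetof(struct arpreq_model, arp_ha.sa_data_min);
}

/* Copy addr_len bytes of a constructed address into a zeroed request and
 * report whether the arp_flags sentinel behind sa_data survived (1) or not (0). */
int neighbour_field_intact(size_t addr_len)
{
    struct arpreq_model r;
    unsigned char ha[MAX_ADDR_LEN];

    memset(&r, 0, sizeof(r));
    memset(ha, 0xab, sizeof(ha));           /* constructed hardware address */
    r.arp_flags = 0x5a5a5a5a;               /* sentinel */
    copy_hwaddr_bounded(&r.arp_ha, ha, addr_len);
    return r.arp_flags == 0x5a5a5a5a;
}

int main(void)
{
    printf("sizeof(struct sockaddr_old)=%zu sizeof(struct sockaddr_new)=%zu\n",
           sizeof(struct sockaddr_old), sizeof(struct sockaddr_new));
    printf("addr_len=%d: unbounded copy would spill %zu bytes, netmask starts "
           "%zu bytes past sa_data; bounded copy keeps arp_flags intact: %d\n",
           MAX_ADDR_LEN, unbounded_spill(MAX_ADDR_LEN), bytes_to_netmask(),
           neighbour_field_intact(MAX_ADDR_LEN));
    return 0;
}
```

Build with a plain `cc example.c` (no -pedantic-errors, since the empty struct inside the union is the same GNU extension the kernel relies on). The spill of 18 bytes for a MAX_ADDR_LEN address equals the distance to arp_netmask, which is why the commit message can say the netmask is reached once dev->addr_len exceeds the 14-byte buffer plus arp_flags.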