1. 03 Aug, 2023 15 commits
  2. 02 Aug, 2023 8 commits
    • Hans de Goede's avatar
      wifi: brcmfmac: Fix field-spanning write in brcmf_scan_params_v2_to_v1() · 16e455a4
      Hans de Goede authored
      Using brcmfmac with 6.5-rc3 on a brcmfmac43241b4-sdio triggers
      a backtrace caused by the following field-spanning warning:
      
      memcpy: detected field-spanning write (size 120) of single field
        "&params_le->channel_list[0]" at
        drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:1072 (size 2)
      
      The driver still works after this warning. The warning was introduced by the
      new field-spanning write checks which were enabled recently.
      
      Fix this by replacing the channel_list[1] declaration at the end of
      the struct with a flexible array declaration.
      
      Most users of struct brcmf_scan_params_le calculate the size to alloc
      using the size of the non flex-array part of the struct + needed extra
      space, so they do not care about sizeof(struct brcmf_scan_params_le).
      
      brcmf_notify_escan_complete() however uses the struct on the stack,
      expecting there to be room for at least 1 entry in the channel-list
      to store the special -1 abort channel-id.
      
      To make this work use an anonymous union with a padding member
      added + the actual channel_list flexible array.
      
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@kernel.org>
      Link: https://lore.kernel.org/r/20230729140500.27892-1-hdegoede@redhat.com
      16e455a4
    • Benjamin Poirier's avatar
      vxlan: Fix nexthop hash size · 0756384f
      Benjamin Poirier authored
      The nexthop code expects a 31 bit hash, such as what is returned by
      fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash
      returned by skb_get_hash() can lead to problems related to the fact that
      'int hash' is a negative number when the MSB is set.
      
      In the case of hash threshold nexthop groups, nexthop_select_path_hthr()
      will disproportionately select the first nexthop group entry. In the case
      of resilient nexthop groups, nexthop_select_path_res() may do an out of
      bounds access in nh_buckets[], for example:
          hash = -912054133
          num_nh_buckets = 2
          bucket_index = 65535
      
      which leads to the following panic:
      
      BUG: unable to handle page fault for address: ffffc900025910c8
      PGD 100000067 P4D 100000067 PUD 10026b067 PMD 0
      Oops: 0002 [#1] PREEMPT SMP KASAN NOPTI
      CPU: 4 PID: 856 Comm: kworker/4:3 Not tainted 6.5.0-rc2+ #34
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
      Workqueue: ipv6_addrconf addrconf_dad_work
      RIP: 0010:nexthop_select_path+0x197/0xbf0
      Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
      RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
      RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
      RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
      R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
      R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
      FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffc900025910c8 CR3: 0000000129d00000 CR4: 0000000000750ee0
      PKRU: 55555554
      Call Trace:
       <TASK>
       ? __die+0x23/0x70
       ? page_fault_oops+0x1ee/0x5c0
       ? __pfx_is_prefetch.constprop.0+0x10/0x10
       ? __pfx_page_fault_oops+0x10/0x10
       ? search_bpf_extables+0xfe/0x1c0
       ? fixup_exception+0x3b/0x470
       ? exc_page_fault+0xf6/0x110
       ? asm_exc_page_fault+0x26/0x30
       ? nexthop_select_path+0x197/0xbf0
       ? nexthop_select_path+0x197/0xbf0
       ? lock_is_held_type+0xe7/0x140
       vxlan_xmit+0x5b2/0x2340
       ? __lock_acquire+0x92b/0x3370
       ? __pfx_vxlan_xmit+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       ? __pfx_register_lock_class+0x10/0x10
       ? skb_network_protocol+0xce/0x2d0
       ? dev_hard_start_xmit+0xca/0x350
       ? __pfx_vxlan_xmit+0x10/0x10
       dev_hard_start_xmit+0xca/0x350
       __dev_queue_xmit+0x513/0x1e20
       ? __pfx___dev_queue_xmit+0x10/0x10
       ? __pfx_lock_release+0x10/0x10
       ? mark_held_locks+0x44/0x90
       ? skb_push+0x4c/0x80
       ? eth_header+0x81/0xe0
       ? __pfx_eth_header+0x10/0x10
       ? neigh_resolve_output+0x215/0x310
       ? ip6_finish_output2+0x2ba/0xc90
       ip6_finish_output2+0x2ba/0xc90
       ? lock_release+0x236/0x3e0
       ? ip6_mtu+0xbb/0x240
       ? __pfx_ip6_finish_output2+0x10/0x10
       ? find_held_lock+0x83/0xa0
       ? lock_is_held_type+0xe7/0x140
       ip6_finish_output+0x1ee/0x780
       ip6_output+0x138/0x460
       ? __pfx_ip6_output+0x10/0x10
       ? __pfx___lock_acquire+0x10/0x10
       ? __pfx_ip6_finish_output+0x10/0x10
       NF_HOOK.constprop.0+0xc0/0x420
       ? __pfx_NF_HOOK.constprop.0+0x10/0x10
       ? ndisc_send_skb+0x2c0/0x960
       ? __pfx_lock_release+0x10/0x10
       ? __local_bh_enable_ip+0x93/0x110
       ? lock_is_held_type+0xe7/0x140
       ndisc_send_skb+0x4be/0x960
       ? __pfx_ndisc_send_skb+0x10/0x10
       ? mark_held_locks+0x65/0x90
       ? find_held_lock+0x83/0xa0
       ndisc_send_ns+0xb0/0x110
       ? __pfx_ndisc_send_ns+0x10/0x10
       addrconf_dad_work+0x631/0x8e0
       ? lock_acquire+0x180/0x3f0
       ? __pfx_addrconf_dad_work+0x10/0x10
       ? mark_held_locks+0x24/0x90
       process_one_work+0x582/0x9c0
       ? __pfx_process_one_work+0x10/0x10
       ? __pfx_do_raw_spin_lock+0x10/0x10
       ? mark_held_locks+0x24/0x90
       worker_thread+0x93/0x630
       ? __kthread_parkme+0xdc/0x100
       ? __pfx_worker_thread+0x10/0x10
       kthread+0x1a5/0x1e0
       ? __pfx_kthread+0x10/0x10
       ret_from_fork+0x34/0x60
       ? __pfx_kthread+0x10/0x10
       ret_from_fork_asm+0x1b/0x30
      RIP: 0000:0x0
      Code: Unable to access opcode bytes at 0xffffffffffffffd6.
      RSP: 0000:0000000000000000 EFLAGS: 00000000 ORIG_RAX: 0000000000000000
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       </TASK>
      Modules linked in:
      CR2: ffffc900025910c8
      ---[ end trace 0000000000000000 ]---
      RIP: 0010:nexthop_select_path+0x197/0xbf0
      Code: c1 e4 05 be 08 00 00 00 4c 8b 35 a4 14 7e 01 4e 8d 6c 25 00 4a 8d 7c 25 08 48 01 dd e8 c2 25 15 ff 49 8d 7d 08 e8 39 13 15 ff <4d> 89 75 08 48 89 ef e8 7d 12 15 ff 48 8b 5d 00 e8 14 55 2f 00 85
      RSP: 0018:ffff88810c36f260 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 00000000002000c0 RCX: ffffffffaf02dd77
      RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffc900025910c8
      RBP: ffffc900025910c0 R08: 0000000000000001 R09: fffff520004b2219
      R10: ffffc900025910cf R11: 31392d2068736168 R12: 00000000002000c0
      R13: ffffc900025910c0 R14: 00000000fffef608 R15: ffff88811840e900
      FS:  0000000000000000(0000) GS:ffff8881f7000000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffffffffd6 CR3: 0000000129d00000 CR4: 0000000000750ee0
      PKRU: 55555554
      Kernel panic - not syncing: Fatal exception in interrupt
      Kernel Offset: 0x2ca00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fix this problem by ensuring the MSB of hash is 0 using a right shift - the
      same approach used in fib_multipath_hash() and rt6_multipath_hash().
      
      Fixes: 1274e1cc ("vxlan: ecmp support for mac fdb entries")
      Signed-off-by: default avatarBenjamin Poirier <bpoirier@nvidia.com>
      Reviewed-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0756384f
    • Yue Haibing's avatar
      ip6mr: Fix skb_under_panic in ip6mr_cache_report() · 30e0191b
      Yue Haibing authored
      skbuff: skb_under_panic: text:ffffffff88771f69 len:56 put:-4
       head:ffff88805f86a800 data:ffff887f5f86a850 tail:0x88 end:0x2c0 dev:pim6reg
       ------------[ cut here ]------------
       kernel BUG at net/core/skbuff.c:192!
       invalid opcode: 0000 [#1] PREEMPT SMP KASAN
       CPU: 2 PID: 22968 Comm: kworker/2:11 Not tainted 6.5.0-rc3-00044-g0a8db05b #236
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
       Workqueue: ipv6_addrconf addrconf_dad_work
       RIP: 0010:skb_panic+0x152/0x1d0
       Call Trace:
        <TASK>
        skb_push+0xc4/0xe0
        ip6mr_cache_report+0xd69/0x19b0
        reg_vif_xmit+0x406/0x690
        dev_hard_start_xmit+0x17e/0x6e0
        __dev_queue_xmit+0x2d6a/0x3d20
        vlan_dev_hard_start_xmit+0x3ab/0x5c0
        dev_hard_start_xmit+0x17e/0x6e0
        __dev_queue_xmit+0x2d6a/0x3d20
        neigh_connected_output+0x3ed/0x570
        ip6_finish_output2+0x5b5/0x1950
        ip6_finish_output+0x693/0x11c0
        ip6_output+0x24b/0x880
        NF_HOOK.constprop.0+0xfd/0x530
        ndisc_send_skb+0x9db/0x1400
        ndisc_send_rs+0x12a/0x6c0
        addrconf_dad_completed+0x3c9/0xea0
        addrconf_dad_work+0x849/0x1420
        process_one_work+0xa22/0x16e0
        worker_thread+0x679/0x10c0
        ret_from_fork+0x28/0x60
        ret_from_fork_asm+0x11/0x20
      
      When setup a vlan device on dev pim6reg, DAD ns packet may sent on reg_vif_xmit().
      reg_vif_xmit()
          ip6mr_cache_report()
              skb_push(skb, -skb_network_offset(pkt));//skb_network_offset(pkt) is 4
      And skb_push declared as:
      	void *skb_push(struct sk_buff *skb, unsigned int len);
      		skb->data -= len;
      		//0xffff88805f86a84c - 0xfffffffc = 0xffff887f5f86a850
      skb->data is set to 0xffff887f5f86a850, which is invalid mem addr, lead to skb_push() fails.
      
      Fixes: 14fb64e1 ("[IPV6] MROUTE: Support PIM-SM (SSM).")
      Signed-off-by: default avatarYue Haibing <yuehaibing@huawei.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30e0191b
    • Alexandra Winter's avatar
      s390/qeth: Don't call dev_close/dev_open (DOWN/UP) · 1cfef80d
      Alexandra Winter authored
      dev_close() and dev_open() are issued to change the interface state to DOWN
      or UP (dev->flags IFF_UP). When the netdev is set DOWN it loses e.g its
      Ipv6 addresses and routes. We don't want this in cases of device recovery
      (triggered by hardware or software) or when the qeth device is set
      offline.
      
      Setting a qeth device offline or online and device recovery actions call
      netif_device_detach() and/or netif_device_attach(). That will reset or
      set the LOWER_UP indication i.e. change the dev->state Bit
      __LINK_STATE_PRESENT. That is enough to e.g. cause bond failovers, and
      still preserves the interface settings that are handled by the network
      stack.
      
      Don't call dev_open() nor dev_close() from the qeth device driver. Let the
      network stack handle this.
      
      Fixes: d4560150 ("s390/qeth: call dev_close() during recovery")
      Signed-off-by: default avatarAlexandra Winter <wintera@linux.ibm.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1cfef80d
    • David S. Miller's avatar
      Merge branch 'tun-tap-uid' · 666c135b
      David S. Miller authored
      Laszlo Ersek says:
      
      ====================
      tun/tap: set sk_uid from current_fsuid()
      
      The original patches fixing CVE-2023-1076 are incorrect in my opinion.
      This small series fixes them up; see the individual commit messages for
      explanation.
      
      I have a very elaborate test procedure demonstrating the problem for
      both tun and tap; it involves libvirt, qemu, and "crash". I can share
      that procedure if necessary, but it's indeed quite long (I wrote it
      originally for our QE team).
      
      The patches in this series are supposed to "re-fix" CVE-2023-1076; given
      that said CVE is classified as Low Impact (CVSSv3=5.5), I'm posting this
      publicly, and not suggesting any embargo. Red Hat Product Security may
      assign a new CVE number later.
      
      I've tested the patches on top of v6.5-rc4, with "crash" built at commit
      c74f375e0ef7.
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      666c135b
    • Laszlo Ersek's avatar
      net: tap_open(): set sk_uid from current_fsuid() · 5c9241f3
      Laszlo Ersek authored
      Commit 66b2c338 initializes the "sk_uid" field in the protocol socket
      (struct sock) from the "/dev/tapX" device node's owner UID. Per original
      commit 86741ec2 ("net: core: Add a UID field to struct sock.",
      2016-11-04), that's wrong: the idea is to cache the UID of the userspace
      process that creates the socket. Commit 86741ec2 mentions socket() and
      accept(); with "tap", the action that creates the socket is
      open("/dev/tapX").
      
      Therefore the device node's owner UID is irrelevant. In most cases,
      "/dev/tapX" will be owned by root, so in practice, commit 66b2c338 has
      no observable effect:
      
      - before, "sk_uid" would be zero, due to undefined behavior
        (CVE-2023-1076),
      
      - after, "sk_uid" would be zero, due to "/dev/tapX" being owned by root.
      
      What matters is the (fs)UID of the process performing the open(), so cache
      that in "sk_uid".
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: 66b2c338 ("tap: tap_open(): correctly initialize socket uid")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: default avatarLaszlo Ersek <lersek@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c9241f3
    • Laszlo Ersek's avatar
      net: tun_chr_open(): set sk_uid from current_fsuid() · 9bc30473
      Laszlo Ersek authored
      Commit a096ccca initializes the "sk_uid" field in the protocol socket
      (struct sock) from the "/dev/net/tun" device node's owner UID. Per
      original commit 86741ec2 ("net: core: Add a UID field to struct
      sock.", 2016-11-04), that's wrong: the idea is to cache the UID of the
      userspace process that creates the socket. Commit 86741ec2 mentions
      socket() and accept(); with "tun", the action that creates the socket is
      open("/dev/net/tun").
      
      Therefore the device node's owner UID is irrelevant. In most cases,
      "/dev/net/tun" will be owned by root, so in practice, commit a096ccca
      has no observable effect:
      
      - before, "sk_uid" would be zero, due to undefined behavior
        (CVE-2023-1076),
      
      - after, "sk_uid" would be zero, due to "/dev/net/tun" being owned by root.
      
      What matters is the (fs)UID of the process performing the open(), so cache
      that in "sk_uid".
      
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Lorenzo Colitti <lorenzo@google.com>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Pietro Borrello <borrello@diag.uniroma1.it>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: a096ccca ("tun: tun_chr_open(): correctly initialize socket uid")
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2173435Signed-off-by: default avatarLaszlo Ersek <lersek@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9bc30473
    • Lin Ma's avatar
      net: dcb: choose correct policy to parse DCB_ATTR_BCN · 31d49ba0
      Lin Ma authored
      The dcbnl_bcn_setcfg uses erroneous policy to parse tb[DCB_ATTR_BCN],
      which is introduced in commit 859ee3c4 ("DCB: Add support for DCB
      BCN"). Please see the comment in below code
      
      static int dcbnl_bcn_setcfg(...)
      {
        ...
        ret = nla_parse_nested_deprecated(..., dcbnl_pfc_up_nest, .. )
        // !!! dcbnl_pfc_up_nest for attributes
        //  DCB_PFC_UP_ATTR_0 to DCB_PFC_UP_ATTR_ALL in enum dcbnl_pfc_up_attrs
        ...
        for (i = DCB_BCN_ATTR_RP_0; i <= DCB_BCN_ATTR_RP_7; i++) {
        // !!! DCB_BCN_ATTR_RP_0 to DCB_BCN_ATTR_RP_7 in enum dcbnl_bcn_attrs
          ...
          value_byte = nla_get_u8(data[i]);
          ...
        }
        ...
        for (i = DCB_BCN_ATTR_BCNA_0; i <= DCB_BCN_ATTR_RI; i++) {
        // !!! DCB_BCN_ATTR_BCNA_0 to DCB_BCN_ATTR_RI in enum dcbnl_bcn_attrs
        ...
          value_int = nla_get_u32(data[i]);
        ...
        }
        ...
      }
      
      That is, the nla_parse_nested_deprecated uses dcbnl_pfc_up_nest
      attributes to parse nlattr defined in dcbnl_pfc_up_attrs. But the
      following access code fetch each nlattr as dcbnl_bcn_attrs attributes.
      By looking up the associated nla_policy for dcbnl_bcn_attrs. We can find
      the beginning part of these two policies are "same".
      
      static const struct nla_policy dcbnl_pfc_up_nest[...] = {
              [DCB_PFC_UP_ATTR_0]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_1]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_2]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_3]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_4]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_5]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_6]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_7]   = {.type = NLA_U8},
              [DCB_PFC_UP_ATTR_ALL] = {.type = NLA_FLAG},
      };
      
      static const struct nla_policy dcbnl_bcn_nest[...] = {
              [DCB_BCN_ATTR_RP_0]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_1]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_2]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_3]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_4]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_5]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_6]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_7]         = {.type = NLA_U8},
              [DCB_BCN_ATTR_RP_ALL]       = {.type = NLA_FLAG},
              // from here is somewhat different
              [DCB_BCN_ATTR_BCNA_0]       = {.type = NLA_U32},
              ...
              [DCB_BCN_ATTR_ALL]          = {.type = NLA_FLAG},
      };
      
      Therefore, the current code is buggy and this
      nla_parse_nested_deprecated could overflow the dcbnl_pfc_up_nest and use
      the adjacent nla_policy to parse attributes from DCB_BCN_ATTR_BCNA_0.
      
      Hence use the correct policy dcbnl_bcn_nest to parse the nested
      tb[DCB_ATTR_BCN] TLV.
      
      Fixes: 859ee3c4 ("DCB: Add support for DCB BCN")
      Signed-off-by: default avatarLin Ma <linma@zju.edu.cn>
      Reviewed-by: default avatarSimon Horman <horms@kernel.org>
      Link: https://lore.kernel.org/r/20230801013248.87240-1-linma@zju.edu.cnSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      31d49ba0
  3. 01 Aug, 2023 14 commits
  4. 31 Jul, 2023 3 commits