Michael S. Tsirkin
2023-Jul-23 09:55 UTC
[PATCH v1] vdpa: Complement vdpa_nl_policy for nlattr length check
On Sun, Jul 23, 2023 at 05:33:54PM +0800, Lin Ma wrote:> Hello Michael, > > > > > > > The vdpa_nl_policy structure is used to validate the nlattr when parsing > > > the incoming nlmsg. It will ensure the attribute being described produces > > > a valid nlattr pointer in info->attrs before entering into each handler > > > in vdpa_nl_ops. > > > > > > That is to say, the missing part in vdpa_nl_policy may lead to illegal > > > nlattr after parsing, which could lead to OOB read just like CVE-2023-3773. > > > > Hmm. > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3773 > > > > ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided. > > > > Yeah, that CVE is assigned while fix not upstream yet. FYI, the fix is pending too. > See, https://marc.info/?l=linux-kernel&m=169009801131058&w=2. > > > > > > This patch adds three missing nla_policy to avoid such bugs. > > > > > > Fixes: 90fea5a800c3 ("vdpa: device feature provisioning") > > > Fixes: 13b00b135665 ("vdpa: Add support for querying vendor statistics") > > > Fixes: ad69dd0bf26b ("vdpa: Introduce query of device config layout") > > > Signed-off-by: Lin Ma <linma at zju.edu.cn> > > > > I don't know how OOB triggers but this duplication is problematic I > > think: we are likely to forget again in the future. Isn't there a way > > to block everything that is not listed? > > > > Sure, that is another undergoing task I'm working on. If the nlattr is parsed with > NL_VALIDATE_UNSPEC, any forgotten nlattr will be rejected, therefore (which is the default > for modern nla_parse). The problem here is that there are still consumers for > nla_parse_deprecated. And we cannot simply replace all *_deprecated to modern ones > as it may break userspace. See the commit message in 8cb081746c03 ("netlink: make > validation more configurable for future strictness") > > I believe if we can do enough test against userspace toolchains, we can ultimately > upgrade all *_depprecated parsers to modern ones, which costs time and efforts. This > send patch is a much simpler (but temporary) solution for now. > > Regards > LinHmm but vdpa does not use nla_parse_deprecated does it? And in fact was introduced after 8cb081746c031fb164089322e2336a0bf5b3070c. So why is there an issue in vdpa? -- MST