Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.3 2023-01-21T01:52:32Z 2023-01-21T01:52:32Z Eric Dumazet edumazet@google.com 2023-01-19T11:01:50Z urn:sha1:f0950402e8c76e7dcb08563f1b4e8000fbc62455 Most netlink attributes are parsed and validated from __nla_validate_parse() or validate_nla() u16 type = nla_type(nla); if (type == 0 || type > maxtype) { /* error or continue */ } @type is then used as an array index and can be used as a Spectre v1 gadget. array_index_nospec() can be used to prevent leaking content of kernel memory to malicious users. This should take care of vast majority of netlink uses, but an audit is needed to take care of others where validation is not yet centralized in core netlink functions. Fixes: bfa83a9e03cf ("[NETLINK]: Type-safe netlink messages/attributes interface") Signed-off-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20230119110150.2678537-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-11-08T23:06:56Z Yang Li yang.lee@linux.alibaba.com 2022-11-07T06:26:23Z urn:sha1:8e18be7610aebea50e9327c11afcd5eeaaa06644 Make the description of @policy to @p in nla_policy_len() to clear the below warnings: lib/nlattr.c:660: warning: Function parameter or member 'p' not described in 'nla_policy_len' lib/nlattr.c:660: warning: Excess function parameter 'policy' description in 'nla_policy_len' Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=2736 Reported-by: Abaci Robot <abaci@linux.alibaba.com> Signed-off-by: Yang Li <yang.lee@linux.alibaba.com> Link: https://lore.kernel.org/r/20221107062623.6709-1-yang.lee@linux.alibaba.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-11-02T04:29:06Z Florian Westphal fw@strlen.de 2022-10-31T12:34:07Z urn:sha1:ecaf75ffd5f5db320d8b1da0198eef5a5ce64a3f Jakub reported that the addition of the "network_byte_order" member in struct nla_policy increases size of 32bit platforms. Instead of scraping the bit from elsewhere Johannes suggested to add explicit NLA_BE types instead, so do this here. NLA_POLICY_MAX_BE() macro is removed again, there is no need for it: NLA_POLICY_MAX(NLA_BE.., ..) will do the right thing. NLA_BE64 can be added later. Fixes: 08724ef69907 ("netlink: introduce NLA_POLICY_MAX_BE") Reported-by: Jakub Kicinski <kuba@kernel.org> Suggested-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://lore.kernel.org/r/20221031123407.9158-1-fw@strlen.de Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-09-07T11:33:43Z Florian Westphal fw@strlen.de 2022-09-05T10:09:36Z urn:sha1:08724ef69907214ce622344fe4945412e38368f0 netlink allows to specify allowed ranges for integer types. Unfortunately, nfnetlink passes integers in big endian, so the existing NLA_POLICY_MAX() cannot be used. At the moment, nfnetlink users, such as nf_tables, need to resort to programmatic checking via helpers such as nft_parse_u32_check(). This is both cumbersome and error prone. This adds NLA_POLICY_MAX_BE which adds range check support for BE16, BE32 and BE64 integers. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> 2021-07-08T18:48:20Z Zhen Lei thunder.leizhen@huawei.com 2021-07-08T01:07:31Z urn:sha1:9dbbc3b9d09d6deba9f3b9e1d5b355032ed46a75 Fix some spelling mistakes in comments: permanentely ==> permanently wont ==> won't remaning ==> remaining succed ==> succeed shouldnt ==> shouldn't alpha-numeric ==> alphanumeric storeing ==> storing funtion ==> function documenation ==> documentation Determin ==> Determine intepreted ==> interpreted ammount ==> amount obious ==> obvious interupts ==> interrupts occured ==> occurred asssociated ==> associated taking into acount ==> taking into account squence ==> sequence stil ==> still contiguos ==> contiguous matchs ==> matches Link: https://lkml.kernel.org/r/20210607072555.12416-1-thunder.leizhen@huawei.com Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com> Reviewed-by: Jacob Keller <jacob.e.keller@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2021-05-05T19:48:46Z Maciej Żenczykowski maze@google.com 2021-05-05T16:58:31Z urn:sha1:2c16db6c92b0ee4aa61e88366df82169e83c3f7e Android userspace has been using TCA_KIND with a char[IFNAMESIZ] many-null-terminated buffer containing the string 'bpf'. This works on 4.19 and ceases to work on 5.10. I'm not entirely sure what fixes tag to use, but I think the issue was likely introduced in the below mentioned 5.4 commit. Reported-by: Nucca Chen <nuccachen@google.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: David Ahern <dsahern@gmail.com> Cc: David S. Miller <davem@davemloft.net> Cc: Jakub Kicinski <jakub.kicinski@netronome.com> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Jiri Pirko <jiri@mellanox.com> Cc: Jiri Pirko <jiri@resnulli.us> Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND") Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b Signed-off-by: David S. Miller <davem@davemloft.net> 2020-12-16T08:24:16Z Linus Torvalds torvalds@linux-foundation.org 2020-12-16T08:24:16Z urn:sha1:5e60366d56c630e32befce7ef05c569e04391ca3 Pull fallthrough fixes from Gustavo A. R. Silva: "Fix many fall-through warnings when building with Clang 12.0.0 using -Wimplicit-fallthrough. - powerpc: boot: include compiler_attributes.h (Nick Desaulniers) - Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" (Nick Desaulniers) - powerpc: fix -Wimplicit-fallthrough (Nick Desaulniers) - lib: Fix fall-through warnings for Clang (Gustavo A. R. Silva)" * tag 'fallthrough-fixes-clang-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux: lib: Fix fall-through warnings for Clang powerpc: fix -Wimplicit-fallthrough Revert "lib: Revert use of fallthrough pseudo-keyword in lib/" powerpc: boot: include compiler_attributes.h 2020-11-19T13:23:47Z Gustavo A. R. Silva gustavoars@kernel.org 2020-11-19T13:11:44Z urn:sha1:36f9ff9e03de89691274a6aec45aa079bd3ae405 In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple warnings by explicitly adding multiple break statements instead of letting the code fall through to the next case, and by replacing a number of /* fall through */ comments with the new pseudo-keyword macro fallthrough. Notice that Clang doesn't recognize /* Fall through */ comments as implicit fall-through markings. Link: https://github.com/KSPP/linux/issues/115 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> 2020-11-16T16:08:54Z Francis Laniel laniel_francis@privacyrequired.com 2020-11-15T17:08:06Z urn:sha1:872f690341948b502c93318f806d821c56772c42 Calls to nla_strlcpy are now replaced by calls to nla_strscpy which is the new name of this function. Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2020-11-16T16:08:54Z Francis Laniel laniel_francis@privacyrequired.com 2020-11-15T17:08:05Z urn:sha1:9ca718743ad8402958637bfc196d7b62371a1b9f nla_strlcpy now returns -E2BIG if src was truncated when written to dst. It also returns this error value if dstsize is 0 or higher than INT_MAX. For example, if src is "foo\0" and dst is 3 bytes long, the result will be: 1. "foG" after memcpy (G means garbage). 2. "fo\0" after memset. 3. -E2BIG is returned because src was not completely written into dst. The callers of nla_strlcpy were modified to take into account this modification. Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org>