[PATCH net 0/5] net: Length checks for attributes within multipath routes

[PATCH net 0/5] net: Length checks for attributes within multipath routes

[David Ahern]

Add length checks for attributes within a multipath route (attributes
within RTA_MULTIPATH). Motivated by the syzbot report in patch 1 and
then expanded to other attributes as noted by Ido.

David Ahern (5):
  ipv4: Check attribute length for RTA_GATEWAY in multipath route
  ipv4: Check attribute length for RTA_FLOW in multipath route
  ipv6: Check attribute length for RTA_GATEWAY in multipath route
  ipv6: Check attribute length for RTA_GATEWAY when deleting multipath
    route
  lwtunnel: Validate RTA_ENCAP_TYPE attribute is at least 2 bytes

 net/core/lwtunnel.c      |  4 ++++
 net/ipv4/fib_semantics.c | 49 +++++++++++++++++++++++++++++++++++-----
 net/ipv6/route.c         | 31 +++++++++++++++++++++++--
 3 files changed, 76 insertions(+), 8 deletions(-)

-- 
2.24.3 (Apple Git-128)

[PATCH net 1/5] ipv4: Check attribute length for RTA_GATEWAY in multipath route

[David Ahern]

syzbot reported uninit-value:
============================================================
  BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
  net/ipv4/fib_semantics.c:708
   fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
   fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
   fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
   inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886

Add helper to validate RTA_GATEWAY length before using the attribute.

Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com
Signed-off-by: David Ahern <dsahern@kernel.org>
Cc: Thomas Graf <tgraf@suug.ch>
---
 net/ipv4/fib_semantics.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index fde7797b5806..f1caa2c1c041 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -662,6 +662,19 @@ static int fib_count_nexthops(struct rtnexthop *rtnh, int remaining,
 	return nhs;
 }
 
+static int fib_gw_from_attr(__be32 *gw, struct nlattr *nla,
+			    struct netlink_ext_ack *extack)
+{
+	if (nla_len(nla) < sizeof(*gw)) {
+		NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
+		return -EINVAL;
+	}
+
+	*gw = nla_get_in_addr(nla);
+
+	return 0;
+}
+
 /* only called when fib_nh is integrated into fib_info */
 static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 		       int remaining, struct fib_config *cfg,
@@ -704,7 +717,11 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 				return -EINVAL;
 			}
 			if (nla) {
-				fib_cfg.fc_gw4 = nla_get_in_addr(nla);
+				ret = fib_gw_from_attr(&fib_cfg.fc_gw4, nla,
+						       extack);
+				if (ret)
+					goto errout;
+
 				if (fib_cfg.fc_gw4)
 					fib_cfg.fc_gw_family = AF_INET;
 			} else if (nlav) {
@@ -902,6 +919,7 @@ int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
 		attrlen = rtnh_attrlen(rtnh);
 		if (attrlen > 0) {
 			struct nlattr *nla, *nlav, *attrs = rtnh_attrs(rtnh);
+			int err;
 
 			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
 			nlav = nla_find(attrs, attrlen, RTA_VIA);
@@ -912,12 +930,17 @@ int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
 			}
 
 			if (nla) {
+				__be32 gw;
+
+				err = fib_gw_from_attr(&gw, nla, extack);
+				if (err)
+					return err;
+
 				if (nh->fib_nh_gw_family != AF_INET ||
-				    nla_get_in_addr(nla) != nh->fib_nh_gw4)
+				    gw != nh->fib_nh_gw4)
 					return 1;
 			} else if (nlav) {
 				struct fib_config cfg2;
-				int err;
 
 				err = fib_gw_from_via(&cfg2, nlav, extack);
 				if (err)
-- 
2.24.3 (Apple Git-128)

[PATCH net 2/5] ipv4: Check attribute length for RTA_FLOW in multipath route

[David Ahern]

Make sure RTA_FLOW is at least 4B before using.

Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
Signed-off-by: David Ahern <dsahern@kernel.org>
---
 net/ipv4/fib_semantics.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index f1caa2c1c041..36bc429f1635 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -731,8 +731,13 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 			}
 
 			nla = nla_find(attrs, attrlen, RTA_FLOW);
-			if (nla)
+			if (nla) {
+				if (nla_len(nla) < sizeof(u32)) {
+					NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW");
+					return -EINVAL;
+				}
 				fib_cfg.fc_flow = nla_get_u32(nla);
+			}
 
 			fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
 			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
@@ -963,8 +968,14 @@ int fib_nh_match(struct net *net, struct fib_config *cfg, struct fib_info *fi,
 
 #ifdef CONFIG_IP_ROUTE_CLASSID
 			nla = nla_find(attrs, attrlen, RTA_FLOW);
-			if (nla && nla_get_u32(nla) != nh->nh_tclassid)
-				return 1;
+			if (nla) {
+				if (nla_len(nla) < sizeof(u32)) {
+					NL_SET_ERR_MSG(extack, "Invalid RTA_FLOW");
+					return -EINVAL;
+				}
+				if (nla_get_u32(nla) != nh->nh_tclassid)
+					return 1;
+			}
 #endif
 		}
 
-- 
2.24.3 (Apple Git-128)

[PATCH net 3/5] ipv6: Check attribute length for RTA_GATEWAY in multipath route

[David Ahern]

Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as
does the current nla_get_in6_addr. nla_memcpy protects against accessing
memory greater than what is in the attribute, but there is no check
requiring the attribute to have an IPv6 address. Add it.

Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
Signed-off-by: David Ahern <dsahern@kernel.org>
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 net/ipv6/route.c | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 42d60c76d30a..d16599c225b8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5224,6 +5224,19 @@ static bool ip6_route_mpath_should_notify(const struct fib6_info *rt)
 	return should_notify;
 }
 
+static int fib6_gw_from_attr(struct in6_addr *gw, struct nlattr *nla,
+			     struct netlink_ext_ack *extack)
+{
+	if (nla_len(nla) < sizeof(*gw)) {
+		NL_SET_ERR_MSG(extack, "Invalid IPv6 address in RTA_GATEWAY");
+		return -EINVAL;
+	}
+
+	*gw = nla_get_in6_addr(nla);
+
+	return 0;
+}
+
 static int ip6_route_multipath_add(struct fib6_config *cfg,
 				   struct netlink_ext_ack *extack)
 {
@@ -5264,7 +5277,13 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
 
 			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
 			if (nla) {
-				r_cfg.fc_gateway = nla_get_in6_addr(nla);
+				int ret;
+
+				ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
+							extack);
+				if (ret)
+					return ret;
+
 				r_cfg.fc_flags |= RTF_GATEWAY;
 			}
 			r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
-- 
2.24.3 (Apple Git-128)

[PATCH net 4/5] ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route

[David Ahern]

Make sure RTA_GATEWAY for IPv6 multipath route has enough bytes to hold
an IPv6 address.

Fixes: 6b9ea5a64ed5 ("ipv6: fix multipath route replace error recovery")
Signed-off-by: David Ahern <dsahern@kernel.org>
Cc: Roopa Prabhu <roopa@nvidia.com>
---
 net/ipv6/route.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d16599c225b8..b311c0bc9983 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5453,7 +5453,11 @@ static int ip6_route_multipath_del(struct fib6_config *cfg,
 
 			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
 			if (nla) {
-				nla_memcpy(&r_cfg.fc_gateway, nla, 16);
+				err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
+							extack);
+				if (err)
+					return err;
+
 				r_cfg.fc_flags |= RTF_GATEWAY;
 			}
 		}
-- 
2.24.3 (Apple Git-128)

[PATCH net 5/5] lwtunnel: Validate RTA_ENCAP_TYPE attribute length

[David Ahern]

lwtunnel_valid_encap_type_attr is used to validate encap attributes
within a multipath route. Add length validation checking to the type.

lwtunnel_valid_encap_type_attr is called converting attributes to
fib{6,}_config struct which means it is used before fib_get_nhs,
ip6_route_multipath_add, and ip6_route_multipath_del - other
locations that use rtnh_ok and then nla_get_u16 on RTA_ENCAP_TYPE
attribute.

Fixes: 9ed59592e3e3 ("lwtunnel: fix autoload of lwt modules")

Signed-off-by: David Ahern <dsahern@kernel.org>
---
 net/core/lwtunnel.c      | 4 ++++
 net/ipv4/fib_semantics.c | 3 +++
 net/ipv6/route.c         | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c
index 2820aca2173a..9ccd64e8a666 100644
--- a/net/core/lwtunnel.c
+++ b/net/core/lwtunnel.c
@@ -197,6 +197,10 @@ int lwtunnel_valid_encap_type_attr(struct nlattr *attr, int remaining,
 			nla_entype = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
 
 			if (nla_entype) {
+				if (nla_len(nla_entype) < sizeof(u16)) {
+					NL_SET_ERR_MSG(extack, "Invalid RTA_ENCAP_TYPE");
+					return -EINVAL;
+				}
 				encap_type = nla_get_u16(nla_entype);
 
 				if (lwtunnel_valid_encap_type(encap_type,
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 36bc429f1635..92c29ab3d042 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -740,6 +740,9 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 			}
 
 			fib_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+			/* RTA_ENCAP_TYPE length checked in
+			 * lwtunnel_valid_encap_type_attr
+			 */
 			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
 			if (nla)
 				fib_cfg.fc_encap_type = nla_get_u16(nla);
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index b311c0bc9983..d2ff8a7e1709 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5287,6 +5287,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
 				r_cfg.fc_flags |= RTF_GATEWAY;
 			}
 			r_cfg.fc_encap = nla_find(attrs, attrlen, RTA_ENCAP);
+
+			/* RTA_ENCAP_TYPE length checked in
+			 * lwtunnel_valid_encap_type_attr
+			 */
 			nla = nla_find(attrs, attrlen, RTA_ENCAP_TYPE);
 			if (nla)
 				r_cfg.fc_encap_type = nla_get_u16(nla);
-- 
2.24.3 (Apple Git-128)

Re: [PATCH net 0/5] net: Length checks for attributes within multipath routes

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Thu, 30 Dec 2021 17:36:30 -0700 you wrote:
> Add length checks for attributes within a multipath route (attributes
> within RTA_MULTIPATH). Motivated by the syzbot report in patch 1 and
> then expanded to other attributes as noted by Ido.
> 
> David Ahern (5):
>   ipv4: Check attribute length for RTA_GATEWAY in multipath route
>   ipv4: Check attribute length for RTA_FLOW in multipath route
>   ipv6: Check attribute length for RTA_GATEWAY in multipath route
>   ipv6: Check attribute length for RTA_GATEWAY when deleting multipath
>     route
>   lwtunnel: Validate RTA_ENCAP_TYPE attribute is at least 2 bytes
> 
> [...]

Here is the summary with links:
  - [net,1/5] ipv4: Check attribute length for RTA_GATEWAY in multipath route
    https://git.kernel.org/netdev/net/c/7a3429bace0e
  - [net,2/5] ipv4: Check attribute length for RTA_FLOW in multipath route
    https://git.kernel.org/netdev/net/c/664b9c4b7392
  - [net,3/5] ipv6: Check attribute length for RTA_GATEWAY in multipath route
    https://git.kernel.org/netdev/net/c/4619bcf91399
  - [net,4/5] ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
    https://git.kernel.org/netdev/net/c/1ff15a710a86
  - [net,5/5] lwtunnel: Validate RTA_ENCAP_TYPE attribute length
    https://git.kernel.org/netdev/net/c/8bda81a4d400

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

Re: [PATCH net 3/5] ipv6: Check attribute length for RTA_GATEWAY in multipath route

[Nicolas Dichtel]

Le 31/12/2021 à 01:36, David Ahern a écrit :
> Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as
> does the current nla_get_in6_addr. nla_memcpy protects against accessing
> memory greater than what is in the attribute, but there is no check
> requiring the attribute to have an IPv6 address. Add it.
> 
> Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
> Signed-off-by: David Ahern <dsahern@kernel.org>
> Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---
>  net/ipv6/route.c | 21 ++++++++++++++++++++-
>  1 file changed, 20 insertions(+), 1 deletion(-)
> 
[snip]
> @@ -5264,7 +5277,13 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
>  
>  			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
>  			if (nla) {
> -				r_cfg.fc_gateway = nla_get_in6_addr(nla);
> +				int ret;
> +
> +				ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
> +							extack);
> +				if (ret)
> +					return ret;
A 'goto cleanup;' is needed is case of error.

Re: [PATCH net 4/5] ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route

[Nicolas Dichtel]

Le 31/12/2021 à 01:36, David Ahern a écrit :
> Make sure RTA_GATEWAY for IPv6 multipath route has enough bytes to hold
> an IPv6 address.
> 
> Fixes: 6b9ea5a64ed5 ("ipv6: fix multipath route replace error recovery")
> Signed-off-by: David Ahern <dsahern@kernel.org>
> Cc: Roopa Prabhu <roopa@nvidia.com>
> ---
>  net/ipv6/route.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index d16599c225b8..b311c0bc9983 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -5453,7 +5453,11 @@ static int ip6_route_multipath_del(struct fib6_config *cfg,
>  
>  			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
>  			if (nla) {
> -				nla_memcpy(&r_cfg.fc_gateway, nla, 16);
> +				err = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
> +							extack);
> +				if (err)
> +					return err;
When ip6_route_del() fails, the loop continue. For consistency, maybr it could
be good to do the same for this error.

Re: [PATCH net 3/5] ipv6: Check attribute length for RTA_GATEWAY in multipath route

[David Ahern]

On 12/31/21 8:30 AM, Nicolas Dichtel wrote:
> Le 31/12/2021 à 01:36, David Ahern a écrit :
>> Commit referenced in the Fixes tag used nla_memcpy for RTA_GATEWAY as
>> does the current nla_get_in6_addr. nla_memcpy protects against accessing
>> memory greater than what is in the attribute, but there is no check
>> requiring the attribute to have an IPv6 address. Add it.
>>
>> Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
>> Signed-off-by: David Ahern <dsahern@kernel.org>
>> Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> ---
>>  net/ipv6/route.c | 21 ++++++++++++++++++++-
>>  1 file changed, 20 insertions(+), 1 deletion(-)
>>
> [snip]
>> @@ -5264,7 +5277,13 @@ static int ip6_route_multipath_add(struct fib6_config *cfg,
>>  
>>  			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
>>  			if (nla) {
>> -				r_cfg.fc_gateway = nla_get_in6_addr(nla);
>> +				int ret;
>> +
>> +				ret = fib6_gw_from_attr(&r_cfg.fc_gateway, nla,
>> +							extack);
>> +				if (ret)
>> +					return ret;
> A 'goto cleanup;' is needed is case of error.

good catch; will send a followup.