rtnetlink: Remove VLA usage

In the quest to remove all stack VLA usage from the kernel[1], this
allocates the maximum size expected for all possible types and adds
sanity-checks at both registration and usage to make sure nothing gets
out of sync. This matches the proposed VLA solution for nfnetlink[2]. The
values chosen here were based on finding assignments for .maxtype and
.slave_maxtype and manually counting the enums:

slave_maxtype (max 33):
	IFLA_BRPORT_MAX     33
	IFLA_BOND_SLAVE_MAX  9

maxtype (max 45):
	IFLA_BOND_MAX       28
	IFLA_BR_MAX         45
	__IFLA_CAIF_HSI_MAX  8
	IFLA_CAIF_MAX        4
	IFLA_CAN_MAX        16
	IFLA_GENEVE_MAX     12
	IFLA_GRE_MAX        25
	IFLA_GTP_MAX         5
	IFLA_HSR_MAX         7
	IFLA_IPOIB_MAX       4
	IFLA_IPTUN_MAX      21
	IFLA_IPVLAN_MAX      3
	IFLA_MACSEC_MAX     15
	IFLA_MACVLAN_MAX     7
	IFLA_PPP_MAX         2
	__IFLA_RMNET_MAX     4
	IFLA_VLAN_MAX        6
	IFLA_VRF_MAX         2
	IFLA_VTI_MAX         7
	IFLA_VXLAN_MAX      28
	VETH_INFO_MAX        2
	VXCAN_INFO_MAX       2

This additionally changes maxtype and slave_maxtype fields to unsigned,
since they're only ever using positive values.

[1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
[2] https://patchwork.kernel.org/patch/10439647/

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Kees Cook 2018-05-30 15:20:52 -07:00 committed by David S. Miller
parent 7bb8c9969d
commit ccf8dbcd06
2 changed files with 18 additions and 4 deletions

View File

@ -64,7 +64,7 @@ struct rtnl_link_ops {
size_t priv_size; size_t priv_size;
void (*setup)(struct net_device *dev); void (*setup)(struct net_device *dev);
int maxtype; unsigned int maxtype;
const struct nla_policy *policy; const struct nla_policy *policy;
int (*validate)(struct nlattr *tb[], int (*validate)(struct nlattr *tb[],
struct nlattr *data[], struct nlattr *data[],
@ -92,7 +92,7 @@ struct rtnl_link_ops {
unsigned int (*get_num_tx_queues)(void); unsigned int (*get_num_tx_queues)(void);
unsigned int (*get_num_rx_queues)(void); unsigned int (*get_num_rx_queues)(void);
int slave_maxtype; unsigned int slave_maxtype;
const struct nla_policy *slave_policy; const struct nla_policy *slave_policy;
int (*slave_changelink)(struct net_device *dev, int (*slave_changelink)(struct net_device *dev,
struct net_device *slave_dev, struct net_device *slave_dev,

View File

@ -59,6 +59,9 @@
#include <net/rtnetlink.h> #include <net/rtnetlink.h>
#include <net/net_namespace.h> #include <net/net_namespace.h>
#define RTNL_MAX_TYPE 48
#define RTNL_SLAVE_MAX_TYPE 36
struct rtnl_link { struct rtnl_link {
rtnl_doit_func doit; rtnl_doit_func doit;
rtnl_dumpit_func dumpit; rtnl_dumpit_func dumpit;
@ -389,6 +392,11 @@ int rtnl_link_register(struct rtnl_link_ops *ops)
{ {
int err; int err;
/* Sanity-check max sizes to avoid stack buffer overflow. */
if (WARN_ON(ops->maxtype > RTNL_MAX_TYPE ||
ops->slave_maxtype > RTNL_SLAVE_MAX_TYPE))
return -EINVAL;
rtnl_lock(); rtnl_lock();
err = __rtnl_link_register(ops); err = __rtnl_link_register(ops);
rtnl_unlock(); rtnl_unlock();
@ -2902,13 +2910,16 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
} }
if (1) { if (1) {
struct nlattr *attr[ops ? ops->maxtype + 1 : 1]; struct nlattr *attr[RTNL_MAX_TYPE + 1];
struct nlattr *slave_attr[m_ops ? m_ops->slave_maxtype + 1 : 1]; struct nlattr *slave_attr[RTNL_SLAVE_MAX_TYPE + 1];
struct nlattr **data = NULL; struct nlattr **data = NULL;
struct nlattr **slave_data = NULL; struct nlattr **slave_data = NULL;
struct net *dest_net, *link_net = NULL; struct net *dest_net, *link_net = NULL;
if (ops) { if (ops) {
if (ops->maxtype > RTNL_MAX_TYPE)
return -EINVAL;
if (ops->maxtype && linkinfo[IFLA_INFO_DATA]) { if (ops->maxtype && linkinfo[IFLA_INFO_DATA]) {
err = nla_parse_nested(attr, ops->maxtype, err = nla_parse_nested(attr, ops->maxtype,
linkinfo[IFLA_INFO_DATA], linkinfo[IFLA_INFO_DATA],
@ -2925,6 +2936,9 @@ static int rtnl_newlink(struct sk_buff *skb, struct nlmsghdr *nlh,
} }
if (m_ops) { if (m_ops) {
if (ops->slave_maxtype > RTNL_SLAVE_MAX_TYPE)
return -EINVAL;
if (m_ops->slave_maxtype && if (m_ops->slave_maxtype &&
linkinfo[IFLA_INFO_SLAVE_DATA]) { linkinfo[IFLA_INFO_SLAVE_DATA]) {
err = nla_parse_nested(slave_attr, err = nla_parse_nested(slave_attr,