Patch "net/sched: flower: fix possible OOB write in fl_set_geneve_opt()" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 5 Jun 2023 07:54:18 -0400

This is a note to let you know that I've just added the patch titled

    net/sched: flower: fix possible OOB write in fl_set_geneve_opt()

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-sched-flower-fix-possible-oob-write-in-fl_set_ge.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit b8a31ef16d196375750f1d09bf90580a1f00ea0f
Author: Hangyu Hua <hbh25y@xxxxxxxxx>
Date:   Wed May 31 18:28:04 2023 +0800

    net/sched: flower: fix possible OOB write in fl_set_geneve_opt()
    
    [ Upstream commit 4d56304e5827c8cc8cc18c75343d283af7c4825c ]
    
    If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
    size is 252 bytes(key->enc_opts.len = 252) then
    key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
    TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
    bypasses the next bounds check and results in an out-of-bounds.
    
    Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
    Signed-off-by: Hangyu Hua <hbh25y@xxxxxxxxx>
    Reviewed-by: Simon Horman <simon.horman@xxxxxxxxxxxx>
    Reviewed-by: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@xxxxxxx>
    Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@xxxxxxxxx
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 007fbc1993522..63f53aa8460a2 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -870,6 +870,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
 	if (option_len > sizeof(struct geneve_opt))
 		data_len = option_len - sizeof(struct geneve_opt);
 
+	if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
+		return -ERANGE;
+
 	opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
 	memset(opt, 0xff, option_len);
 	opt->length = data_len / 4;






