Commit 0ededb6e authored by Nikolay Aleksandrov, committed by Greg Kroah-Hartman

net: netlink: cap max groups which will be considered in netlink_bind()

commit 3a20773b upstream.

Since nl_groups is a u32 we can't bind more groups via ->bind
(netlink_bind) call, but netlink has supported more groups via
setsockopt() for a long time and thus nlk->ngroups could be over 32.
Recently I added support for per-vlan notifications and increased the
groups to 33 for NETLINK_ROUTE which exposed an old bug in the
netlink_bind() code causing out-of-bounds access on archs where unsigned
long is 32 bits via test_bit() on a local variable. Fix this by capping the
maximum groups in netlink_bind() to BITS_PER_TYPE(u32), effectively
capping them at 32 which is the minimum of allocated groups and the
maximum groups which can be bound via netlink_bind().

CC: Christophe Leroy <christophe.leroy@c-s.fr>
CC: Richard Guy Briggs <rgb@redhat.com>
Fixes: 4f520900 ("netlink: have netlink per-protocol bind function return an error code.")
Reported-by: Erhard F. <erhard_f@mailbox.org>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent c2f49064
...@@ -1029,7 +1029,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, ...@@ -1029,7 +1029,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
if (nlk->netlink_bind && groups) { if (nlk->netlink_bind && groups) {
int group; int group;
for (group = 0; group < nlk->ngroups; group++) { /* nl_groups is a u32, so cap the maximum groups we can bind */
for (group = 0; group < BITS_PER_TYPE(u32); group++) {
if (!test_bit(group, &groups)) if (!test_bit(group, &groups))
continue; continue;
err = nlk->netlink_bind(net, group + 1); err = nlk->netlink_bind(net, group + 1);
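Review bot: the new bound in `for (group = 0; group < BITS_PER_TYPE(u32); group++)` drops nlk->ngroups entirely, while the commit message describes the cap as the minimum of the allocated groups and 32. When nlk->ngroups is below 32 the loop now tests bits above ngroups, so it is only correct if `groups` has already been masked down to ngroups before this point, which these lines do not show. Either state that dependency in the new comment or make the bound explicit, for example `min_t(u32, nlk->ngroups, BITS_PER_TYPE(u32))`. The comment would also be more useful if it said why the cap matters: test_bit() on the local `groups` goes out of bounds where unsigned long is 32 bits.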
...@@ -1048,7 +1049,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, ...@@ -1048,7 +1049,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
netlink_insert(sk, nladdr->nl_pid) : netlink_insert(sk, nladdr->nl_pid) :
netlink_autobind(sock); netlink_autobind(sock);
if (err) { if (err) {
netlink_undo_bind(nlk->ngroups, groups, sk); netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);
goto unlock; goto unlock;
} }
} }
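Review bot: `netlink_undo_bind(BITS_PER_TYPE(u32), groups, sk);` repeats the constant from the bind loop with no comment at this call site, so the two bounds can drift apart if one is changed later. Suggest computing the cap once into a local (or a named macro) and passing it to both the loop and the undo call, so the unwind always covers exactly the range that was bound.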