From 68e161867609dafcee1a20343990547a8da9be83 Mon Sep 17 00:00:00 2001 From: Nagappan Ramasamy Palaniappan Date: Wed, 2 Aug 2023 13:10:03 +0000 Subject: [PATCH 5/5] net/sched: flower: fix possible OOB write in-fl_set_geneve_opt() CVE: CVE-2023-35788 commit 4d56304e5827c8cc8cc18c75343d283af7c4825c Author: Hangyu Hua Date: Wed May 31 18:28:04 2023 +0800 net/sched: flower: fix possible OOB write in fl_set_geneve_opt() If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total size is 252 bytes(key->enc_opts.len = 252) then key->enc_opts.len = opt->length = data_len / 4 = 0 when the third TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This bypasses the next bounds check and results in an out-of-bounds. Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options") Signed-off-by: Hangyu Hua Reviewed-by: Simon Horman Reviewed-by: Pieter Jansen van Vuuren Link: https://lore.kernel.org/r/20230531102805.27090-1-hbh25y@gmail.com Signed-off-by: Nagappan Ramasamy Palaniappan Reviewed-by: Laurence Rochfort --- net/sched/cls_flower.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c index 041d63ff8..65b68bf36 100644 --- a/net/sched/cls_flower.c +++ b/net/sched/cls_flower.c @@ -1145,6 +1145,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key, if (option_len > sizeof(struct geneve_opt)) data_len = option_len - sizeof(struct geneve_opt); + if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4) + return -ERANGE; + opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len]; memset(opt, 0xff, option_len); opt->length = data_len / 4; -- 2.31.1