From: Cho, Yu-Chen <acho@suse.com>
Subject: Fix kABI breakage by nl80211 security fix
Patch-mainline: Never, kABI fix
References: bsc#1152107 CVE-2019-16746

- The recent security fix for the nl80211 driver consists of the patches
  0001-net-ipv4-Add-extack-messages-for-route-add-failures.patch
  0002-netlink-Return-extack-message-if-attribute-validatio.patch
  0003-netlink-add-NLA_REJECT-policy-type.patch
  0004-netlink-move-extack-setting-into-validate_nla.patch
  0005-netlink-allow-NLA_NESTED-to-specify-nested-policy-to.patch
  0006-netlink-add-nested-array-policy-validation.patch
  0007-netlink-make-validation_data-const.patch
  0008-netlink-add-attribute-range-validation-to-policy.patch
  0009-netlink-replace-__NLA_ENSURE-implementation.patch
  0010-netlink-add-validation-function-to-policy.patch
  0011-nl80211-validate-beacon-head.patch
which break kABI.
- Fix by restoring the old firmware struct with kABI markers.
- Add kABI markers for validate_nla_bitfield32

Acked-by: Cho, Yu-Chen <acho@suse.com>
---
 include/net/netlink.h |   21 ++++++++++++++++++---
 lib/nlattr.c          |   12 ++++++++++++
 2 files changed, 30 insertions(+), 3 deletions(-)

--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -171,7 +171,6 @@ enum {
 	NLA_FLAG,
 	NLA_MSECS,
 	NLA_NESTED,
-	NLA_NESTED_ARRAY,
 	NLA_NESTED_COMPAT,
 	NLA_NUL_STRING,
 	NLA_BINARY,
@@ -180,7 +179,10 @@ enum {
 	NLA_S32,
 	NLA_S64,
 	NLA_BITFIELD32,
+#ifndef __GENKSYMS__
 	NLA_REJECT,
+	NLA_NESTED_ARRAY,
+#endif
 	__NLA_TYPE_MAX,
 };
 
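Review bot: The enum now orders `NLA_REJECT` and `NLA_NESTED_ARRAY` differently from the patch series listed in the description, and nothing at the `#ifndef __GENKSYMS__` block says why. A later backport that restores the original position of `NLA_NESTED_ARRAY` would renumber `NLA_NESTED_COMPAT` and every type after it for modules already built against this header, so attribute policies in those modules would be validated as the wrong type. I would add a comment above the block such as `/* kABI: types added after the ABI freeze go below NLA_BITFIELD32; do not reorder to match upstream */`.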
@@ -281,9 +283,21 @@ enum nla_policy_validation {
  * };
  */
 struct nla_policy {
-	u8		type;
-	u8		validation_type;
+#ifdef __GENKSYMS__
+	u16 type;
+#else
+#ifdef __BIG_ENDIAN
+	u8 validation_type;
+	u8 type;
+#else
+	u8 type;
+	u8 validation_type;
+#endif
+#endif
 	u16		len;
+#ifdef __GENKSYMS__
+	void	*validation_data;
+#else
 	union {
 		const void *validation_data;
 		struct {
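Review bot: The byte layout chosen at `#ifdef __BIG_ENDIAN` falls through to the little-endian order whenever `__BIG_ENDIAN` is not defined at this point, including the case where the byteorder header has simply not been included yet; whether it is included before this struct is not visible in the hunk. On a big-endian build that would swap `type` and `validation_type` for every policy an older module supplies, so attributes would be checked against the wrong type. Making the second branch explicit, `#elif defined(__LITTLE_ENDIAN)` followed by `#else` and `#error "unknown byte order"`, turns that into a build failure. The overlay also assumes that a zero `validation_type` means no additional validation, since old `u16 type` values leave that byte zero; the enumerators of `enum nla_policy_validation` are outside this hunk, so that is worth confirming. The struct body continues into the next hunk.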
@@ -292,6 +306,7 @@ struct nla_policy {
 		int (*validate)(const struct nlattr *attr,
 				struct netlink_ext_ack *extack);
 	};
+#endif
 };
 
 #define NLA_POLICY_NESTED(maxattr, policy) \
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -27,13 +27,25 @@ static const u8 nla_attr_minlen[NLA_TYPE
 	[NLA_S64]	= sizeof(s64),
 };
 
+#ifdef __GENKSYMS__
+static int validate_nla_bitfield32(const struct nlattr *nla,
+				   u32 *valid_flags_allowed)
+#else
 static int validate_nla_bitfield32(const struct nlattr *nla,
 				   const u32 *valid_flags_mask)
+#endif
 {
 	const struct nla_bitfield32 *bf = nla_data(nla);
 
+#ifdef __GENKSYMS__
+	u32 *valid_flags_mask = valid_flags_allowed;
+
+	if (!valid_flags_allowed)
+		return -EINVAL;
+#else
 	if (!valid_flags_mask)
 		return -EINVAL;
+#endif
 
 	/*disallow invalid bit selector */
 	if (bf->selector & ~*valid_flags_mask)
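Review bot: The second `#ifdef __GENKSYMS__` block inside the body of `validate_nla_bitfield32` adds a duplicate NULL check and a `valid_flags_mask` alias that the compiler never sees, because `__GENKSYMS__` is defined only for the symbol-version pass. Two copies of the same guard in an attribute validator invite one being changed without the other. Keeping the `#ifdef` on the prototype only and leaving the body with the single `if (!valid_flags_mask)` / `return -EINVAL;` pair would be enough; since the function is `static`, it is also worth checking whether the prototype marker is needed at all. The function body continues past the end of the hunk.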