> <
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c30a3c957c885e618ddffc065f888be4f8d5a9bd>,
Can be reproduced with:
# tc action add mpls push label 3
This assumes iproute2 has been patched to encode a wrong label length, for example:
diff --git a/tc/m_mpls.c b/tc/m_mpls.c
index 9b39d8533c21..2a43ca6c4dd3 100644
--- a/tc/m_mpls.c
+++ b/tc/m_mpls.c
@@ -191,7 +191,7 @@ static int parse_mpls(struct action_util *a, int *argc_p, char ***argv_p,
tail = addattr_nest(n, MAX_MSG, tca_id | NLA_F_NESTED);
addattr_l(n, MAX_MSG, TCA_MPLS_PARMS, &parm, sizeof(parm));
if (label != 0xffffffff)
- addattr_l(n, MAX_MSG, TCA_MPLS_LABEL, &label, sizeof(label));
+ addattr_l(n, MAX_MSG, TCA_MPLS_LABEL, &label, 8);
if (proto)
addattr_l(n, MAX_MSG, TCA_MPLS_PROTO, &proto, sizeof(proto));
if (tc != 0xff)
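Review bot: The hard-coded `8` on the changed addattr_l() line makes tc copy eight bytes starting at `&label`. If `label` is the 4-byte value that the removed `sizeof(label)` and the `0xffffffff` sentinel suggest, the last four bytes come from whatever sits next to it on the stack, so the malformed attribute is not byte-for-byte reproducible. For a regression test it is cleaner to send a defined oversized payload, e.g. `__u32 bad[2] = { label, 0 };` followed by `addattr_l(n, MAX_MSG, TCA_MPLS_LABEL, bad, sizeof(bad));`. parse_mpls() starts and ends outside this hunk.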
It does not seem valid to use NLA_POLICY_VALIDATE_FN() without
NLA_BINARY. Fixed for me by:
diff --git a/net/sched/act_mpls.c b/net/sched/act_mpls.c
index ff47ce4d3968..6b26bdb999d7 100644
--- a/net/sched/act_mpls.c
+++ b/net/sched/act_mpls.c
@@ -134,6 +134,11 @@ static int valid_label(const struct nlattr *attr,
{
const u32 *label = nla_data(attr);
+ if (nla_len(attr) != sizeof(*label)) {
+ NL_SET_ERR_MSG_MOD(extack, "Invalid MPLS label length");
+ return -EINVAL;
+ }
+
if (*label & ~MPLS_LABEL_MASK || *label == MPLS_LABEL_IMPLNULL) {
NL_SET_ERR_MSG_MOD(extack, "MPLS label out of range");
return -EINVAL;
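Review bot: The new length test in valid_label() is what keeps the `*label` dereference a few lines below inside the attribute payload once the policy type becomes NLA_BINARY, and nothing in the function says so. I would add a comment above the check such as `/* NLA_BINARY does not fix the payload size; require exactly a u32 before reading it */` so a later cleanup does not drop it as redundant. The remainder of valid_label() lies outside the hunk.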
@@ -145,7 +150,8 @@ static int valid_label(const struct nlattr *attr,
static const struct nla_policy mpls_policy[TCA_MPLS_MAX + 1] = {
[TCA_MPLS_PARMS] = NLA_POLICY_EXACT_LEN(sizeof(struct tc_mpls)),
[TCA_MPLS_PROTO] = { .type = NLA_U16 },
- [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_U32, valid_label),
+ [TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY,
+ valid_label),
[TCA_MPLS_TC] = NLA_POLICY_RANGE(NLA_U8, 0, 7),
[TCA_MPLS_TTL] = NLA_POLICY_MIN(NLA_U8, 1),
[TCA_MPLS_BOS] = NLA_POLICY_RANGE(NLA_U8, 0, 1),
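Review bot: With NLA_BINARY the TCA_MPLS_LABEL entry carries no length bound of its own, so every size decision is left to valid_label(). If NLA_POLICY_VALIDATE_FN() in this tree accepts an optional trailing length argument (worth confirming in include/net/netlink.h), passing it would let the policy reject oversized labels before the callback runs: `[TCA_MPLS_LABEL] = NLA_POLICY_VALIDATE_FN(NLA_BINARY, valid_label, sizeof(u32)),`. For NLA_BINARY that bound is only a maximum, so the exact-length check in valid_label() still has to stay for short or empty attributes. The mpls_policy initializer continues past this hunk.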
But please test with your reproducer as well.
For net-next we can try to remove the first argument from
NLA_POLICY_VALIDATE_FN() and set NLA_BINARY which is what everyone is
passing anyway.
Adding Johannes in case he has a better idea.