net: ethtool: avoid OOB accesses in PAUSE_SET

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

We now reuse .parse_request() from GET on SET, so we need to make sure
that the policies for both cover the attributes used for .parse_request().
genetlink will only allocate space in info->attrs for ARRAY_SIZE(policy).

Reported-by: syzbot+430f9f76633641a62217@syzkaller.appspotmail.com
Fixes: 963781bdfe20 ("net: ethtool: call .parse_request for SET handlers")
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Link: https://patch.msgid.link/20250626233926.199801-1-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 9 months ago 99e3eb45 7012d4f3

+2 -1

2 changed files

expand all

net

ethtool

netlink.h

pause.c

+1 -1

net/ethtool/netlink.h

··· 467 467 extern const struct nla_policy ethnl_coalesce_get_policy[ETHTOOL_A_COALESCE_HEADER + 1]; 468 468 extern const struct nla_policy ethnl_coalesce_set_policy[ETHTOOL_A_COALESCE_MAX + 1]; 469 469 extern const struct nla_policy ethnl_pause_get_policy[ETHTOOL_A_PAUSE_STATS_SRC + 1]; 470 - extern const struct nla_policy ethnl_pause_set_policy[ETHTOOL_A_PAUSE_TX + 1]; 470 + extern const struct nla_policy ethnl_pause_set_policy[ETHTOOL_A_PAUSE_STATS_SRC + 1]; 471 471 extern const struct nla_policy ethnl_eee_get_policy[ETHTOOL_A_EEE_HEADER + 1]; 472 472 extern const struct nla_policy ethnl_eee_set_policy[ETHTOOL_A_EEE_TX_LPI_TIMER + 1]; 473 473 extern const struct nla_policy ethnl_tsinfo_get_policy[ETHTOOL_A_TSINFO_MAX + 1];

net/ethtool/pause.c

··· 168 168 [ETHTOOL_A_PAUSE_AUTONEG] = { .type = NLA_U8 }, 169 169 [ETHTOOL_A_PAUSE_RX] = { .type = NLA_U8 }, 170 170 [ETHTOOL_A_PAUSE_TX] = { .type = NLA_U8 }, 171 + [ETHTOOL_A_PAUSE_STATS_SRC] = { .type = NLA_REJECT }, 171 172 }; 172 173 173 174 static int