[SRU,Jammy,2/4] mctp: Allow MCTP on tun devices

Message ID	20230704142113.581071-3-cascardo@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU Jammy 2/4] mctp: Allow MCTP on tun devices Date: Tue, 4 Jul 2023 11:21:11 -0300 Message-Id: <20230704142113.581071-3-cascardo@canonical.com> In-Reply-To: <20230704142113.581071-1-cascardo@canonical.com> References: <20230704142113.581071-1-cascardo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-3439 \| expand [SRU,Jammy,0/4] CVE-2023-3439 [SRU,Jammy,1/4] mctp: Add refcounts to mctp_dev [SRU,Jammy,2/4] mctp: Allow MCTP on tun devices [SRU,Jammy,3/4] mctp: make __mctp_dev_get() take a refcount hold [SRU,Jammy,4/4] mctp: defer the kfree of object mdev->addrs

Message ID

20230704142113.581071-3-cascardo@canonical.com

State

New

Headers

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU Jammy 2/4] mctp: Allow MCTP on tun devices
Date: Tue,  4 Jul 2023 11:21:11 -0300
Message-Id: <20230704142113.581071-3-cascardo@canonical.com>
In-Reply-To: <20230704142113.581071-1-cascardo@canonical.com>
References: <20230704142113.581071-1-cascardo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-3439 | expand

Commit Message

Thadeu Lima de Souza Cascardo July 4, 2023, 2:21 p.m. UTC

From: Matt Johnston <matt@codeconstruct.com.au>

Allowing TUN is useful for testing, to route packets to userspace or to
tunnel between machines.

Signed-off-by: Matt Johnston <matt@codeconstruct.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit f364dd71d92fe6722fe5d47803be974dc0c40762)
CVE-2023-3439
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/mctp/device.c |  7 +++++--
 net/mctp/route.c  | 13 ++++++++-----
 2 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/net/mctp/device.c b/net/mctp/device.c
index a29027b86ba1..f556c6d01abc 100644
--- a/net/mctp/device.c
+++ b/net/mctp/device.c
@@ -363,9 +363,12 @@  static int mctp_register(struct net_device *dev)
 	if (rtnl_dereference(dev->mctp_ptr))
 		return 0;
 
-	/* only register specific types; MCTP-specific and loopback for now */
-	if (dev->type != ARPHRD_MCTP && dev->type != ARPHRD_LOOPBACK)
+	/* only register specific types (inc. NONE for TUN devices) */
+	if (!(dev->type == ARPHRD_MCTP ||
+	      dev->type == ARPHRD_LOOPBACK ||
+	      dev->type == ARPHRD_NONE)) {
 		return 0;
+	}
 
 	mdev = mctp_add_dev(dev);
 	if (IS_ERR(mdev))
diff --git a/net/mctp/route.c b/net/mctp/route.c
index 1e41f57d5a95..1a60fee0e99e 100644
--- a/net/mctp/route.c
+++ b/net/mctp/route.c
@@ -828,13 +828,18 @@  static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev,
 				struct net_device *orig_dev)
 {
 	struct net *net = dev_net(dev);
+	struct mctp_dev *mdev;
 	struct mctp_skb_cb *cb;
 	struct mctp_route *rt;
 	struct mctp_hdr *mh;
 
-	/* basic non-data sanity checks */
-	if (dev->type != ARPHRD_MCTP)
+	rcu_read_lock();
+	mdev = __mctp_dev_get(dev);
+	rcu_read_unlock();
+	if (!mdev) {
+		/* basic non-data sanity checks */
 		goto err_drop;
+	}
 
 	if (!pskb_may_pull(skb, sizeof(struct mctp_hdr)))
 		goto err_drop;
@@ -848,9 +853,7 @@  static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev,
 		goto err_drop;
 
 	cb = __mctp_cb(skb);
-	rcu_read_lock();
-	cb->net = READ_ONCE(__mctp_dev_get(dev)->net);
-	rcu_read_unlock();
+	cb->net = READ_ONCE(mdev->net);
 
 	rt = mctp_route_lookup(net, cb->net, mh->dest);
 	if (!rt)

[SRU,Jammy,2/4] mctp: Allow MCTP on tun devices

Commit Message

Patch