korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-09-22 12:44:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
19b3f72a41
linux/net
History
Shigeru Yoshida 19b3f72a41 tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING 
syzbot reported the following uninit-value access issue [1]:

=====================================================
BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
 strlen lib/string.c:418 [inline]
 strstr+0xb8/0x2f0 lib/string.c:756
 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
 genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
 genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
 netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg net/socket.c:753 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
 __sys_sendmsg net/socket.c:2624 [inline]
 __do_sys_sendmsg net/socket.c:2633 [inline]
 __se_sys_sendmsg net/socket.c:2631 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
 slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
 slab_alloc_node mm/slub.c:3478 [inline]
 kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
 __alloc_skb+0x318/0x740 net/core/skbuff.c:650
 alloc_skb include/linux/skbuff.h:1286 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
 netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
 sock_sendmsg_nosec net/socket.c:730 [inline]
 sock_sendmsg net/socket.c:753 [inline]
 ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
 __sys_sendmsg net/socket.c:2624 [inline]
 __do_sys_sendmsg net/socket.c:2633 [inline]
 __se_sys_sendmsg net/socket.c:2631 [inline]
 __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

TIPC bearer-related names including link names must be null-terminated
strings. If a link name which is not null-terminated is passed through
netlink, strstr() and similar functions can cause buffer overrun. This
causes the above issue.

This patch changes the nla_policy for bearer-related names from NLA_STRING
to NLA_NUL_STRING. This resolves the issue by ensuring that only
null-terminated strings are accepted as bearer-related names.

syzbot reported similar uninit-value issue related to bearer names [2]. The
root cause of this issue is that a non-null-terminated bearer name was
passed. This patch also resolved this issue.

Fixes: 7be57fc691 ("tipc: add link get/dump to new netlink api")
Fixes: 0655f6a863 ("tipc: add bearer disable/enable to new netlink api")
Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1]
Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-11-01 22:26:37 -07:00
..
6lowpan
9p net: annotate data-races around sock->ops 2023-08-09 15:32:43 -07:00
802 net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
8021q net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
appletalk appletalk: remove special handling code for ipddp 2023-10-13 17:59:32 -07:00
atm net: atm: Remove redundant check. 2023-10-23 08:45:25 +01:00
ax25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-24 10:51:39 -07:00
bluetooth Bluetooth: hci_sync: Fix Opcode prints in bt_dev_dbg/err 2023-10-23 11:05:32 -07:00
bpf bpf: Prevent inlining of bpf_fentry_test7() 2023-08-30 08:36:17 +02:00
bpfilter
bridge net: bridge: fill in MODULE_DESCRIPTION() 2023-10-27 11:16:44 +01:00
caif
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
ceph Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-19 13:29:01 -07:00
core Follow up to networking PR for 6.7 2023-11-01 16:33:20 -10:00
dcb
dccp tcp: record last received ipv6 flowlabel 2023-10-10 10:02:59 +02:00
devlink netlink: specs: devlink: add forgotten port function caps enum values 2023-11-01 22:13:43 -07:00
dns_resolver
dsa net: dsa: Rename IFLA_DSA_MASTER to IFLA_DSA_CONDUIT 2023-10-24 13:08:14 -07:00
ethernet
ethtool ethtool: untangle the linkmode and ethtool headers 2023-10-20 12:47:33 +01:00
handshake Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
hsr hsr: Prevent use after free in prp_create_tagged_frame() 2023-11-01 22:26:04 -07:00
ieee802154 sysctl-6.6-rc1 2023-08-29 17:39:15 -07:00
ife
ipv4 net: tcp: remove call to obsolete crypto_ahash_alignmask() 2023-10-31 13:11:51 -07:00
ipv6 ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
iucv
kcm kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). 2023-09-14 10:43:51 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-05 13:16:47 -07:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211 wireless-next patches for v6.7 2023-10-26 20:27:58 -07:00
mac802154
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp mptcp: define more local variables sk 2023-10-27 08:47:30 -07:00
ncsi ncsi: Propagate carrier gain/loss events to the NCSI controller 2023-09-18 07:06:05 +01:00
netfilter ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
netlabel
netlink genetlink: don't merge dumpit split op for different cmds into single iter 2023-10-23 16:11:53 -07:00
netrom net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
nfc nfc: nci: fix possible NULL pointer dereference in send_acknowledge() 2023-10-16 17:34:53 -07:00
nsh
openvswitch net: openvswitch: Annotate struct mask_array with __counted_by 2023-10-17 13:56:03 +02:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
phonet
psample
qrtr
rds net: prevent address rewrite in kernel_bind() 2023-10-01 19:31:29 +01:00
rfkill net: rfkill: reduce data->mtx scope in rfkill_fop_open 2023-10-11 16:55:10 +02:00
rose net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
rxrpc
sched net: sched: Fill in missing MODULE_DESCRIPTION for qdiscs 2023-11-01 21:49:09 -07:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-05 13:16:47 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-19 13:29:01 -07:00
strparser
sunrpc NFSD 6.7 Release Notes 2023-10-30 10:12:29 -10:00
switchdev
tipc tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING 2023-11-01 22:26:37 -07:00
tls tls: don't reset prot->aad_size and prot->tail_size for TLS_HW 2023-10-23 10:15:09 -07:00
unix af_unix: Remove module remnants. 2023-10-27 09:12:47 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
wireless wireless-next patches for v6.7 2023-10-26 20:27:58 -07:00
x25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
xdp xsk: Avoid starving the xsk further down the list 2023-10-24 11:55:36 +02:00
xfrm ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
compat.c
devres.c
Kconfig net: add skb_segment kunit test 2023-10-11 10:39:01 +01:00
Kconfig.debug
Makefile
socket.c for-6.7/io_uring-sockopt-2023-10-30 2023-11-01 11:16:34 -10:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00