[thirdparty/kernel/stable-queue.git] / queue-4.4 / tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch

From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 31 Mar 2019 22:50:08 +0800
Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable

From: Xin Long <lucien.xin@gmail.com>

commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream.

Syzbot reported the following crash:

BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
  memchr+0xce/0x110 lib/string.c:961
  string_is_valid net/tipc/netlink_compat.c:176 [inline]
  tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
  __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
  tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
  tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
  tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
  genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
  genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
  genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
  sock_sendmsg_nosec net/socket.c:622 [inline]
  sock_sendmsg net/socket.c:632 [inline]

Uninit was created at:
  __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
  alloc_skb include/linux/skbuff.h:1012 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
  netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
  sock_sendmsg_nosec net/socket.c:622 [inline]
  sock_sendmsg net/socket.c:632 [inline]

It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
also includes priority and disc_domain length.

This patch is to fix it by checking it with a right length:
'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.

Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/netlink_compat.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -388,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(
 	if (!bearer)
 		return -EMSGSIZE;
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	len -= offsetof(struct tipc_bearer_config, name);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_BEARER_NAME);
 	if (!string_is_valid(b->name, len))
 		return -EINVAL;
Commit	Line	Data
9e4b7051 GKH	1	From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001
	2	From: Xin Long <lucien.xin@gmail.com>
	3	Date: Sun, 31 Mar 2019 22:50:08 +0800
	4	Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
	5
	6	From: Xin Long <lucien.xin@gmail.com>
	7
	8	commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream.
	9
	10	Syzbot reported the following crash:
	11
	12	BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
	13	memchr+0xce/0x110 lib/string.c:961
	14	string_is_valid net/tipc/netlink_compat.c:176 [inline]
	15	tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
	16	__tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
	17	tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
	18	tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
	19	tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
	20	genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
	21	genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
	22	netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
	23	genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
	24	netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
	25	netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
	26	netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
	27	sock_sendmsg_nosec net/socket.c:622 [inline]
	28	sock_sendmsg net/socket.c:632 [inline]
	29
	30	Uninit was created at:
	31	__alloc_skb+0x309/0xa20 net/core/skbuff.c:208
	32	alloc_skb include/linux/skbuff.h:1012 [inline]
	33	netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
	34	netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
	35	sock_sendmsg_nosec net/socket.c:622 [inline]
	36	sock_sendmsg net/socket.c:632 [inline]
	37
	38	It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
	39	it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
	40	also includes priority and disc_domain length.
	41
	42	This patch is to fix it by checking it with a right length:
	43	'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.
	44
	45	Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
	46	Signed-off-by: Xin Long <lucien.xin@gmail.com>
	47	Signed-off-by: David S. Miller <davem@davemloft.net>
	48	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	49
	50	---
	51	net/tipc/netlink_compat.c \| 7 ++++++-
	52	1 file changed, 6 insertions(+), 1 deletion(-)
	53
	54	--- a/net/tipc/netlink_compat.c
	55	+++ b/net/tipc/netlink_compat.c
	56	@@ -388,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(
	57	if (!bearer)
	58	return -EMSGSIZE;
	59
	60	- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
	61	+ len = TLV_GET_DATA_LEN(msg->req);
	62	+ len -= offsetof(struct tipc_bearer_config, name);
	63	+ if (len <= 0)
	64	+ return -EINVAL;
65	+
66	+ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
67	if (!string_is_valid(b->name, len))
68	return -EINVAL;
69