1 | From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001 |
2 | From: Xin Long <lucien.xin@gmail.com> | |
3 | Date: Sun, 31 Mar 2019 22:50:08 +0800 | |
4 | Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable | |
5 | ||
6 | From: Xin Long <lucien.xin@gmail.com> | |
7 | ||
8 | commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream. | |
9 | ||
10 | Syzbot reported the following crash: | |
11 | ||
12 | BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961 | |
13 | memchr+0xce/0x110 lib/string.c:961 | |
14 | string_is_valid net/tipc/netlink_compat.c:176 [inline] | |
15 | tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401 | |
16 | __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline] | |
17 | tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354 | |
18 | tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline] | |
19 | tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265 | |
20 | genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] | |
21 | genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626 | |
22 | netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477 | |
23 | genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 | |
24 | netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] | |
25 | netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336 | |
26 | netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917 | |
27 | sock_sendmsg_nosec net/socket.c:622 [inline] | |
28 | sock_sendmsg net/socket.c:632 [inline] | |
29 | ||
30 | Uninit was created at: | |
31 | __alloc_skb+0x309/0xa20 net/core/skbuff.c:208 | |
32 | alloc_skb include/linux/skbuff.h:1012 [inline] | |
33 | netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] | |
34 | netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892 | |
35 | sock_sendmsg_nosec net/socket.c:622 [inline] | |
36 | sock_sendmsg net/socket.c:632 [inline] | |
37 | ||
38 | It was triggered when the bearer name size was < TIPC_MAX_BEARER_NAME: | |
39 | the check used the wrong length, TLV_GET_DATA_LEN(msg->req), which | |
40 | also includes the priority and disc_domain lengths. | |
41 | ||
42 | This patch is to fix it by checking it with a right length: | |
43 | 'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'. | |
44 | ||
45 | Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com | |
46 | Signed-off-by: Xin Long <lucien.xin@gmail.com> | |
47 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
48 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
49 | ||
50 | --- | |
51 | net/tipc/netlink_compat.c | 7 ++++++- | |
52 | 1 file changed, 6 insertions(+), 1 deletion(-) | |
53 | ||
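--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -388,7 +388,12 @@ static int tipc_nl_compat_bearer_enable(
 if (!bearer)
 return -EMSGSIZE;
 
- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+ len = TLV_GET_DATA_LEN(msg->req);
+ len -= offsetof(struct tipc_bearer_config, name);
+ if (len <= 0)
+ return -EINVAL;
+
+ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
 if (!string_is_valid(b->name, len))
 return -EINVAL;
 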
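Review bot: The new guard `if (len <= 0)` runs after `len -= offsetof(struct tipc_bearer_config, name)`, and because offsetof() is size_t that subtraction is performed unsigned and narrowed back to int, so rejecting a TLV shorter than the name offset depends on the implementation-defined wrap to a negative value rather than on an explicit comparison. Validating before subtracting avoids the mixed-sign arithmetic and reads more directly: `if (TLV_GET_DATA_LEN(msg->req) <= (int)offsetof(struct tipc_bearer_config, name))` / `return -EINVAL;` followed by `len = min_t(int, TLV_GET_DATA_LEN(msg->req) - (int)offsetof(struct tipc_bearer_config, name), TIPC_MAX_BEARER_NAME);`. A one-line comment above the bound computation, `/* bound the scan to the name field only: the TLV payload also carries priority and disc_domain */`, would record why the raw TLV data length is the wrong limit to hand to string_is_valid(). This presumes TLV_GET_DATA_LEN() yields an int and that the TLV length was already validated against its header by the caller; the body of tipc_nl_compat_bearer_enable() begins before this hunk.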