7a0420e8 GKH |
1 | From foo@baz Thu Dec 13 12:16:38 CET 2018 |
2 | From: Eric Dumazet <edumazet@google.com> | |
3 | Date: Tue, 4 Dec 2018 09:40:35 -0800 | |
4 | Subject: rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices | |
5 | ||
6 | From: Eric Dumazet <edumazet@google.com> | |
7 | ||
8 | [ Upstream commit 688838934c231bb08f46db687e57f6d8bf82709c ] | |
9 | ||
10 | kmsan was able to trigger a kernel-infoleak using a gre device [1] | |
11 | ||
12 | nlmsg_populate_fdb_fill() has a hard coded assumption | |
13 | that dev->addr_len is ETH_ALEN, as normally guaranteed | |
14 | for ARPHRD_ETHER devices. | |
15 | ||
16 | A similar issue was fixed recently in commit da71577545a5 | |
17 | ("rtnetlink: Disallow FDB configuration for non-Ethernet device") | |
18 | ||
19 | [1] | |
20 | BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:143 [inline] | |
21 | BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576 | |
22 | CPU: 0 PID: 6697 Comm: syz-executor310 Not tainted 4.20.0-rc3+ #95 | |
23 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 | |
24 | Call Trace: | |
25 | __dump_stack lib/dump_stack.c:77 [inline] | |
26 | dump_stack+0x32d/0x480 lib/dump_stack.c:113 | |
27 | kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683 | |
28 | kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743 | |
29 | kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634 | |
30 | copyout lib/iov_iter.c:143 [inline] | |
31 | _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576 | |
32 | copy_to_iter include/linux/uio.h:143 [inline] | |
33 | skb_copy_datagram_iter+0x4e2/0x1070 net/core/datagram.c:431 | |
34 | skb_copy_datagram_msg include/linux/skbuff.h:3316 [inline] | |
35 | netlink_recvmsg+0x6f9/0x19d0 net/netlink/af_netlink.c:1975 | |
36 | sock_recvmsg_nosec net/socket.c:794 [inline] | |
37 | sock_recvmsg+0x1d1/0x230 net/socket.c:801 | |
38 | ___sys_recvmsg+0x444/0xae0 net/socket.c:2278 | |
39 | __sys_recvmsg net/socket.c:2327 [inline] | |
40 | __do_sys_recvmsg net/socket.c:2337 [inline] | |
41 | __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334 | |
42 | __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334 | |
43 | do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 | |
44 | entry_SYSCALL_64_after_hwframe+0x63/0xe7 | |
45 | RIP: 0033:0x441119 | |
46 | Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 | |
47 | RSP: 002b:00007fffc7f008a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f | |
48 | RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441119 | |
49 | RDX: 0000000000000040 RSI: 00000000200005c0 RDI: 0000000000000003 | |
50 | RBP: 00000000006cc018 R08: 0000000000000100 R09: 0000000000000100 | |
51 | R10: 0000000000000100 R11: 0000000000000207 R12: 0000000000402080 | |
52 | R13: 0000000000402110 R14: 0000000000000000 R15: 0000000000000000 | |
53 | ||
54 | Uninit was stored to memory at: | |
55 | kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline] | |
56 | kmsan_save_stack mm/kmsan/kmsan.c:261 [inline] | |
57 | kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469 | |
58 | kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344 | |
59 | kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362 | |
60 | __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162 | |
61 | __nla_put lib/nlattr.c:744 [inline] | |
62 | nla_put+0x20a/0x2d0 lib/nlattr.c:802 | |
63 | nlmsg_populate_fdb_fill+0x444/0x810 net/core/rtnetlink.c:3466 | |
64 | nlmsg_populate_fdb net/core/rtnetlink.c:3775 [inline] | |
65 | ndo_dflt_fdb_dump+0x73a/0x960 net/core/rtnetlink.c:3807 | |
66 | rtnl_fdb_dump+0x1318/0x1cb0 net/core/rtnetlink.c:3979 | |
67 | netlink_dump+0xc79/0x1c90 net/netlink/af_netlink.c:2244 | |
68 | __netlink_dump_start+0x10c4/0x11d0 net/netlink/af_netlink.c:2352 | |
69 | netlink_dump_start include/linux/netlink.h:216 [inline] | |
70 | rtnetlink_rcv_msg+0x141b/0x1540 net/core/rtnetlink.c:4910 | |
71 | netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477 | |
72 | rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965 | |
73 | netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] | |
74 | netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336 | |
75 | netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917 | |
76 | sock_sendmsg_nosec net/socket.c:621 [inline] | |
77 | sock_sendmsg net/socket.c:631 [inline] | |
78 | ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116 | |
79 | __sys_sendmsg net/socket.c:2154 [inline] | |
80 | __do_sys_sendmsg net/socket.c:2163 [inline] | |
81 | __se_sys_sendmsg+0x305/0x460 net/socket.c:2161 | |
82 | __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 | |
83 | do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 | |
84 | entry_SYSCALL_64_after_hwframe+0x63/0xe7 | |
85 | ||
86 | Uninit was created at: | |
87 | kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline] | |
88 | kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170 | |
89 | kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186 | |
90 | __kmalloc+0x14c/0x4d0 mm/slub.c:3825 | |
91 | kmalloc include/linux/slab.h:551 [inline] | |
92 | __hw_addr_create_ex net/core/dev_addr_lists.c:34 [inline] | |
93 | __hw_addr_add_ex net/core/dev_addr_lists.c:80 [inline] | |
94 | __dev_mc_add+0x357/0x8a0 net/core/dev_addr_lists.c:670 | |
95 | dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687 | |
96 | ip_mc_filter_add net/ipv4/igmp.c:1128 [inline] | |
97 | igmp_group_added+0x4d4/0xb80 net/ipv4/igmp.c:1311 | |
98 | __ip_mc_inc_group+0xea9/0xf70 net/ipv4/igmp.c:1444 | |
99 | ip_mc_inc_group net/ipv4/igmp.c:1453 [inline] | |
100 | ip_mc_up+0x1c3/0x400 net/ipv4/igmp.c:1775 | |
101 | inetdev_event+0x1d03/0x1d80 net/ipv4/devinet.c:1522 | |
102 | notifier_call_chain kernel/notifier.c:93 [inline] | |
103 | __raw_notifier_call_chain kernel/notifier.c:394 [inline] | |
104 | raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401 | |
105 | __dev_notify_flags+0x3da/0x860 net/core/dev.c:1733 | |
106 | dev_change_flags+0x1ac/0x230 net/core/dev.c:7569 | |
107 | do_setlink+0x165f/0x5ea0 net/core/rtnetlink.c:2492 | |
108 | rtnl_newlink+0x2ad7/0x35a0 net/core/rtnetlink.c:3111 | |
109 | rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947 | |
110 | netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477 | |
111 | rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965 | |
112 | netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] | |
113 | netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336 | |
114 | netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917 | |
115 | sock_sendmsg_nosec net/socket.c:621 [inline] | |
116 | sock_sendmsg net/socket.c:631 [inline] | |
117 | ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116 | |
118 | __sys_sendmsg net/socket.c:2154 [inline] | |
119 | __do_sys_sendmsg net/socket.c:2163 [inline] | |
120 | __se_sys_sendmsg+0x305/0x460 net/socket.c:2161 | |
121 | __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 | |
122 | do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291 | |
123 | entry_SYSCALL_64_after_hwframe+0x63/0xe7 | |
124 | ||
125 | Bytes 36-37 of 105 are uninitialized | |
126 | Memory access of size 105 starts at ffff88819686c000 | |
127 | Data copied to user address 0000000020000380 | |
128 | ||
129 | Fixes: d83b06036048 ("net: add fdb generic dump routine") | |
130 | Signed-off-by: Eric Dumazet <edumazet@google.com> | |
131 | Cc: John Fastabend <john.fastabend@gmail.com> | |
132 | Cc: Ido Schimmel <idosch@mellanox.com> | |
133 | Cc: David Ahern <dsahern@gmail.com> | |
134 | Reviewed-by: Ido Schimmel <idosch@mellanox.com> | |
135 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
136 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
137 | --- | |
138 | net/core/rtnetlink.c | 3 +++ | |
139 | 1 file changed, 3 insertions(+) | |
140 | ||
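--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3186,6 +3186,9 @@ int ndo_dflt_fdb_dump(struct sk_buff *sk
 {
 	int err;
 
+	if (dev->type != ARPHRD_ETHER)
+		return -EINVAL;
+
 	netif_addr_lock_bh(dev);
 	err = nlmsg_populate_fdb(skb, cb, dev, idx, &dev->uc);
 	if (err)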
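Review bot: The new guard in ndo_dflt_fdb_dump() carries no comment tying it to the actual precondition, which per the commit message is dev->addr_len == ETH_ALEN as hard-coded by nlmsg_populate_fdb_fill(); a bare type check invites someone to later admit another ARPHRD_* type whose addr_len differs and reintroduce the infoleak. I would add `/* nlmsg_populate_fdb_fill() assumes dev->addr_len == ETH_ALEN; only ARPHRD_ETHER devices guarantee that (see da71577545a5) */` directly above the `if`. The `-EINVAL` is also a new early exit from a dump callback, and whether rtnl_fdb_dump() treats it as "skip this device" or as a reason to stop the whole dump is decided by caller code outside this hunk, so it is worth confirming that an Ethernet device listed after a gre device is still dumped. The body of ndo_dflt_fdb_dump() continues past the end of the hunk.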