[thirdparty/kernel/stable-queue.git] / releases / 4.9.146 / rtnetlink-ndo_dflt_fdb_dump-only-work-for-arphrd_ether-devices.patch

From foo@baz Thu Dec 13 12:16:38 CET 2018
From: Eric Dumazet <edumazet@google.com>
Date: Tue, 4 Dec 2018 09:40:35 -0800
Subject: rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 688838934c231bb08f46db687e57f6d8bf82709c ]

kmsan was able to trigger a kernel-infoleak using a gre device [1]

nlmsg_populate_fdb_fill() has a hard coded assumption
that dev->addr_len is ETH_ALEN, as normally guaranteed
for ARPHRD_ETHER devices.

A similar issue was fixed recently in commit da71577545a5
("rtnetlink: Disallow FDB configuration for non-Ethernet device")

[1]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:143 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
CPU: 0 PID: 6697 Comm: syz-executor310 Not tainted 4.20.0-rc3+ #95
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x32d/0x480 lib/dump_stack.c:113
 kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
 kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
 kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
 copyout lib/iov_iter.c:143 [inline]
 _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
 copy_to_iter include/linux/uio.h:143 [inline]
 skb_copy_datagram_iter+0x4e2/0x1070 net/core/datagram.c:431
 skb_copy_datagram_msg include/linux/skbuff.h:3316 [inline]
 netlink_recvmsg+0x6f9/0x19d0 net/netlink/af_netlink.c:1975
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0x1d1/0x230 net/socket.c:801
 ___sys_recvmsg+0x444/0xae0 net/socket.c:2278
 __sys_recvmsg net/socket.c:2327 [inline]
 __do_sys_recvmsg net/socket.c:2337 [inline]
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x441119
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffc7f008a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441119
RDX: 0000000000000040 RSI: 00000000200005c0 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 0000000000000100 R09: 0000000000000100
R10: 0000000000000100 R11: 0000000000000207 R12: 0000000000402080
R13: 0000000000402110 R14: 0000000000000000 R15: 0000000000000000

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
 kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
 kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
 __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
 __nla_put lib/nlattr.c:744 [inline]
 nla_put+0x20a/0x2d0 lib/nlattr.c:802
 nlmsg_populate_fdb_fill+0x444/0x810 net/core/rtnetlink.c:3466
 nlmsg_populate_fdb net/core/rtnetlink.c:3775 [inline]
 ndo_dflt_fdb_dump+0x73a/0x960 net/core/rtnetlink.c:3807
 rtnl_fdb_dump+0x1318/0x1cb0 net/core/rtnetlink.c:3979
 netlink_dump+0xc79/0x1c90 net/netlink/af_netlink.c:2244
 __netlink_dump_start+0x10c4/0x11d0 net/netlink/af_netlink.c:2352
 netlink_dump_start include/linux/netlink.h:216 [inline]
 rtnetlink_rcv_msg+0x141b/0x1540 net/core/rtnetlink.c:4910
 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
 __sys_sendmsg net/socket.c:2154 [inline]
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
 kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
 kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
 __kmalloc+0x14c/0x4d0 mm/slub.c:3825
 kmalloc include/linux/slab.h:551 [inline]
 __hw_addr_create_ex net/core/dev_addr_lists.c:34 [inline]
 __hw_addr_add_ex net/core/dev_addr_lists.c:80 [inline]
 __dev_mc_add+0x357/0x8a0 net/core/dev_addr_lists.c:670
 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
 ip_mc_filter_add net/ipv4/igmp.c:1128 [inline]
 igmp_group_added+0x4d4/0xb80 net/ipv4/igmp.c:1311
 __ip_mc_inc_group+0xea9/0xf70 net/ipv4/igmp.c:1444
 ip_mc_inc_group net/ipv4/igmp.c:1453 [inline]
 ip_mc_up+0x1c3/0x400 net/ipv4/igmp.c:1775
 inetdev_event+0x1d03/0x1d80 net/ipv4/devinet.c:1522
 notifier_call_chain kernel/notifier.c:93 [inline]
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
 __dev_notify_flags+0x3da/0x860 net/core/dev.c:1733
 dev_change_flags+0x1ac/0x230 net/core/dev.c:7569
 do_setlink+0x165f/0x5ea0 net/core/rtnetlink.c:2492
 rtnl_newlink+0x2ad7/0x35a0 net/core/rtnetlink.c:3111
 rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
 netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
 netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
 __sys_sendmsg net/socket.c:2154 [inline]
 __do_sys_sendmsg net/socket.c:2163 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
 do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 36-37 of 105 are uninitialized
Memory access of size 105 starts at ffff88819686c000
Data copied to user address 0000000020000380

Fixes: d83b06036048 ("net: add fdb generic dump routine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Ido Schimmel <idosch@mellanox.com>
Cc: David Ahern <dsahern@gmail.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/rtnetlink.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3186,6 +3186,9 @@ int ndo_dflt_fdb_dump(struct sk_buff *sk
 {
 	int err;
 
+	if (dev->type != ARPHRD_ETHER)
+		return -EINVAL;
+
 	netif_addr_lock_bh(dev);
 	err = nlmsg_populate_fdb(skb, cb, dev, idx, &dev->uc);
 	if (err)
Commit	Line	Data
7a0420e8 GKH	1	From foo@baz Thu Dec 13 12:16:38 CET 2018
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Tue, 4 Dec 2018 09:40:35 -0800
	4	Subject: rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	[ Upstream commit 688838934c231bb08f46db687e57f6d8bf82709c ]
	9
	10	kmsan was able to trigger a kernel-infoleak using a gre device [1]
	11
	12	nlmsg_populate_fdb_fill() has a hard coded assumption
	13	that dev->addr_len is ETH_ALEN, as normally guaranteed
	14	for ARPHRD_ETHER devices.
	15
	16	A similar issue was fixed recently in commit da71577545a5
	17	("rtnetlink: Disallow FDB configuration for non-Ethernet device")
	18
	19	[1]
	20	BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:143 [inline]
	21	BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
	22	CPU: 0 PID: 6697 Comm: syz-executor310 Not tainted 4.20.0-rc3+ #95
	23	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	24	Call Trace:
	25	__dump_stack lib/dump_stack.c:77 [inline]
	26	dump_stack+0x32d/0x480 lib/dump_stack.c:113
	27	kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
	28	kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
	29	kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
	30	copyout lib/iov_iter.c:143 [inline]
	31	_copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
	32	copy_to_iter include/linux/uio.h:143 [inline]
	33	skb_copy_datagram_iter+0x4e2/0x1070 net/core/datagram.c:431
	34	skb_copy_datagram_msg include/linux/skbuff.h:3316 [inline]
	35	netlink_recvmsg+0x6f9/0x19d0 net/netlink/af_netlink.c:1975
	36	sock_recvmsg_nosec net/socket.c:794 [inline]
	37	sock_recvmsg+0x1d1/0x230 net/socket.c:801
	38	___sys_recvmsg+0x444/0xae0 net/socket.c:2278
	39	__sys_recvmsg net/socket.c:2327 [inline]
	40	__do_sys_recvmsg net/socket.c:2337 [inline]
	41	__se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
	42	__x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
	43	do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
	44	entry_SYSCALL_64_after_hwframe+0x63/0xe7
	45	RIP: 0033:0x441119
	46	Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
	47	RSP: 002b:00007fffc7f008a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
	48	RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441119
	49	RDX: 0000000000000040 RSI: 00000000200005c0 RDI: 0000000000000003
	50	RBP: 00000000006cc018 R08: 0000000000000100 R09: 0000000000000100
	51	R10: 0000000000000100 R11: 0000000000000207 R12: 0000000000402080
	52	R13: 0000000000402110 R14: 0000000000000000 R15: 0000000000000000
	53
	54	Uninit was stored to memory at:
	55	kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
	56	kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
	57	kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
	58	kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
	59	kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
	60	__msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
	61	__nla_put lib/nlattr.c:744 [inline]
	62	nla_put+0x20a/0x2d0 lib/nlattr.c:802
	63	nlmsg_populate_fdb_fill+0x444/0x810 net/core/rtnetlink.c:3466
	64	nlmsg_populate_fdb net/core/rtnetlink.c:3775 [inline]
65	ndo_dflt_fdb_dump+0x73a/0x960 net/core/rtnetlink.c:3807
66	rtnl_fdb_dump+0x1318/0x1cb0 net/core/rtnetlink.c:3979
67	netlink_dump+0xc79/0x1c90 net/netlink/af_netlink.c:2244
68	__netlink_dump_start+0x10c4/0x11d0 net/netlink/af_netlink.c:2352
69	netlink_dump_start include/linux/netlink.h:216 [inline]
70	rtnetlink_rcv_msg+0x141b/0x1540 net/core/rtnetlink.c:4910
71	netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
72	rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
73	netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
74	netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
75	netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
76	sock_sendmsg_nosec net/socket.c:621 [inline]
77	sock_sendmsg net/socket.c:631 [inline]
78	___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
79	__sys_sendmsg net/socket.c:2154 [inline]
80	__do_sys_sendmsg net/socket.c:2163 [inline]
81	__se_sys_sendmsg+0x305/0x460 net/socket.c:2161
82	__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
83	do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
84	entry_SYSCALL_64_after_hwframe+0x63/0xe7
85
86	Uninit was created at:
87	kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
88	kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
89	kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
90	__kmalloc+0x14c/0x4d0 mm/slub.c:3825
91	kmalloc include/linux/slab.h:551 [inline]
92	__hw_addr_create_ex net/core/dev_addr_lists.c:34 [inline]
93	__hw_addr_add_ex net/core/dev_addr_lists.c:80 [inline]
94	__dev_mc_add+0x357/0x8a0 net/core/dev_addr_lists.c:670
95	dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
96	ip_mc_filter_add net/ipv4/igmp.c:1128 [inline]
97	igmp_group_added+0x4d4/0xb80 net/ipv4/igmp.c:1311
98	__ip_mc_inc_group+0xea9/0xf70 net/ipv4/igmp.c:1444
99	ip_mc_inc_group net/ipv4/igmp.c:1453 [inline]
100	ip_mc_up+0x1c3/0x400 net/ipv4/igmp.c:1775
101	inetdev_event+0x1d03/0x1d80 net/ipv4/devinet.c:1522
102	notifier_call_chain kernel/notifier.c:93 [inline]
103	__raw_notifier_call_chain kernel/notifier.c:394 [inline]
104	raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
105	__dev_notify_flags+0x3da/0x860 net/core/dev.c:1733
106	dev_change_flags+0x1ac/0x230 net/core/dev.c:7569
107	do_setlink+0x165f/0x5ea0 net/core/rtnetlink.c:2492
108	rtnl_newlink+0x2ad7/0x35a0 net/core/rtnetlink.c:3111
109	rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
110	netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
111	rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
112	netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
113	netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
114	netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
115	sock_sendmsg_nosec net/socket.c:621 [inline]
116	sock_sendmsg net/socket.c:631 [inline]
117	___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
118	__sys_sendmsg net/socket.c:2154 [inline]
119	__do_sys_sendmsg net/socket.c:2163 [inline]
120	__se_sys_sendmsg+0x305/0x460 net/socket.c:2161
121	__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
122	do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
123	entry_SYSCALL_64_after_hwframe+0x63/0xe7
124
125	Bytes 36-37 of 105 are uninitialized
126	Memory access of size 105 starts at ffff88819686c000
127	Data copied to user address 0000000020000380
128
129	Fixes: d83b06036048 ("net: add fdb generic dump routine")
130	Signed-off-by: Eric Dumazet <edumazet@google.com>
131	Cc: John Fastabend <john.fastabend@gmail.com>
132	Cc: Ido Schimmel <idosch@mellanox.com>
133	Cc: David Ahern <dsahern@gmail.com>
134	Reviewed-by: Ido Schimmel <idosch@mellanox.com>
135	Signed-off-by: David S. Miller <davem@davemloft.net>
136	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
137	---
138	net/core/rtnetlink.c \| 3 +++
139	1 file changed, 3 insertions(+)
140
141	--- a/net/core/rtnetlink.c
142	+++ b/net/core/rtnetlink.c
143	@@ -3186,6 +3186,9 @@ int ndo_dflt_fdb_dump(struct sk_buff *sk
144	{
145	int err;
146
147	+ if (dev->type != ARPHRD_ETHER)
148	+ return -EINVAL;
149	+
150	netif_addr_lock_bh(dev);
151	err = nlmsg_populate_fdb(skb, cb, dev, idx, &dev->uc);
152	if (err)