git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From c88f0e6b06f4092995688211a631bb436125d77b Mon Sep 17 00:00:00 2001
   2 From: Xin Long <lucien.xin@gmail.com>
   3 Date: Sun, 27 Aug 2017 20:25:26 +0800
   4 Subject: scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
   5
   6 From: Xin Long <lucien.xin@gmail.com>
   7
   8 commit c88f0e6b06f4092995688211a631bb436125d77b upstream.
   9
  10 ChunYu found a kernel crash by syzkaller:
  11
  12 [  651.617875] kasan: CONFIG_KASAN_INLINE enabled
  13 [  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
  14 [  651.618731] general protection fault: 0000 [#1] SMP KASAN
  15 [  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
  16 [  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
  17 [  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
  18 [  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
  19 [...]
  20 [  651.627260] Call Trace:
  21 [  651.629156]  skb_release_all+0x4f/0x60
  22 [  651.629450]  consume_skb+0x1a5/0x600
  23 [  651.630705]  netlink_unicast+0x505/0x720
  24 [  651.632345]  netlink_sendmsg+0xab2/0xe70
  25 [  651.633704]  sock_sendmsg+0xcf/0x110
  26 [  651.633942]  ___sys_sendmsg+0x833/0x980
  27 [  651.637117]  __sys_sendmsg+0xf3/0x240
  28 [  651.638820]  SyS_sendmsg+0x32/0x50
  29 [  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2
  30
  31 It's caused by skb_shared_info at the end of sk_buff was overwritten by
  32 ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
  33
  34 During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
  35 ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
  36 new value to skb_shinfo(SKB)->nr_frags by ev->type.
  37
  38 This patch is to fix it by checking nlh->nlmsg_len properly there to
  39 avoid over accessing sk_buff.
  40
  41 Reported-by: ChunYu Wang <chunwang@redhat.com>
  42 Signed-off-by: Xin Long <lucien.xin@gmail.com>
  43 Acked-by: Chris Leech <cleech@redhat.com>
  44 Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
  45 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  46
  47 ---
  48  drivers/scsi/scsi_transport_iscsi.c |    2 +-
  49  1 file changed, 1 insertion(+), 1 deletion(-)
  50
  51 --- a/drivers/scsi/scsi_transport_iscsi.c
  52 +++ b/drivers/scsi/scsi_transport_iscsi.c
  53 @@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
  54                 uint32_t group;
  55
  56                 nlh = nlmsg_hdr(skb);
  57 -               if (nlh->nlmsg_len < sizeof(*nlh) ||
  58 +               if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
  59                     skb->len < nlh->nlmsg_len) {
  60                         break;
  61                 }