From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 12:25:47 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.172~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e4b7051c8ff68d402d694e3c873add11bddd4ce;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch slip-make-slhc_free-silently-accept-an-error-pointer.patch tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch tipc-handle-the-err-returned-from-cmd-header-function.patch --- diff --git a/queue-4.4/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch b/queue-4.4/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..861ebf2561e --- /dev/null +++ b/queue-4.4/fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch 
@@ -0,0 +1,97 @@ +From 89189557b47b35683a27c80ee78aef18248eefb4 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 25 Apr 2019 22:24:05 -0700 +Subject: fs/proc/proc_sysctl.c: Fix a NULL pointer dereference + +From: YueHaibing + +commit 89189557b47b35683a27c80ee78aef18248eefb4 upstream. + +Syzkaller report this: + + sysctl could not get directory: /net//bridge -12 + kasan: CONFIG_KASAN_INLINE enabled + kasan: GPF could be caused by NULL-ptr deref or user memory access + general protection fault: 0000 [#1] SMP KASAN PTI + CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G C 5.1.0-rc3+ #8 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 + RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline] + RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline] + RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline] + RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459 + Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48 + RSP: 0018:ffff8881bb507778 EFLAGS: 00010206 + RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a + RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568 + RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4 + R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558 + R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + FS: 00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + PKRU: 55555554 + Call Trace: + erase_entry fs/proc/proc_sysctl.c:178 [inline] + erase_header+0xe3/0x160 
fs/proc/proc_sysctl.c:207 + start_unregistering fs/proc/proc_sysctl.c:331 [inline] + drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631 + get_subdir fs/proc/proc_sysctl.c:1022 [inline] + __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335 + br_netfilter_init+0x68/0x1000 [br_netfilter] + do_one_initcall+0xbc/0x47d init/main.c:901 + do_init_module+0x1b5/0x547 kernel/module.c:3456 + load_module+0x6405/0x8c10 kernel/module.c:3804 + __do_sys_finit_module+0x162/0x190 kernel/module.c:3898 + do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle + iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel 
aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter] + Dumping ftrace buffer: + (ftrace buffer empty) + ---[ end trace 68741688d5fbfe85 ]--- + +commit 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer +dereference in put_links") forgot to handle start_unregistering() case, +while header->parent is NULL, it calls erase_header() and as seen in the +above syzkaller call trace, accessing &header->parent->root will trigger +a NULL pointer dereference. + +As that commit explained, there is also no need to call +start_unregistering() if header->parent is NULL. + +Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com +Fixes: 23da9588037e ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links") +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: YueHaibing +Reported-by: Hulk Robot +Reviewed-by: Kees Cook +Cc: Luis Chamberlain +Cc: Alexey Dobriyan +Cc: Al Viro +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/proc_sysctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -1550,9 +1550,11 @@ static void drop_sysctl_table(struct ctl + if (--header->nreg) + return; + +- if (parent) ++ if (parent) { + put_links(header); +- start_unregistering(header); ++ start_unregistering(header); ++ } ++ + if (!--header->count) + kfree_rcu(header, rcu); + diff --git a/queue-4.4/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch b/queue-4.4/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch new file mode 100644 index 00000000000..1ca8bc17e9d --- /dev/null 
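Review bot: the `if (parent) {` block now guards both put_links() and start_unregistering(), which matches the description, but the `if (!--header->count)` / kfree_rcu() path below it still runs for a parentless header; a reviewer should confirm that a header which failed in get_subdir() (the -12 case in the trace) is not on any list at that point, since start_unregistering() is what would normally unlink it. Also confirm in the 4.4 tree that the local `parent` tested here is `header->parent` captured earlier in drop_sysctl_table() and not reassigned, because the commit message argues purely in terms of header->parent. Minor: the extra blank line added after the closing brace (`++` followed by nothing) is whitespace churn that could be dropped in the backport.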
+++ b/queue-4.4/intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch @@ -0,0 +1,34 @@ +From 91d3f8a629849968dc91d6ce54f2d46abf4feb7f Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 1 Mar 2019 10:09:55 +0200 +Subject: intel_th: gth: Fix an off-by-one in output unassigning + +From: Alexander Shishkin + +commit 91d3f8a629849968dc91d6ce54f2d46abf4feb7f upstream. + +Commit 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs") +fixes a NULL dereference for all masters except the last one ("256+"), +which keeps the stale pointer after the output driver had been unassigned. + +Fix the off-by-one. + +Signed-off-by: Alexander Shishkin +Fixes: 9ed3f22223c3 ("intel_th: Don't reference unassigned outputs") +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/gth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -597,7 +597,7 @@ static void intel_th_gth_unassign(struct + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; +- for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ for (master = 0; master <= TH_CONFIGURABLE_MASTERS; master++) + if (gth->master[master] == port) + gth->master[master] = -1; + spin_unlock(>h->gth_lock); diff --git a/queue-4.4/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch b/queue-4.4/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch new file mode 100644 index 00000000000..fe5ff67390e --- /dev/null +++ b/queue-4.4/netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch 
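Review bot: changing the bound from `master < TH_CONFIGURABLE_MASTERS` to `master <= TH_CONFIGURABLE_MASTERS` is only correct if gth->master[] is declared with TH_CONFIGURABLE_MASTERS + 1 entries (the extra "256+" master the commit message refers to); please confirm the array size in the 4.4 drivers/hwtracing/intel_th/gth.c, otherwise the new loop reads one element past the array while gth->gth_lock is held. A named constant for the inclusive count, used in both the assign and unassign walks over master[], would make this off-by-one harder to reintroduce.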
@@ -0,0 +1,34 @@ +From 7caa56f006e9d712b44f27b32520c66420d5cbc6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 15 Apr 2019 00:43:00 +0200 +Subject: netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON + +From: Florian Westphal + +commit 7caa56f006e9d712b44f27b32520c66420d5cbc6 upstream. + +It means userspace gave us a ruleset where there is some other +data after the ebtables target but before the beginning of the next rule. + +Fixes: 81e675c227ec ("netfilter: ebtables: add CONFIG_COMPAT support") +Reported-by: syzbot+659574e7bcc7f7eb4df7@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/ebtables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2046,7 +2046,8 @@ static int ebt_size_mwt(struct compat_eb + if (match_kern) + match_kern->match_size = ret; + +- if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) ++ /* rule should have no remaining data after target */ ++ if (type == EBT_COMPAT_TARGET && size_left) + return -EINVAL; + + match32 = (struct compat_ebt_entry_mwt *) buf; diff --git a/queue-4.4/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch b/queue-4.4/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch new file mode 100644 index 00000000000..277bf5019f5 --- /dev/null +++ b/queue-4.4/nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch 
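Review bot: replacing `WARN_ON(type == EBT_COMPAT_TARGET && size_left)` with a plain `-EINVAL` return is the right outcome, because size_left is derived from a userspace-supplied ruleset (the syzbot reporter hit it) and a WARN there is at best log noise and under panic_on_warn a crash; the new comment `/* rule should have no remaining data after target */` would be more useful if it said that this is user-controlled data, so that nobody re-adds the WARN later. The commit message also begins mid-thought ("It means userspace gave us ..."); the condition it explains (trailing bytes after an EBT_COMPAT_TARGET entry, before the next rule) should be stated first.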
@@ -0,0 +1,43 @@ +From 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 30 Mar 2019 10:21:07 +0900 +Subject: NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family. + +From: Tetsuo Handa + +commit 7c2bd9a39845bfb6d72ddb55ce737650271f6f96 upstream. + +syzbot is reporting uninitialized value at rpc_sockaddr2uaddr() [1]. This +is because syzbot is setting AF_INET6 to "struct sockaddr_in"->sin_family +(which is embedded into user-visible "struct nfs_mount_data" structure) +despite nfs23_validate_mount_data() cannot pass sizeof(struct sockaddr_in6) +bytes of AF_INET6 address to rpc_sockaddr2uaddr(). + +Since "struct nfs_mount_data" structure is user-visible, we can't change +"struct nfs_mount_data" to use "struct sockaddr_storage". Therefore, +assuming that everybody is using AF_INET family when passing address via +"struct nfs_mount_data"->addr, reject if its sin_family is not AF_INET. + +[1] https://syzkaller.appspot.com/bug?id=599993614e7cbbf66bc2656a919ab2a95fb5d75c + +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/super.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2020,7 +2020,8 @@ static int nfs23_validate_mount_data(voi + memcpy(sap, &data->addr, sizeof(data->addr)); + args->nfs_server.addrlen = sizeof(data->addr); + args->nfs_server.port = ntohs(data->addr.sin_port); +- if (!nfs_verify_server_address(sap)) ++ if (sap->sa_family != AF_INET || ++ !nfs_verify_server_address(sap)) + goto out_no_address; + + if (!(data->flags & NFS_MOUNT_TCP)) diff --git a/queue-4.4/series b/queue-4.4/series index 0702e97fc0a..c5f6bcf2998 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
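Review bot: the added `sap->sa_family != AF_INET ||` test is correctly placed before nfs_verify_server_address(), since the copy is only sizeof(data->addr) bytes (a sockaddr_in) and anything that later sizes the address by sa_family would read past that for AF_INET6; note however that the check rejects every family other than AF_INET, not just AF_INET6 as the Subject line says, and the commit message should state that broader rule explicitly because it is a deliberate ABI decision for the legacy struct nfs_mount_data path. A short comment above the condition explaining why the family must be AF_INET here would save the next reader from reopening the syzbot link.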
@@ -62,3 +62,11 @@ powerpc-fsl-flush-the-branch-predictor-at-each-kernel-entry-64bit.patch powerpc-fsl-update-spectre-v2-reporting.patch powerpc-security-fix-spectre_v2-reporting.patch powerpc-fsl-fix-the-flush-of-branch-predictor.patch +tipc-handle-the-err-returned-from-cmd-header-function.patch +slip-make-slhc_free-silently-accept-an-error-pointer.patch +intel_th-gth-fix-an-off-by-one-in-output-unassigning.patch +fs-proc-proc_sysctl.c-fix-a-null-pointer-dereference.patch +nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch +netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch +tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch +tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch diff --git a/queue-4.4/slip-make-slhc_free-silently-accept-an-error-pointer.patch b/queue-4.4/slip-make-slhc_free-silently-accept-an-error-pointer.patch new file mode 100644 index 00000000000..c52a7c0a0bc --- /dev/null +++ b/queue-4.4/slip-make-slhc_free-silently-accept-an-error-pointer.patch 
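Review bot: three of the new series entries touch net/tipc/netlink_compat.c and are queued as handle-the-err (hunk at line 262), bearer-enable (388) and link-set (738); the first one adds six lines above the other two hunks, so those later patches will apply with an offset, which quilt tolerates but is worth a refresh so the stored hunks match what actually applies.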
@@ -0,0 +1,48 @@ +From baf76f0c58aec435a3a864075b8f6d8ee5d1f17e Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 25 Apr 2019 16:13:58 -0700 +Subject: slip: make slhc_free() silently accept an error pointer + +From: Linus Torvalds + +commit baf76f0c58aec435a3a864075b8f6d8ee5d1f17e upstream. + +This way, slhc_free() accepts what slhc_init() returns, whether that is +an error or not. + +In particular, the pattern in sl_alloc_bufs() is + + slcomp = slhc_init(16, 16); + ... + slhc_free(slcomp); + +for the error handling path, and rather than complicate that code, just +make it ok to always free what was returned by the init function. + +That's what the code used to do before commit 4ab42d78e37a ("ppp, slip: +Validate VJ compression slot parameters completely") when slhc_init() +just returned NULL for the error case, with no actual indication of the +details of the error. + +Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com +Fixes: 4ab42d78e37a ("ppp, slip: Validate VJ compression slot parameters completely") +Acked-by: Ben Hutchings +Cc: David Miller +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/slip/slhc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/slip/slhc.c ++++ b/drivers/net/slip/slhc.c +@@ -153,7 +153,7 @@ out_fail: + void + slhc_free(struct slcompress *comp) + { +- if ( comp == NULLSLCOMPR ) ++ if ( IS_ERR_OR_NULL(comp) ) + return; + + if ( comp->tstate != NULLSLSTATE ) diff --git a/queue-4.4/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch b/queue-4.4/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch new file mode 100644 index 00000000000..e5ee10dc327 --- /dev/null +++ b/queue-4.4/tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch 
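Review bot: IS_ERR_OR_NULL() comes from linux/err.h and the hunk adds no include, so confirm drivers/net/slip/slhc.c in 4.4 already pulls it in (directly or via slab.h), otherwise the backport will not build. Making slhc_free() absorb an error pointer only covers the teardown side; the caller in sl_alloc_bufs() still has to treat an IS_ERR() result from slhc_init() as failure rather than storing it, so please check that the 4.4 caller does. The spaces inside `( IS_ERR_OR_NULL(comp) )` match the file's existing `( comp == NULLSLCOMPR )` style, so that is consistent.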
@@ -0,0 +1,69 @@ +From 6f07e5f06c8712acc423485f657799fc8e11e56c Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 31 Mar 2019 22:50:08 +0800 +Subject: tipc: check bearer name with right length in tipc_nl_compat_bearer_enable + +From: Xin Long + +commit 6f07e5f06c8712acc423485f657799fc8e11e56c upstream. + +Syzbot reported the following crash: + +BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961 + memchr+0xce/0x110 lib/string.c:961 + string_is_valid net/tipc/netlink_compat.c:176 [inline] + tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401 + __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline] + tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354 + tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline] + tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265 + genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] + genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626 + netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + +Uninit was created at: + __alloc_skb+0x309/0xa20 net/core/skbuff.c:208 + alloc_skb include/linux/skbuff.h:1012 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] + netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + +It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME, +it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which +also includes priority and disc_domain length. + +This patch is to fix it by checking it with a right length: +'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'. 
+ +Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -388,7 +388,12 @@ static int tipc_nl_compat_bearer_enable( + if (!bearer) + return -EMSGSIZE; + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_bearer_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_BEARER_NAME); + if (!string_is_valid(b->name, len)) + return -EINVAL; + diff --git a/queue-4.4/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch b/queue-4.4/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch new file mode 100644 index 00000000000..b1db69de5f1 --- /dev/null +++ b/queue-4.4/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch 
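Review bot: subtracting `offsetof(struct tipc_bearer_config, name)` from TLV_GET_DATA_LEN(msg->req) and rejecting `len <= 0` is the right bound, because string_is_valid(b->name, len) then never reads beyond the TLV data even when the name field is partly or wholly missing; an inline comment saying that priority and disc_domain precede name in the struct (the reason for the subtraction, per the commit message) would make the arithmetic self-explanatory. The same five lines are repeated verbatim in tipc_nl_compat_link_set in the following patch; a small helper that takes the name offset and the maximum name length would remove the duplication and make it harder for a third caller to get the length wrong again.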
@@ -0,0 +1,41 @@ +From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 31 Mar 2019 22:50:09 +0800 +Subject: tipc: check link name with right length in tipc_nl_compat_link_set + +From: Xin Long + +commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream. + +A similar issue as fixed by Patch "tipc: check bearer name with right +length in tipc_nl_compat_bearer_enable" was also found by syzbot in +tipc_nl_compat_link_set(). + +The length to check with should be 'TLV_GET_DATA_LEN(msg->req) - +offsetof(struct tipc_link_config, name)'. + +Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -738,7 +738,12 @@ static int tipc_nl_compat_link_set(struc + + lc = (struct tipc_link_config *)TLV_DATA(msg->req); + +- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); ++ len = TLV_GET_DATA_LEN(msg->req); ++ len -= offsetof(struct tipc_link_config, name); ++ if (len <= 0) ++ return -EINVAL; ++ ++ len = min_t(int, len, TIPC_MAX_LINK_NAME); + if (!string_is_valid(lc->name, len)) + return -EINVAL; + diff --git a/queue-4.4/tipc-handle-the-err-returned-from-cmd-header-function.patch b/queue-4.4/tipc-handle-the-err-returned-from-cmd-header-function.patch new file mode 100644 index 00000000000..3b307b2a1b3 --- /dev/null +++ b/queue-4.4/tipc-handle-the-err-returned-from-cmd-header-function.patch 
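Review bot: `lc` is computed from TLV_DATA(msg->req) before the length is validated but is only dereferenced after the `len <= 0` check, so the ordering is fine; note that this check only bounds the read of lc->name, so any other field of struct tipc_link_config this function reads later needs its own TLV length check, which should be confirmed in the 4.4 tree. As with the bearer_enable patch, the duplicated length computation would be better as a shared helper.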
@@ -0,0 +1,77 @@ +From 2ac695d1d602ce00b12170242f58c3d3a8e36d04 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Sun, 31 Mar 2019 22:50:10 +0800 +Subject: tipc: handle the err returned from cmd header function + +From: Xin Long + +commit 2ac695d1d602ce00b12170242f58c3d3a8e36d04 upstream. + +Syzbot found a crash: + + BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872 + Call Trace: + tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872 + __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215 + tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280 + tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline] + tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265 + genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] + genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626 + netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477 + genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 + netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] + netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336 + netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + + Uninit was created at: + __alloc_skb+0x309/0xa20 net/core/skbuff.c:208 + alloc_skb include/linux/skbuff.h:1012 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] + netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892 + sock_sendmsg_nosec net/socket.c:622 [inline] + sock_sendmsg net/socket.c:632 [inline] + +It was supposed to be fixed on commit 974cb0e3e7c9 ("tipc: fix uninit-value +in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req) +in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called +ahead of tipc_nl_compat_name_table_dump(). + +However, tipc_nl_compat_dumpit() doesn't handle the error returned from cmd +header function. 
It means even when the check added in that fix fails, it +won't stop calling tipc_nl_compat_name_table_dump(), and the issue will be +triggered again. + +So this patch is to add the process for the err returned from cmd header +function in tipc_nl_compat_dumpit(). + +Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/tipc/netlink_compat.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/net/tipc/netlink_compat.c ++++ b/net/tipc/netlink_compat.c +@@ -262,8 +262,14 @@ static int tipc_nl_compat_dumpit(struct + if (msg->rep_type) + tipc_tlv_init(msg->rep, msg->rep_type); + +- if (cmd->header) +- (*cmd->header)(msg); ++ if (cmd->header) { ++ err = (*cmd->header)(msg); ++ if (err) { ++ kfree_skb(msg->rep); ++ msg->rep = NULL; ++ return err; ++ } ++ } + + arg = nlmsg_new(0, GFP_KERNEL); + if (!arg) {
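Review bot: the new `err = (*cmd->header)(msg);` relies on `err` already being declared in tipc_nl_compat_dumpit() (the diffstat shows only these 8 added lines, no declaration), so confirm that in 4.4 or the backport will not compile. Freeing msg->rep and setting it to NULL before returning is correct because the reply skb was already allocated when tipc_tlv_init() ran on it above; the `if (!arg) {` path immediately below should release msg->rep in the same way, and the header-failure path should ideally share that cleanup rather than open-coding it, so the two error exits cannot drift apart.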