From: Greg Kroah-Hartman
Date: Wed, 11 Sep 2019 09:23:10 +0000 (+0100)
Subject: 5.2-stable patches
X-Git-Tag: v4.4.193~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a29c8c5a7034c6b187592d939f461fca5ed69a93;p=thirdparty%2Fkernel%2Fstable-queue.git
5.2-stable patches
added patches:
batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
---
diff --git a/queue-5.2/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch b/queue-5.2/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
new file mode 100644
index 00000000000..74ed2c06608
--- /dev/null
+++ b/queue-5.2/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
@@ -0,0 +1,65 @@
+From 3ee1bb7aae97324ec9078da1f00cb2176919563f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 12 Aug 2019 04:57:27 -0700
+Subject: batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
+
+From: Eric Dumazet
+
+commit 3ee1bb7aae97324ec9078da1f00cb2176919563f upstream.
+
+batadv_netlink_get_ifindex() needs to make sure user passed
+a correct u32 attribute.
+
+syzbot reported :
+BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+ genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
+ netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
+ __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
+ genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
+ genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:661 [inline]
+ ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
+ __sys_sendmsg net/socket.c:2298 [inline]
+ __do_sys_sendmsg net/socket.c:2307 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440209
+
+Fixes: b60620cf567b 
("batman-adv: netlink: hardif query")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -164,7 +164,7 @@ batadv_netlink_get_ifindex(const struct
+ {
+ struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
+ 
+- return attr ? nla_get_u32(attr) : 0;
++ return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
+ }
+ 
+ /**
diff --git a/queue-5.2/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch b/queue-5.2/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
new file mode 100644
index 00000000000..9c53e792e10
--- /dev/null
+++ b/queue-5.2/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
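Review bot: The new condition in batadv_netlink_get_ifindex() folds a wrong-length attribute into the same `0` result as a missing one, so callers now see a malformed `attrtype` payload as "not supplied", and nothing in the hunk records that; the function's signature and kerneldoc sit above the hunk, so its Return: line is where this belongs. I would add `/* a wrong-sized attribute is treated like an absent one; 0 is never a valid ifindex */` above the return. The `== sizeof(u32)` comparison is stricter than nla_get_u32() alone needs, but it is the right choice for user-supplied netlink input: it rejects both the short payload behind the KMSAN report and an over-long one.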
@@ -0,0 +1,81 @@
+From a15d56a60760aa9dbe26343b9a0ac5228f35d445 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: batman-adv: Only read OGM tvlv_len after buffer len check
+
+From: Sven Eckelmann
+
+commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream.
+
+Multiple batadv_ogm_packet can be stored in an skbuff. The functions
+batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
+batadv_iv_ogm_aggr_packet() to check if there is another additional
+batadv_ogm_packet in the skb or not before they continue processing the
+packet.
+
+The length for such an OGM is BATADV_OGM_HLEN +
+batadv_ogm_packet->tvlv_len. The check must first check that at least
+BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann
+Acked-by: Antonio Quartulli
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/bat_iv_ogm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -277,17 +277,23 @@ static u8 batadv_hop_penalty(u8 tq, cons
+ * batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm_packet: potential OGM in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm_packet *ogm_packet)
+ {
+ int next_buff_pos = 0;
+ 
+- next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+ 
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -315,7 +321,7 @@ static void batadv_iv_ogm_send_to_if(str
+ 
+ /* adjust all flags and log packets */
+ while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
+- batadv_ogm_packet->tvlv_len)) {
++ batadv_ogm_packet)) {
+ /* we might have aggregated direct link packets with an
+ * ordinary base packet
+ */
+@@ -1704,7 +1710,7 @@ static int batadv_iv_ogm_receive(struct
+ 
+ /* unpack the aggregated packets and process them one by one */
+ while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
+ 
+ ogm_offset += BATADV_OGM_HLEN;
diff --git a/queue-5.2/series b/queue-5.2/series
index 8c472b8c0f7..f58fa7ef9ac 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -13,3 +13,5 @@ vhost-test-fix-build-for-vhost-test-again.patch
 powerpc-64e-drop-stale-call-to-smp_processor_id-which-hangs-smp-startup.patch
 powerpc-tm-fix-fp-vmx-unavailable-exceptions-inside-a-transaction.patch
 powerpc-tm-fix-restoring-fp-vmx-facility-incorrectly-on-interrupts.patch
+batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
+batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
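Review bot: batadv_iv_ogm_aggr_packet() now range-checks `buff_pos` against `packet_len` but reads `tvlv_len` through the separate `ogm_packet` pointer, so the new header guard is only sound while the caller keeps that pointer at the bytes located at `buff_pos`; both call sites in the hunk appear to advance the two together, but the new `@ogm_packet` kerneldoc line does not state that contract. I would extend it to ` * @ogm_packet: potential OGM in buffer; must point at the data at @buff_pos, since only @buff_pos is bounds-checked before ogm_packet->tvlv_len is read`. A smaller point of style: the header size is spelled `sizeof(*ogm_packet)` in the check while the receive loop at the end of the hunk still advances by `BATADV_OGM_HLEN`; if those are the same quantity, using one spelling keeps the bound and the advance visibly in step. The function's closing brace and both while-loop bodies continue outside the hunk.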