From fe61e537ebe63ed1395e11b817fe995a232d21b9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 11 Sep 2019 10:22:32 +0100
Subject: [PATCH] 4.14-stable patches added patches: batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch vhost-test-fix-build-for-vhost-test.patch
---
 ...-value-in-batadv_netlink_get_ifindex.patch | 65 +++++++++++++++
 ...-ogm-tvlv_len-after-buffer-len-check.patch | 81 +++++++++++++++++++
 queue-4.14/series | 3 +
 .../vhost-test-fix-build-for-vhost-test.patch | 62 ++++++++++++++
 4 files changed, 211 insertions(+)
 create mode 100644 queue-4.14/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
 create mode 100644 queue-4.14/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
 create mode 100644 queue-4.14/vhost-test-fix-build-for-vhost-test.patch
diff --git a/queue-4.14/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch b/queue-4.14/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
new file mode 100644
index 00000000000..4d80222eea3
--- /dev/null
+++ b/queue-4.14/batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
@@ -0,0 +1,65 @@
+From 3ee1bb7aae97324ec9078da1f00cb2176919563f Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Mon, 12 Aug 2019 04:57:27 -0700
+Subject: batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
+
+From: Eric Dumazet
+
+commit 3ee1bb7aae97324ec9078da1f00cb2176919563f upstream.
+
+batadv_netlink_get_ifindex() needs to make sure user passed
+a correct u32 attribute.
+
+syzbot reported :
+BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x191/0x1f0 lib/dump_stack.c:113
+ kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
+ __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
+ batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
+ genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
+ netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
+ __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
+ genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
+ genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
+ netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
+ sock_sendmsg_nosec net/socket.c:651 [inline]
+ sock_sendmsg net/socket.c:661 [inline]
+ ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
+ __sys_sendmsg net/socket.c:2298 [inline]
+ __do_sys_sendmsg net/socket.c:2307 [inline]
+ __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x440209
+
+Fixes: b60620cf567b
("batman-adv: netlink: hardif query")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/netlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/netlink.c
++++ b/net/batman-adv/netlink.c
+@@ -110,7 +110,7 @@ batadv_netlink_get_ifindex(const struct
+ {
+ struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
+
+- return attr ? nla_get_u32(attr) : 0;
++ return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
+ }
+
+ /**
diff --git a/queue-4.14/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch b/queue-4.14/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
new file mode 100644
index 00000000000..ca7f1329b5a
--- /dev/null
+++ b/queue-4.14/batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
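Review bot: A wrong-sized attribute and a missing attribute both collapse to 0 in the new return expression, so a caller cannot tell a malformed request from one that simply omitted the attribute; the length check is the right fix for the reported uninitialised read, but the fact that 0 now also means "rejected" belongs in the function's kernel-doc, which starts above the hunk, e.g. `Return: interface index, or 0 if the attribute is absent or not exactly sizeof(u32) bytes`. The manual size check is presumably needed because this helper is reached from the dump path, where the generic netlink policy is not applied to the request attributes in this tree — worth confirming and recording in a one-line comment above the return, `/* not policy-validated on the dump path: check the length before nla_get_u32() */`. batadv_netlink_get_ifindex starts outside the hunk.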
@@ -0,0 +1,81 @@
+From a15d56a60760aa9dbe26343b9a0ac5228f35d445 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 22 Aug 2019 08:55:36 +0200
+Subject: batman-adv: Only read OGM tvlv_len after buffer len check
+
+From: Sven Eckelmann
+
+commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream.
+
+Multiple batadv_ogm_packet can be stored in an skbuff. The functions
+batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
+batadv_iv_ogm_aggr_packet() to check if there is another additional
+batadv_ogm_packet in the skb or not before they continue processing the
+packet.
+
+The length for such an OGM is BATADV_OGM_HLEN +
+batadv_ogm_packet->tvlv_len. The check must first check that at least
+BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
+part of the header. Otherwise it might try read outside of the currently
+available skbuff to get the content of tvlv_len.
+
+Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
+Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
+Signed-off-by: Sven Eckelmann
+Acked-by: Antonio Quartulli
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/bat_iv_ogm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+--- a/net/batman-adv/bat_iv_ogm.c
++++ b/net/batman-adv/bat_iv_ogm.c
+@@ -450,17 +450,23 @@ static u8 batadv_hop_penalty(u8 tq, cons
+ * batadv_iv_ogm_aggr_packet - checks if there is another OGM attached
+ * @buff_pos: current position in the skb
+ * @packet_len: total length of the skb
+- * @tvlv_len: tvlv length of the previously considered OGM
++ * @ogm_packet: potential OGM in buffer
+ *
+ * Return: true if there is enough space for another OGM, false otherwise.
+ */
+-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+- __be16 tvlv_len)
++static bool
++batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
++ const struct batadv_ogm_packet *ogm_packet)
+ {
+ int next_buff_pos = 0;
+
+- next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+- next_buff_pos += ntohs(tvlv_len);
++ /* check if there is enough space for the header */
++ next_buff_pos += buff_pos + sizeof(*ogm_packet);
++ if (next_buff_pos > packet_len)
++ return false;
++
++ /* check if there is enough space for the optional TVLV */
++ next_buff_pos += ntohs(ogm_packet->tvlv_len);
+
+ return (next_buff_pos <= packet_len) &&
+ (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
+@@ -488,7 +494,7 @@ static void batadv_iv_ogm_send_to_if(str
+
+ /* adjust all flags and log packets */
+ while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
+- batadv_ogm_packet->tvlv_len)) {
++ batadv_ogm_packet)) {
+ /* we might have aggregated direct link packets with an
+ * ordinary base packet
+ */
+@@ -1838,7 +1844,7 @@ static int batadv_iv_ogm_receive(struct
+
+ /* unpack the aggregated packets and process them one by one */
+ while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
+- ogm_packet->tvlv_len)) {
++ ogm_packet)) {
+ batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
+
+ ogm_offset += BATADV_OGM_HLEN;
diff --git a/queue-4.14/series b/queue-4.14/series
index 81098b89983..878924c2d55 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -8,3 +8,6 @@ xfrm-clean-up-xfrm-protocol-checks.patch
 ip6-fix-skb-leak-in-ip6frag_expire_frag_queue.patch
 pci-designware-ep-fix-find_first_zero_bit-usage.patch
 pci-dra7xx-fix-legacy-intd-irq-handling.patch
+vhost-test-fix-build-for-vhost-test.patch
+batman-adv-fix-uninit-value-in-batadv_netlink_get_ifindex.patch
+batman-adv-only-read-ogm-tvlv_len-after-buffer-len-check.patch
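Review bot: The new header-size check spells the header length as `sizeof(*ogm_packet)` while the rest of the walk keeps using `BATADV_OGM_HLEN` (the removed line, and `ogm_offset += BATADV_OGM_HLEN;` at the end of the hunk), so the bound and the stride are now two different expressions for what is presumably the same value — BATADV_OGM_HLEN looks like it is derived from the struct, but confirm in packet.h — and keeping one spelling prevents them drifting apart; I'd write `next_buff_pos += buff_pos + BATADV_OGM_HLEN;` in the header check. The two-step contract is also worth stating in the kernel-doc, since `@ogm_packet: potential OGM in buffer` does not say what may be dereferenced; I'd extend it to `@ogm_packet: potential OGM in buffer; only its header is read, and only once the header is known to fit in @packet_len`. Note that the header check is against @packet_len alone, so the second comparison remains the only guard on BATADV_MAX_AGGREGATION_BYTES; that is safe for the memory read but should be understood when the aggregation limit is reasoned about. batadv_iv_ogm_send_to_if and batadv_iv_ogm_receive both start and end outside their hunks.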
diff --git a/queue-4.14/vhost-test-fix-build-for-vhost-test.patch b/queue-4.14/vhost-test-fix-build-for-vhost-test.patch
new file mode 100644
index 00000000000..4569bc43404
--- /dev/null
+++ b/queue-4.14/vhost-test-fix-build-for-vhost-test.patch
@@ -0,0 +1,62 @@
+From 264b563b8675771834419057cbe076c1a41fb666 Mon Sep 17 00:00:00 2001
+From: Tiwei Bie
+Date: Wed, 28 Aug 2019 13:37:00 +0800
+Subject: vhost/test: fix build for vhost test
+
+From: Tiwei Bie
+
+commit 264b563b8675771834419057cbe076c1a41fb666 upstream.
+
+Since vhost_exceeds_weight() was introduced, callers need to specify
+the packet weight and byte weight in vhost_dev_init(). Note that, the
+packet weight isn't counted in this patch to keep the original behavior
+unchanged.
+
+Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tiwei Bie
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vhost/test.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/vhost/test.c
++++ b/drivers/vhost/test.c
+@@ -23,6 +23,12 @@
+ * Using this limit prevents one virtqueue from starving others. */
+ #define VHOST_TEST_WEIGHT 0x80000
+
++/* Max number of packets transferred before requeueing the job.
++ * Using this limit prevents one virtqueue from starving others with
++ * pkts.
++ */
++#define VHOST_TEST_PKT_WEIGHT 256
++
+ enum {
+ VHOST_TEST_VQ = 0,
+ VHOST_TEST_VQ_MAX = 1,
+@@ -81,10 +87,8 @@ static void handle_vq(struct vhost_test
+ }
+ vhost_add_used_and_signal(&n->dev, vq, head, 0);
+ total_len += len;
+- if (unlikely(total_len >= VHOST_TEST_WEIGHT)) {
+- vhost_poll_queue(&vq->poll);
++ if (unlikely(vhost_exceeds_weight(vq, 0, total_len)))
+ break;
+- }
+ }
+
+ mutex_unlock(&vq->mutex);
+@@ -116,7 +120,8 @@ static int vhost_test_open(struct inode
+ dev = &n->dev;
+ vqs[VHOST_TEST_VQ] = &n->vqs[VHOST_TEST_VQ];
+ n->vqs[VHOST_TEST_VQ].handle_kick = handle_vq_kick;
+- vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX);
++ vhost_dev_init(dev, vqs, VHOST_TEST_VQ_MAX,
++ VHOST_TEST_PKT_WEIGHT, VHOST_TEST_WEIGHT);
+
+ f->private_data = n;
+
-- 
2.47.3
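Review bot: The removed lines called `vhost_poll_queue(&vq->poll)` before leaving the loop, and the replacement `if (unlikely(vhost_exceeds_weight(vq, 0, total_len)))` only breaks, so the requeue now has to come from inside vhost_exceeds_weight(); that matches how the upstream helper behaves as far as I recall, but the 4.14 backport of e82b9b0727ff should be checked for it, because without the requeue the virtqueue would stall once the byte weight is hit instead of yielding to the others. Passing 0 as the packet count also means the `VHOST_TEST_PKT_WEIGHT` handed to vhost_dev_init() can never be exceeded, which the commit message explains but the code does not; I'd record it at the call, `/* pkts = 0: byte weight only, so VHOST_TEST_PKT_WEIGHT is never reached (keeps pre-vhost_exceeds_weight() behaviour) */`. handle_vq and vhost_test_open both start and end outside their hunks.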