1 | From 4fcc59f3c74ef9e36629a6f26b3b0c18064a5af7 Mon Sep 17 00:00:00 2001 |
2 | From: Sasha Levin <sashal@kernel.org> | |
3 | Date: Wed, 13 Mar 2024 00:27:19 +0900 | |
4 | Subject: hsr: Fix uninit-value access in hsr_get_node() | |
5 | ||
6 | From: Shigeru Yoshida <syoshida@redhat.com> | |
7 | ||
8 | [ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] | |
9 | ||
10 | KMSAN reported the following uninit-value access issue [1]: | |
11 | ||
12 | ===================================================== | |
13 | BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 | |
14 | hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 | |
15 | fill_frame_info net/hsr/hsr_forward.c:577 [inline] | |
16 | hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 | |
17 | hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 | |
18 | __netdev_start_xmit include/linux/netdevice.h:4940 [inline] | |
19 | netdev_start_xmit include/linux/netdevice.h:4954 [inline] | |
20 | xmit_one net/core/dev.c:3548 [inline] | |
21 | dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 | |
22 | __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 | |
23 | dev_queue_xmit include/linux/netdevice.h:3134 [inline] | |
24 | packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 | |
25 | packet_snd net/packet/af_packet.c:3087 [inline] | |
26 | packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 | |
27 | sock_sendmsg_nosec net/socket.c:730 [inline] | |
28 | __sock_sendmsg net/socket.c:745 [inline] | |
29 | __sys_sendto+0x735/0xa10 net/socket.c:2191 | |
30 | __do_sys_sendto net/socket.c:2203 [inline] | |
31 | __se_sys_sendto net/socket.c:2199 [inline] | |
32 | __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 | |
33 | do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
34 | do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 | |
35 | entry_SYSCALL_64_after_hwframe+0x63/0x6b | |
36 | ||
37 | Uninit was created at: | |
38 | slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 | |
39 | slab_alloc_node mm/slub.c:3478 [inline] | |
40 | kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 | |
41 | kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 | |
42 | __alloc_skb+0x318/0x740 net/core/skbuff.c:651 | |
43 | alloc_skb include/linux/skbuff.h:1286 [inline] | |
44 | alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 | |
45 | sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 | |
46 | packet_alloc_skb net/packet/af_packet.c:2936 [inline] | |
47 | packet_snd net/packet/af_packet.c:3030 [inline] | |
48 | packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 | |
49 | sock_sendmsg_nosec net/socket.c:730 [inline] | |
50 | __sock_sendmsg net/socket.c:745 [inline] | |
51 | __sys_sendto+0x735/0xa10 net/socket.c:2191 | |
52 | __do_sys_sendto net/socket.c:2203 [inline] | |
53 | __se_sys_sendto net/socket.c:2199 [inline] | |
54 | __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 | |
55 | do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
56 | do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 | |
57 | entry_SYSCALL_64_after_hwframe+0x63/0x6b | |
58 | ||
59 | CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 | |
60 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 | |
61 | ===================================================== | |
62 | ||
63 | If the packet type ID field in the Ethernet header is either ETH_P_PRP or | |
64 | ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() | |
65 | reads an invalid value as a sequence number. This causes the above issue. | |
66 | ||
67 | This patch fixes the issue by returning NULL if the Ethernet header is not | |
68 | followed by an HSR tag. | |
69 | ||
70 | Fixes: f266a683a480 ("net/hsr: Better frame dispatch") | |
71 | Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com | |
72 | Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] | |
73 | Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> | |
74 | Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com | |
75 | Signed-off-by: Paolo Abeni <pabeni@redhat.com> | |
76 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
77 | --- | |
78 | net/hsr/hsr_framereg.c | 4 ++++ | |
79 | 1 file changed, 4 insertions(+) | |
80 | ||
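--- a/net/hsr/hsr_framereg.c
+++ b/net/hsr/hsr_framereg.c
@@ -237,6 +237,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db,
 */
 if (ethhdr->h_proto == htons(ETH_P_PRP) ||
 ethhdr->h_proto == htons(ETH_P_HSR)) {
+/* Check if skb contains hsr_ethhdr */
+if (skb->mac_len < sizeof(struct hsr_ethhdr))
+return NULL;
+
 /* Use the existing sequence_nr from the tag as starting point
 * for filtering duplicate frames.
 */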
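Review bot: The added comment on the new guard says what the check does but not why it is needed, and the reason matters here because the frame reaches this code straight from an AF_PACKET sender (see the packet_sendmsg frames in the reported trace), so the bytes after the Ethernet header are attacker-controlled or simply absent. Suggest replacing it with `/* A PRP/HSR ethertype does not guarantee an HSR tag follows; bail out before hsr_get_skb_sequence_nr() reads past the end of the header. */`. Whether skb->mac_len is reliably populated on the transmit path taken by hsr_dev_xmit(), and whether every caller of hsr_get_node() already tolerates a NULL return at this point, is not visible in the hunk and should be confirmed. hsr_get_node() begins before the hunk and continues after it.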
96 | -- | |
97 | 2.43.0 | |