projects / thirdparty / kernel / stable-queue.git / blame
| Commit | Line | Data |
|---|---|---|
| 2c361871 SL |
1 | From 4fcc59f3c74ef9e36629a6f26b3b0c18064a5af7 Mon Sep 17 00:00:00 2001 |
| 2 | From: Sasha Levin <sashal@kernel.org> | |
| 3 | Date: Wed, 13 Mar 2024 00:27:19 +0900 | |
| 4 | Subject: hsr: Fix uninit-value access in hsr_get_node() | |
| 5 | ||
| 6 | From: Shigeru Yoshida <syoshida@redhat.com> | |
| 7 | ||
| 8 | [ Upstream commit ddbec99f58571301679addbc022256970ca3eac6 ] | |
| 9 | ||
| 10 | KMSAN reported the following uninit-value access issue [1]: | |
| 11 | ||
| 12 | ===================================================== | |
| 13 | BUG: KMSAN: uninit-value in hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 | |
| 14 | hsr_get_node+0xa2e/0xa40 net/hsr/hsr_framereg.c:246 | |
| 15 | fill_frame_info net/hsr/hsr_forward.c:577 [inline] | |
| 16 | hsr_forward_skb+0xe12/0x30e0 net/hsr/hsr_forward.c:615 | |
| 17 | hsr_dev_xmit+0x1a1/0x270 net/hsr/hsr_device.c:223 | |
| 18 | __netdev_start_xmit include/linux/netdevice.h:4940 [inline] | |
| 19 | netdev_start_xmit include/linux/netdevice.h:4954 [inline] | |
| 20 | xmit_one net/core/dev.c:3548 [inline] | |
| 21 | dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564 | |
| 22 | __dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349 | |
| 23 | dev_queue_xmit include/linux/netdevice.h:3134 [inline] | |
| 24 | packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276 | |
| 25 | packet_snd net/packet/af_packet.c:3087 [inline] | |
| 26 | packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119 | |
| 27 | sock_sendmsg_nosec net/socket.c:730 [inline] | |
| 28 | __sock_sendmsg net/socket.c:745 [inline] | |
| 29 | __sys_sendto+0x735/0xa10 net/socket.c:2191 | |
| 30 | __do_sys_sendto net/socket.c:2203 [inline] | |
| 31 | __se_sys_sendto net/socket.c:2199 [inline] | |
| 32 | __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 | |
| 33 | do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
| 34 | do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 | |
| 35 | entry_SYSCALL_64_after_hwframe+0x63/0x6b | |
| 36 | ||
| 37 | Uninit was created at: | |
| 38 | slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768 | |
| 39 | slab_alloc_node mm/slub.c:3478 [inline] | |
| 40 | kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523 | |
| 41 | kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560 | |
| 42 | __alloc_skb+0x318/0x740 net/core/skbuff.c:651 | |
| 43 | alloc_skb include/linux/skbuff.h:1286 [inline] | |
| 44 | alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334 | |
| 45 | sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787 | |
| 46 | packet_alloc_skb net/packet/af_packet.c:2936 [inline] | |
| 47 | packet_snd net/packet/af_packet.c:3030 [inline] | |
| 48 | packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119 | |
| 49 | sock_sendmsg_nosec net/socket.c:730 [inline] | |
| 50 | __sock_sendmsg net/socket.c:745 [inline] | |
| 51 | __sys_sendto+0x735/0xa10 net/socket.c:2191 | |
| 52 | __do_sys_sendto net/socket.c:2203 [inline] | |
| 53 | __se_sys_sendto net/socket.c:2199 [inline] | |
| 54 | __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199 | |
| 55 | do_syscall_x64 arch/x86/entry/common.c:52 [inline] | |
| 56 | do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83 | |
| 57 | entry_SYSCALL_64_after_hwframe+0x63/0x6b | |
| 58 | ||
| 59 | CPU: 1 PID: 5033 Comm: syz-executor334 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0 | |
| 60 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023 | |
| 61 | ===================================================== | |
| 62 | ||
| 63 | If the packet type ID field in the Ethernet header is either ETH_P_PRP or | |
| 64 | ETH_P_HSR, but it is not followed by an HSR tag, hsr_get_skb_sequence_nr() | |
| 65 | reads an invalid value as a sequence number. This causes the above issue. | |
| 66 | ||
| 67 | This patch fixes the issue by returning NULL if the Ethernet header is not | |
| 68 | followed by an HSR tag. | |
| 69 | ||
| 70 | Fixes: f266a683a480 ("net/hsr: Better frame dispatch") | |
| 71 | Reported-and-tested-by: syzbot+2ef3a8ce8e91b5a50098@syzkaller.appspotmail.com | |
| 72 | Closes: https://syzkaller.appspot.com/bug?extid=2ef3a8ce8e91b5a50098 [1] | |
| 73 | Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> | |
| 74 | Link: https://lore.kernel.org/r/20240312152719.724530-1-syoshida@redhat.com | |
| 75 | Signed-off-by: Paolo Abeni <pabeni@redhat.com> | |
| 76 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
| 77 | --- | |
| 78 | net/hsr/hsr_framereg.c | 4 ++++ | |
| 79 | 1 file changed, 4 insertions(+) | |
| 80 | ||
| 81 | diff --git a/net/hsr/hsr_framereg.c b/net/hsr/hsr_framereg.c | |
| 82 | index 87fc86aade5c9..fc9fb3e5ae3e2 100644 | |
| 83 | --- a/net/hsr/hsr_framereg.c | |
| 84 | +++ b/net/hsr/hsr_framereg.c | |
| 85 | @@ -237,6 +237,10 @@ struct hsr_node *hsr_get_node(struct hsr_port *port, struct list_head *node_db, | |
| 86 | */ | |
| 87 | if (ethhdr->h_proto == htons(ETH_P_PRP) || | |
| 88 | ethhdr->h_proto == htons(ETH_P_HSR)) { | |
| 89 | + /* Check if skb contains hsr_ethhdr */ | |
| 90 | + if (skb->mac_len < sizeof(struct hsr_ethhdr)) | |
| 91 | + return NULL; | |
| 92 | + | |
| 93 | /* Use the existing sequence_nr from the tag as starting point | |
| 94 | * for filtering duplicate frames. | |
| 95 | */ | |
| 96 | -- | |
| 97 | 2.43.0 | |
| 98 |