From: Sasha Levin Date: Sun, 12 Nov 2023 02:50:17 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.14.330~56 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=72288f4709b00f0952ac4345abdd2dcfd8fdea1c;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/dccp-call-security_inet_conn_request-after-setting-i.patch b/queue-4.14/dccp-call-security_inet_conn_request-after-setting-i.patch new file mode 100644 index 00000000000..7ef510679bf --- /dev/null +++ b/queue-4.14/dccp-call-security_inet_conn_request-after-setting-i.patch @@ -0,0 +1,59 @@ +From 2e5702fceed8d4aa279671af4a5cb103d1f0cd47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:41 -0700 +Subject: dccp: Call security_inet_conn_request() after setting IPv4 addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv4 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after the cited commits. + +This bug was partially fixed by commit 284904aa7946 ("lsm: Relocate +the IPv4 security_inet_conn_request() hooks"). + +This patch fixes the last bug in DCCPv4. + +Fixes: 389fb800ac8b ("netlabel: Label incoming TCP connections correctly in SELinux") +Fixes: 07feee8f812f ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv4.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c +index 892fbd1f650da..5281ac3260f6f 100644 +--- a/net/dccp/ipv4.c ++++ b/net/dccp/ipv4.c +@@ -612,9 +612,6 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + sk_rcv_saddr_set(req_to_sk(req), ip_hdr(skb)->daddr); + sk_daddr_set(req_to_sk(req), ip_hdr(skb)->saddr); +@@ -622,6 +619,9 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) + ireq->ireq_family = AF_INET; + ireq->ir_iif = sk->sk_bound_dev_if; + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + /* + * Step 3: Process LISTEN state + * +-- +2.42.0 + diff --git a/queue-4.14/dccp-tcp-call-security_inet_conn_request-after-setti.patch b/queue-4.14/dccp-tcp-call-security_inet_conn_request-after-setti.patch new file mode 100644 index 00000000000..e9540bc1b6e --- /dev/null +++ b/queue-4.14/dccp-tcp-call-security_inet_conn_request-after-setti.patch @@ -0,0 +1,85 @@ +From c312f5fc808bc4b701c883e512e84ebb030eb2c5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 13:10:42 -0700 +Subject: dccp/tcp: Call security_inet_conn_request() after setting IPv6 + addresses. + +From: Kuniyuki Iwashima + +[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ] + +Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child +sockets") introduced security_inet_conn_request() in some functions +where reqsk is allocated. The hook is added just after the allocation, +so reqsk's IPv6 remote address was not initialised then. + +However, SELinux/Smack started to read it in netlbl_req_setattr() +after commit e1adea927080 ("calipso: Allow request sockets to be +relabelled by the lsm."). + +Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request() +hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was +not supported at that time. Finally, the same issue was introduced again +in IPv6. + +Let's apply the same fix on DCCPv6 and TCPv6. + +Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.") +Signed-off-by: Kuniyuki Iwashima +Acked-by: Paul Moore +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/dccp/ipv6.c | 6 +++--- + net/ipv6/syncookies.c | 7 ++++--- + 2 files changed, 7 insertions(+), 6 deletions(-) + +diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c +index 9b8c6cf0e5eee..72ceefbf23120 100644 +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -349,15 +349,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) + if (dccp_parse_options(sk, dreq, skb)) + goto drop_and_free; + +- if (security_inet_conn_request(sk, skb, req)) +- goto drop_and_free; +- + ireq = inet_rsk(req); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; + ireq->ireq_family = AF_INET6; + ireq->ir_mark = inet_request_mark(sk, skb); + ++ if (security_inet_conn_request(sk, skb, req)) ++ goto drop_and_free; ++ + if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c +index d1bfdb9c2f2da..3a54d3947052e 100644 +--- a/net/ipv6/syncookies.c ++++ b/net/ipv6/syncookies.c +@@ -183,14 +183,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb) + treq = tcp_rsk(req); + treq->tfo_listener = false; + +- if (security_inet_conn_request(sk, skb, req)) +- goto out_free; +- + req->mss = mss; + ireq->ir_rmt_port = th->source; + ireq->ir_num = ntohs(th->dest); + ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr; + ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr; ++ ++ if (security_inet_conn_request(sk, skb, req)) ++ goto out_free; ++ + if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) || + np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo || + np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) { +-- +2.42.0 + diff --git a/queue-4.14/llc-verify-mac-len-before-reading-mac-header.patch b/queue-4.14/llc-verify-mac-len-before-reading-mac-header.patch new file mode 100644 index 00000000000..80ec00bdcd7 --- /dev/null +++ b/queue-4.14/llc-verify-mac-len-before-reading-mac-header.patch @@ -0,0 +1,113 @@ +From 499e49c878d2ee726b62fd58534be3d5ec1220af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Oct 2023 19:42:38 -0400 +Subject: llc: verify mac len before reading mac header + +From: Willem de Bruijn + +[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ] + +LLC reads the mac header with eth_hdr without verifying that the skb +has an Ethernet header. + +Syzbot was able to enter llc_rcv on a tun device. Tun can insert +packets without mac len and with user configurable skb->protocol +(passing a tun_pi header when not configuring IFF_NO_PI). + + BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline] + llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111 + llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218 + __netif_receive_skb_one_core net/core/dev.c:5523 [inline] + __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637 + netif_receive_skb_internal net/core/dev.c:5723 [inline] + netif_receive_skb+0x58/0x660 net/core/dev.c:5782 + tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 + tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002 + +Add a mac_len test before all three eth_hdr(skb) calls under net/llc. + +There are further uses in include/net/llc_pdu.h. All these are +protected by a test skb->protocol == ETH_P_802_2. Which does not +protect against this tun scenario. + +But the mac_len test added in this patch in llc_fixup_skb will +indirectly protect those too. That is called from llc_rcv before any +other LLC code. + +It is tempting to just add a blanket mac_len check in llc_rcv, but +not sure whether that could break valid LLC paths that do not assume +an Ethernet header. 802.2 LLC may be used on top of non-802.3 +protocols in principle. The below referenced commit shows that used +to, on top of Token Ring. + +At least one of the three eth_hdr uses goes back to before the start +of git history. But the one that syzbot exercises is introduced in +this commit. That commit is old enough (2008), that effectively all +stable kernels should receive this. + +Fixes: f83f1768f833 ("[LLC]: skb allocation size for responses") +Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/llc/llc_input.c | 10 ++++++++-- + net/llc/llc_s_ac.c | 3 +++ + net/llc/llc_station.c | 3 +++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/net/llc/llc_input.c b/net/llc/llc_input.c +index d5c6fb41be92e..0e9926c39d1dd 100644 +--- a/net/llc/llc_input.c ++++ b/net/llc/llc_input.c +@@ -127,8 +127,14 @@ static inline int llc_fixup_skb(struct sk_buff *skb) + skb->transport_header += llc_len; + skb_pull(skb, llc_len); + if (skb->protocol == htons(ETH_P_802_2)) { +- __be16 pdulen = eth_hdr(skb)->h_proto; +- s32 data_size = ntohs(pdulen) - llc_len; ++ __be16 pdulen; ++ s32 data_size; ++ ++ if (skb->mac_len < ETH_HLEN) ++ return 0; ++ ++ pdulen = eth_hdr(skb)->h_proto; ++ data_size = ntohs(pdulen) - llc_len; + + if (data_size < 0 || + !pskb_may_pull(skb, data_size)) +diff --git a/net/llc/llc_s_ac.c b/net/llc/llc_s_ac.c +index 9fa3342c7a829..df26557a02448 100644 +--- a/net/llc/llc_s_ac.c ++++ b/net/llc/llc_s_ac.c +@@ -153,6 +153,9 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb) + int rc = 1; + u32 data_size; + ++ if (skb->mac_len < ETH_HLEN) ++ return 1; ++ + llc_pdu_decode_sa(skb, mac_da); + llc_pdu_decode_da(skb, mac_sa); + llc_pdu_decode_ssap(skb, &dsap); +diff --git a/net/llc/llc_station.c b/net/llc/llc_station.c +index c29170e767a8c..64e2c67e16ba3 100644 +--- a/net/llc/llc_station.c ++++ b/net/llc/llc_station.c +@@ -77,6 +77,9 @@ static int llc_station_ac_send_test_r(struct sk_buff *skb) + u32 data_size; + struct sk_buff *nskb; + ++ if (skb->mac_len < ETH_HLEN) ++ goto out; ++ + /* The test request command is type U (llc_len = 3) */ + data_size = ntohs(eth_hdr(skb)->h_proto) - 3; + nskb = llc_alloc_frame(NULL, skb->dev, LLC_PDU_TYPE_U, data_size); +-- +2.42.0 + diff --git a/queue-4.14/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch b/queue-4.14/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch new file mode 100644 index 00000000000..22f20417854 --- /dev/null +++ b/queue-4.14/netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch @@ -0,0 +1,49 @@ +From f5e8ffe856e61c7030fa3d3084a6629caee08175 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Nov 2023 11:56:00 -0800 +Subject: netfilter: xt_recent: fix (increase) ipv6 literal buffer length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ] + +in6_pton() supports 'low-32-bit dot-decimal representation' +(this is useful with DNS64/NAT64 networks for example): + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT + # cat /proc/self/net/xt_recent/DEFAULT + src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829 + +but the provided buffer is too short: + + # echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT + -bash: echo: write error: Invalid argument + +Fixes: 079aa88fe717 ("netfilter: xt_recent: IPv6 support") +Signed-off-by: Maciej Żenczykowski +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/xt_recent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c +index cafbddf844d62..a2462351f9c41 100644 +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -566,7 +566,7 @@ recent_mt_proc_write(struct file *file, const char __user *input, + { + struct recent_table *t = PDE_DATA(file_inode(file)); + struct recent_entry *e; +- char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:5afe:c0de")]; ++ char buf[sizeof("+b335:1d35:1e55:dead:c0de:1715:255.255.255.255")]; + const char *c = buf; + union nf_inet_addr addr = {}; + u_int16_t family; +-- +2.42.0 + diff --git a/queue-4.14/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch b/queue-4.14/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch new file mode 100644 index 00000000000..ce50ddc14d5 --- /dev/null +++ b/queue-4.14/pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch @@ -0,0 +1,51 @@ +From 15b60f2363ff9a1ebc569d6d85d93595821b41fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Oct 2023 10:54:14 -0700 +Subject: pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit e9bc4411548aaa738905d37851a0146c16b3bb21 ] + +The suspend/resume functions currently utilize +clk_disable()/clk_enable() respectively which may be no-ops with certain +clock providers such as SCMI. Fix this to use clk_disable_unprepare() +and clk_prepare_enable() respectively as we should. + +Fixes: 3a9f5957020f ("pwm: Add Broadcom BCM7038 PWM controller support") +Signed-off-by: Florian Fainelli +Acked-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/pwm/pwm-brcmstb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pwm/pwm-brcmstb.c b/drivers/pwm/pwm-brcmstb.c +index 8063cffa1c960..5d7842a62d594 100644 +--- a/drivers/pwm/pwm-brcmstb.c ++++ b/drivers/pwm/pwm-brcmstb.c +@@ -307,7 +307,7 @@ static int brcmstb_pwm_suspend(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_disable(p->clk); ++ clk_disable_unprepare(p->clk); + + return 0; + } +@@ -316,7 +316,7 @@ static int brcmstb_pwm_resume(struct device *dev) + { + struct brcmstb_pwm *p = dev_get_drvdata(dev); + +- clk_enable(p->clk); ++ clk_prepare_enable(p->clk); + + return 0; + } +-- +2.42.0 + diff --git a/queue-4.14/series b/queue-4.14/series index c34682d0253..5131d096e5d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -33,3 +33,10 @@ pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch media-s3c-camif-avoid-inappropriate-kfree.patch media-dvb-usb-v2-af9035-fix-missing-unlock.patch +pwm-brcmstb-utilize-appropriate-clock-apis-in-suspen.patch +llc-verify-mac-len-before-reading-mac-header.patch +tipc-change-nla_policy-for-bearer-related-names-to-n.patch +dccp-call-security_inet_conn_request-after-setting-i.patch +dccp-tcp-call-security_inet_conn_request-after-setti.patch +tg3-power-down-device-only-on-system_power_off.patch +netfilter-xt_recent-fix-increase-ipv6-literal-buffer.patch diff --git a/queue-4.14/tg3-power-down-device-only-on-system_power_off.patch b/queue-4.14/tg3-power-down-device-only-on-system_power_off.patch new file mode 100644 index 00000000000..51c93d8c11f --- /dev/null +++ b/queue-4.14/tg3-power-down-device-only-on-system_power_off.patch @@ -0,0 +1,46 @@ +From 4a41e47be3a21f3f3f1e0ec4a8942d0ba2758c94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Nov 2023 13:50:29 +0200 +Subject: tg3: power down device only on SYSTEM_POWER_OFF + +From: George Shuklin + +[ Upstream commit 9fc3bc7643341dc5be7d269f3d3dbe441d8d7ac3 ] + +Dell R650xs servers hangs on reboot if tg3 driver calls +tg3_power_down. + +This happens only if network adapters (BCM5720 for R650xs) were +initialized using SNP (e.g. by booting ipxe.efi). + +The actual problem is on Dell side, but this fix allows servers +to come back alive after reboot. + +Signed-off-by: George Shuklin +Fixes: 2ca1c94ce0b6 ("tg3: Disable tg3 device on system reboot to avoid triggering AER") +Reviewed-by: Pavan Chebbi +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20231103115029.83273-1-george.shuklin@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/tg3.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/tg3.c b/drivers/net/ethernet/broadcom/tg3.c +index bc046153edee4..fa89d71336c6a 100644 +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -18167,7 +18167,8 @@ static void tg3_shutdown(struct pci_dev *pdev) + if (netif_running(dev)) + dev_close(dev); + +- tg3_power_down(tp); ++ if (system_state == SYSTEM_POWER_OFF) ++ tg3_power_down(tp); + + rtnl_unlock(); + +-- +2.42.0 + diff --git a/queue-4.14/tipc-change-nla_policy-for-bearer-related-names-to-n.patch b/queue-4.14/tipc-change-nla_policy-for-bearer-related-names-to-n.patch new file mode 100644 index 00000000000..3d075367bdd --- /dev/null +++ b/queue-4.14/tipc-change-nla_policy-for-bearer-related-names-to-n.patch @@ -0,0 +1,111 @@ +From 965a93822023ebb372dc680b2f5b0136025f26aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Oct 2023 16:55:40 +0900 +Subject: tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING + +From: Shigeru Yoshida + +[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ] + +syzbot reported the following uninit-value access issue [1]: + +===================================================== +BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] +BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 + strlen lib/string.c:418 [inline] + strstr+0xb8/0x2f0 lib/string.c:756 + tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 + genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] + genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] + genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 + netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 + genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 + netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] + netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 + netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Uninit was created at: + slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 + slab_alloc_node mm/slub.c:3478 [inline] + kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 + kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 + __alloc_skb+0x318/0x740 net/core/skbuff.c:650 + alloc_skb include/linux/skbuff.h:1286 [inline] + netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] + netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 + sock_sendmsg_nosec net/socket.c:730 [inline] + sock_sendmsg net/socket.c:753 [inline] + ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 + ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 + __sys_sendmsg net/socket.c:2624 [inline] + __do_sys_sendmsg net/socket.c:2633 [inline] + __se_sys_sendmsg net/socket.c:2631 [inline] + __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +TIPC bearer-related names including link names must be null-terminated +strings. If a link name which is not null-terminated is passed through +netlink, strstr() and similar functions can cause buffer overrun. This +causes the above issue. + +This patch changes the nla_policy for bearer-related names from NLA_STRING +to NLA_NUL_STRING. This resolves the issue by ensuring that only +null-terminated strings are accepted as bearer-related names. + +syzbot reported similar uninit-value issue related to bearer names [2]. The +root cause of this issue is that a non-null-terminated bearer name was +passed. This patch also resolved this issue. + +Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api") +Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") +Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1] +Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com +Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2] +Signed-off-by: Shigeru Yoshida +Reviewed-by: Jiri Pirko +Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/tipc/netlink.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c +index d4e0bbeee7279..f21d4b9e56c83 100644 +--- a/net/tipc/netlink.c ++++ b/net/tipc/netlink.c +@@ -85,7 +85,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = { + + const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = { + [TIPC_NLA_LINK_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_LINK_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_LINK_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_LINK_NAME }, + [TIPC_NLA_LINK_MTU] = { .type = NLA_U32 }, + [TIPC_NLA_LINK_BROADCAST] = { .type = NLA_FLAG }, +@@ -113,7 +113,7 @@ const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = { + + const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = { + [TIPC_NLA_BEARER_UNSPEC] = { .type = NLA_UNSPEC }, +- [TIPC_NLA_BEARER_NAME] = { .type = NLA_STRING, ++ [TIPC_NLA_BEARER_NAME] = { .type = NLA_NUL_STRING, + .len = TIPC_MAX_BEARER_NAME }, + [TIPC_NLA_BEARER_PROP] = { .type = NLA_NESTED }, + [TIPC_NLA_BEARER_DOMAIN] = { .type = NLA_U32 } +-- +2.42.0 +