From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com, Eric Biggers, "David S. Miller"
Subject: [PATCH 4.16 006/161] net/smc: check for missing nlattrs in SMC_PNETID messages
Date: Thu, 24 May 2018 11:37:11 +0200
Message-Id: <20180524093019.138994906@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093018.331893860@linuxfoundation.org>
References: <20180524093018.331893860@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.16-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers

[ Upstream commit d49baa7e12ee70c0a7b821d088a770c94c02e494 ]

It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:

- Missing SMC_PNETID_NAME => null pointer dereference when comparing names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to smc_ib_device::pattr[-1].

Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.

Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes: 6812baabf24d ("smc: establish pnet table management")
Cc: # v4.11+
Signed-off-by: Eric Biggers
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/smc/smc_pnet.c | 71 +++++++++++++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 31 deletions(-)

--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -245,40 +245,45 @@ out: static int smc_pnet_fill_entry(struct net *net, struct smc_pnetentry *pnetelem, struct nlattr *tb[]) { - char *string, *ibname = NULL; - int rc = 0; + char *string, *ibname; + int rc; memset(pnetelem, 0, sizeof(*pnetelem)); INIT_LIST_HEAD(&pnetelem->list); - if (tb[SMC_PNETID_NAME]) { - string = (char *)nla_data(tb[SMC_PNETID_NAME]); - if (!smc_pnetid_valid(string, pnetelem->pnet_name)) { - rc = -EINVAL; - goto error; - } - } - if (tb[SMC_PNETID_ETHNAME]) { - string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]); - pnetelem->ndev = dev_get_by_name(net, string); - if (!pnetelem->ndev) - return -ENOENT; - } - if (tb[SMC_PNETID_IBNAME]) { - ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]); - ibname = strim(ibname); - pnetelem->smcibdev = smc_pnet_find_ib(ibname); - if (!pnetelem->smcibdev) { - rc = -ENOENT; - goto error; - } - } - if (tb[SMC_PNETID_IBPORT]) { - pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]); - if (pnetelem->ib_port > SMC_MAX_PORTS) { - rc = -EINVAL; - goto error; - } - } + + rc = -EINVAL; + if (!tb[SMC_PNETID_NAME]) + goto error; + string = (char *)nla_data(tb[SMC_PNETID_NAME]); + if (!smc_pnetid_valid(string, pnetelem->pnet_name)) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_ETHNAME]) + goto error; + rc = -ENOENT; + string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]); + pnetelem->ndev = dev_get_by_name(net, string); + if (!pnetelem->ndev) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_IBNAME]) + goto error; + rc = -ENOENT; + ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]); + ibname = strim(ibname); + pnetelem->smcibdev = smc_pnet_find_ib(ibname); + if (!pnetelem->smcibdev) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_IBPORT]) + goto error; + pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]); + if (pnetelem->ib_port < 1 || pnetelem->ib_port > SMC_MAX_PORTS) + goto error; + return 0; error: 
@@ -307,6 +312,8 @@ static int smc_pnet_get(struct sk_buff * void *hdr; int rc; + if (!info->attrs[SMC_PNETID_NAME]) + return -EINVAL; pnetelem = smc_pnet_find_pnetid( (char *)nla_data(info->attrs[SMC_PNETID_NAME])); if (!pnetelem) @@ -359,6 +366,8 @@ static int smc_pnet_add(struct sk_buff * static int smc_pnet_del(struct sk_buff *skb, struct genl_info *info) { + if (!info->attrs[SMC_PNETID_NAME]) + return -EINVAL; return smc_pnet_remove_by_pnetid( (char *)nla_data(info->attrs[SMC_PNETID_NAME])); }
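Review bot: in the smc_pnet_fill_entry hunk, the old `if (!pnetelem->ndev) return -ENOENT;` early return becomes a `goto error` with pnetelem->ndev == NULL, while the later IBNAME/IBPORT failures reach `error:` with the reference from dev_get_by_name() still held; the cleanup under `error:` is outside the shown context, so confirm it calls dev_put() only when ndev is non-NULL (the old IBNAME path already reached the label in both states, so this is a verification point, not a new defect). Style: the `rc = -EINVAL;` / `rc = -ENOENT;` pre-assignments ahead of each lookup are easy to misread; assigning rc inside the failing branch (`if (!pnetelem->ndev) { rc = -ENOENT; goto error; }`) keeps each error code next to its condition and removes the three `rc = -EINVAL;` resets. Also note that nla_data() of SMC_PNETID_NAME and SMC_PNETID_ETHNAME is handed to C-string consumers (smc_pnetid_valid(), dev_get_by_name(), strim()), so NUL termination must be guaranteed by the family's nla_policy, which this patch leaves unchanged; a one-line mention in the commit message would make that dependency explicit for stable backporters.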
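Review bot: the `if (!info->attrs[SMC_PNETID_NAME]) return -EINVAL;` guard added to smc_pnet_get() and smc_pnet_del() is the same check written twice, and smc_pnet_fill_entry now performs it a third time on the add path; a small shared helper, or a family-level pre_doit check that rejects any SMC_PNETID request without SMC_PNETID_NAME, would keep a future handler from omitting it. The guards themselves are correct for the crash the commit message describes: without them `nla_data(info->attrs[SMC_PNETID_NAME])` is evaluated on a NULL attribute and the resulting pointer is passed to smc_pnet_find_pnetid() / smc_pnet_remove_by_pnetid() as a name to compare.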