From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com, Eric Biggers, "David S. Miller"
Subject: [PATCH 4.14 005/165] net/smc: check for missing nlattrs in SMC_PNETID messages
Date: Thu, 24 May 2018 11:36:51 +0200
Message-Id: <20180524093622.192569496@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093621.979359379@linuxfoundation.org>
References: <20180524093621.979359379@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers

[ Upstream commit d49baa7e12ee70c0a7b821d088a770c94c02e494 ]

It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:

- Missing SMC_PNETID_NAME => null pointer dereference when comparing names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to smc_ib_device::pattr[-1].

Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.

Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes: 6812baabf24d ("smc: establish pnet table management")
Cc: # v4.11+
Signed-off-by: Eric Biggers
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/smc/smc_pnet.c | 71 +++++++++++++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 31 deletions(-)

--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -245,40 +245,45 @@ out: static int smc_pnet_fill_entry(struct net *net, struct smc_pnetentry *pnetelem, struct nlattr *tb[]) { - char *string, *ibname = NULL; - int rc = 0; + char *string, *ibname; + int rc; memset(pnetelem, 0, sizeof(*pnetelem)); INIT_LIST_HEAD(&pnetelem->list); - if (tb[SMC_PNETID_NAME]) { - string = (char *)nla_data(tb[SMC_PNETID_NAME]); - if (!smc_pnetid_valid(string, pnetelem->pnet_name)) { - rc = -EINVAL; - goto error; - } - } - if (tb[SMC_PNETID_ETHNAME]) { - string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]); - pnetelem->ndev = dev_get_by_name(net, string); - if (!pnetelem->ndev) - return -ENOENT; - } - if (tb[SMC_PNETID_IBNAME]) { - ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]); - ibname = strim(ibname); - pnetelem->smcibdev = smc_pnet_find_ib(ibname); - if (!pnetelem->smcibdev) { - rc = -ENOENT; - goto error; - } - } - if (tb[SMC_PNETID_IBPORT]) { - pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]); - if (pnetelem->ib_port > SMC_MAX_PORTS) { - rc = -EINVAL; - goto error; - } - } + + rc = -EINVAL; + if (!tb[SMC_PNETID_NAME]) + goto error; + string = (char *)nla_data(tb[SMC_PNETID_NAME]); + if (!smc_pnetid_valid(string, pnetelem->pnet_name)) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_ETHNAME]) + goto error; + rc = -ENOENT; + string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]); + pnetelem->ndev = dev_get_by_name(net, string); + if (!pnetelem->ndev) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_IBNAME]) + goto error; + rc = -ENOENT; + ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]); + ibname = strim(ibname); + pnetelem->smcibdev = smc_pnet_find_ib(ibname); + if (!pnetelem->smcibdev) + goto error; + + rc = -EINVAL; + if (!tb[SMC_PNETID_IBPORT]) + goto error; + pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]); + if (pnetelem->ib_port < 1 || pnetelem->ib_port > SMC_MAX_PORTS) + goto error; + return 0; error: 
@@ -307,6 +312,8 @@ static int smc_pnet_get(struct sk_buff * void *hdr; int rc; + if (!info->attrs[SMC_PNETID_NAME]) + return -EINVAL; pnetelem = smc_pnet_find_pnetid( (char *)nla_data(info->attrs[SMC_PNETID_NAME])); if (!pnetelem) @@ -359,6 +366,8 @@ static int smc_pnet_add(struct sk_buff * static int smc_pnet_del(struct sk_buff *skb, struct genl_info *info) { + if (!info->attrs[SMC_PNETID_NAME]) + return -EINVAL; return smc_pnet_remove_by_pnetid( (char *)nla_data(info->attrs[SMC_PNETID_NAME])); }
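Review bot: in the smc_pnet_fill_entry hunk (@@ -245,40 +245,45 @@), a failed dev_get_by_name() now takes `goto error` instead of the old `return -ENOENT`, so the cleanup behind the `error:` label, which is outside this hunk, must tolerate pnetelem->ndev being NULL and an entry that is only partially filled; please confirm it does. The second `rc = -EINVAL;` (just before the ETHNAME presence check) is redundant, since rc is still -EINVAL from the NAME block; it is harmless and keeps each block self-contained, but a short comment saying the repetition is deliberate would stop a later cleanup from removing the assignments that are not redundant. The new lower bound `pnetelem->ib_port < 1` is the part that closes the pattr[-1] access named in the commit message: nla_get_u8() cannot yield a negative value, so 0 was the only out-of-range port the old `> SMC_MAX_PORTS` check let through.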
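Review bot: in the smc_pnet_get hunk (@@ -307,6 +312,8 @@), the added NULL check removes the dereference, but the attribute payload is still passed to smc_pnet_find_pnetid() straight from nla_data() as a `char *` with no visible length or termination check; that is only safe if the family's nla_policy for SMC_PNETID_NAME enforces a NUL-terminated string of bounded length, which this patch does not show and the commit message could mention.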
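Review bot: the smc_pnet_del hunk (@@ -359,6 +366,8 @@) repeats the exact two-line guard just added to smc_pnet_get; a small shared helper that returns the name attribute or -EINVAL would keep the two call sites in sync and make it obvious that any future handler in this family that takes SMC_PNETID_NAME needs the same check.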