Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2004243imm;
        Thu, 24 May 2018 04:21:53 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZrXyjzPsF5m+BPw6Ikcv+ds2hyINxp4tn7x3GI0iqGAWfGES8jVtprOn53u4BHqa3sIbmGB
X-Received: by 2002:a17:902:aa4b:: with SMTP id c11-v6mr6962423plr.17.1527160913620;
        Thu, 24 May 2018 04:21:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527160913; cv=none;
        d=google.com; s=arc-20160816;
        b=qkK8sRkdpeLqx/oBfAOKPKsJ17BWkS9KQgnWVbCVuDHj6qUKgS8LHL2ZDCzeETdbbm
         60a1RFbnYhl2y+IpAVODu7J5PvEaLfulHwlTpN8agNXwLLwLsLf4YWHhMR1Kug7OGSIk
         KWzNsQ56iywB5ua1/K+NPdz+p7zoPASCOTOrk+qqbpc26sGCCdRDzM7Wj6m73bU7B/D+
         bgPSgjovqXR7SWoym8nx1ZKzstiiM11LvLeFXhu02auaFjpfuWXBYVxITHvVDuDyXeNI
         GeVVgX1zKA5gILHpmsb9rC9CB7Ybqd2I4LqofB6OxEZ7eVaTauF5UeiFQ05k1ask4ntQ
         dbYQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature
         :arc-authentication-results;
        bh=VkQ6/uEbsEwajpQMLIbwrAzWjlD2SKk8EXgVGyZwISY=;
        b=CGlBkf8ecOqkc95ozVnZkHas+5QoOpEdwquzEGdSIztwwv1GoAEZdm9v2hkv+XwlvH
         mhkRzeY0p4FnFT6D9tFJ0KM8y4DWvE2aZi+Lhp/gJxDrRD/pRIVnDa4kj/LTtzVUrvSk
         fTpKhNp9d5nxuzJrBrllNmSgbGi6nAiioIHfA/nd/J+pmysmILSkYlFHbHUTElktBxbo
         /X/JLXLx4VNmBgMXTCYBzxKPoVhLUUGsqHa0LFh9YS/MqlCva9W6hwlDmLOGRm9D2C7O
         b0vIY/f0s5ls79M38oeL2edrkUQ1g9anewc5V0F9t4/0E4mpXohmRmKVvP0DsEZ5esCX
         jTDA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=o5YpE3X3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id n4-v6si20996265pfk.277.2018.05.24.04.21.39;
        Thu, 24 May 2018 04:21:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=o5YpE3X3;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S967920AbeEXJwn (ORCPT <rfc822;huangweiredhat@gmail.com>
        + 99 others); Thu, 24 May 2018 05:52:43 -0400
Received: from mail.kernel.org ([198.145.29.99]:53002 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S967908AbeEXJwi (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 24 May 2018 05:52:38 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id A22D520847;
        Thu, 24 May 2018 09:52:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1527155558;
        bh=a3ecujHPaWg0gI7naMhUO1IheCAaBd+sUjeHDbCm7/8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=o5YpE3X3lVJATYkfpgsGENT59yx8KpR0ttKZo68YzBncHZWsK2AW7uB2ofvE0ik66
         AZfyIL7l0BYKb4qzwMN8FhYUUVOWI51AMruZszLoh4ct7pFqK8oUTO9oZc9nIX4tH6
         MdYt25nwE8Qi5KEqRIghGud/ZV8g8bIQ+Cd2uP50=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com,
        Eric Biggers <ebiggers@google.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 005/165] net/smc: check for missing nlattrs in SMC_PNETID messages
Date:   Thu, 24 May 2018 11:36:51 +0200
Message-Id: <20180524093622.192569496@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
In-Reply-To: <20180524093621.979359379@linuxfoundation.org>
References: <20180524093621.979359379@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit d49baa7e12ee70c0a7b821d088a770c94c02e494 ]

It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:

- Missing SMC_PNETID_NAME => null pointer dereference when comparing
  names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing
  smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing
  smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to
  smc_ib_device::pattr[-1].

Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.

Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes: 6812baabf24d ("smc: establish pnet table management")
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/smc/smc_pnet.c |   71 +++++++++++++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 31 deletions(-)

--- a/net/smc/smc_pnet.c
+++ b/net/smc/smc_pnet.c
@@ -245,40 +245,45 @@ out:
 static int smc_pnet_fill_entry(struct net *net, struct smc_pnetentry *pnetelem,
 			       struct nlattr *tb[])
 {
-	char *string, *ibname = NULL;
-	int rc = 0;
+	char *string, *ibname;
+	int rc;
 
 	memset(pnetelem, 0, sizeof(*pnetelem));
 	INIT_LIST_HEAD(&pnetelem->list);
-	if (tb[SMC_PNETID_NAME]) {
-		string = (char *)nla_data(tb[SMC_PNETID_NAME]);
-		if (!smc_pnetid_valid(string, pnetelem->pnet_name)) {
-			rc = -EINVAL;
-			goto error;
-		}
-	}
-	if (tb[SMC_PNETID_ETHNAME]) {
-		string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
-		pnetelem->ndev = dev_get_by_name(net, string);
-		if (!pnetelem->ndev)
-			return -ENOENT;
-	}
-	if (tb[SMC_PNETID_IBNAME]) {
-		ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
-		ibname = strim(ibname);
-		pnetelem->smcibdev = smc_pnet_find_ib(ibname);
-		if (!pnetelem->smcibdev) {
-			rc = -ENOENT;
-			goto error;
-		}
-	}
-	if (tb[SMC_PNETID_IBPORT]) {
-		pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
-		if (pnetelem->ib_port > SMC_MAX_PORTS) {
-			rc = -EINVAL;
-			goto error;
-		}
-	}
+
+	rc = -EINVAL;
+	if (!tb[SMC_PNETID_NAME])
+		goto error;
+	string = (char *)nla_data(tb[SMC_PNETID_NAME]);
+	if (!smc_pnetid_valid(string, pnetelem->pnet_name))
+		goto error;
+
+	rc = -EINVAL;
+	if (!tb[SMC_PNETID_ETHNAME])
+		goto error;
+	rc = -ENOENT;
+	string = (char *)nla_data(tb[SMC_PNETID_ETHNAME]);
+	pnetelem->ndev = dev_get_by_name(net, string);
+	if (!pnetelem->ndev)
+		goto error;
+
+	rc = -EINVAL;
+	if (!tb[SMC_PNETID_IBNAME])
+		goto error;
+	rc = -ENOENT;
+	ibname = (char *)nla_data(tb[SMC_PNETID_IBNAME]);
+	ibname = strim(ibname);
+	pnetelem->smcibdev = smc_pnet_find_ib(ibname);
+	if (!pnetelem->smcibdev)
+		goto error;
+
+	rc = -EINVAL;
+	if (!tb[SMC_PNETID_IBPORT])
+		goto error;
+	pnetelem->ib_port = nla_get_u8(tb[SMC_PNETID_IBPORT]);
+	if (pnetelem->ib_port < 1 || pnetelem->ib_port > SMC_MAX_PORTS)
+		goto error;
+
 	return 0;
 
 error:
@@ -307,6 +312,8 @@ static int smc_pnet_get(struct sk_buff *
 	void *hdr;
 	int rc;
 
+	if (!info->attrs[SMC_PNETID_NAME])
+		return -EINVAL;
 	pnetelem = smc_pnet_find_pnetid(
 				(char *)nla_data(info->attrs[SMC_PNETID_NAME]));
 	if (!pnetelem)
@@ -359,6 +366,8 @@ static int smc_pnet_add(struct sk_buff *
 
 static int smc_pnet_del(struct sk_buff *skb, struct genl_info *info)
 {
+	if (!info->attrs[SMC_PNETID_NAME])
+		return -EINVAL;
 	return smc_pnet_remove_by_pnetid(
 				(char *)nla_data(info->attrs[SMC_PNETID_NAME]));
 }