Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp2459626imd; Fri, 2 Nov 2018 11:46:43 -0700 (PDT) X-Google-Smtp-Source: AJdET5fyDEPdOJbgLL99oVdKnoR1zDA1ABA66apMWs2vRdyN7Dwr2Pe8R4I2sx5N3XQwe+pKC+sH X-Received: by 2002:a63:86c2:: with SMTP id x185mr11014449pgd.230.1541184403569; Fri, 02 Nov 2018 11:46:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541184403; cv=none; d=google.com; s=arc-20160816; b=KeKe+QbT1x9Ram032CunM9xz83cIMvI48g0tOPoYF827qqFDR7dPh7XfuDJ/3VUd1V +ymZ2MJFnZ+R/gZ2x6yI+mhOKt8lHD5eNEClRWdkTxuTpUErtU9V4NMcA14Srlpnqb99 7OXp89RiRWQ13m2dslzoTatyzNFkr5cIa6/f7NASMjBL8Dp6bIsDtUSotrN5EKYtaIS7 QMbsRaSS7D2TzKXvZtwXrv7MSYKfT3E86q1bvcefQ3wtbbh29XM177IfcecedVuAtVUo G7oJO20lPQ60WZYfYldXwij+WLbCbfGGlgjXnDunXjxcjTRmiTPBB1G1PpHEwqf+jUdB r+Dg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sH7ozp/GnNqCAPzLj73fCRKTGlJcJo7Zubcye20C7f4=; b=EEHwHW1n7LXQRRZzQ0BQAO2phfo3gAOhC1NHLGr9s76RAhZKKrSvv5khQTuNN87pbL mncKTvkgtJ3fheX83CgYxd0PohN7z29rXYZbtL44jGEIXXAUZkJirw2e0fxloSckXdiw ThJrFOkE4ZH5wMpirY1caohI5iIGnYiSw3bk8srl8I9uky4F64DkU8bp58vnG7wiR4iQ Id7zjOv5pjHGK9U5XkEBf6+zvxP/ZOeaEEwliJDJaZQyke83AYRa9U3ccWujZOjawIrl 19TT6lMDC9d172Kzh3JTJP+TeO1srp0nqb2q8/xdNY3Z/H/i9Zuu1sA7Ew9FFPrTctRg DNlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yCCGaXx3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w1-v6si5902613pff.47.2018.11.02.11.46.29; Fri, 02 Nov 2018 11:46:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=yCCGaXx3; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730029AbeKCDw3 (ORCPT + 99 others); Fri, 2 Nov 2018 23:52:29 -0400 Received: from mail.kernel.org ([198.145.29.99]:47820 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726849AbeKCDw2 (ORCPT ); Fri, 2 Nov 2018 23:52:28 -0400 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 518D820847; Fri, 2 Nov 2018 18:44:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541184255; bh=5lSVTb057Tgo5b+wFCLOSTIbKekgnfXtvbZNsock4/Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=yCCGaXx3NvqTEIPr1cmv7oNmn0eyDHgcABN+cGrn6OwyJJY7YvgFVUL8FFdV/RWCc B6UNp0iz9h8rqwTZW6GxG+iThNKIBkvqmBnssryoIkO+f5FgpYNWmBoi3gJ9klO3d5 hkQIzR1Wx1NMyQK7vg880nemQtmi8JMGoTZS+zfE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ido Schimmel , Vlad Yasevich , David Ahern , "David S. Miller" Subject: [PATCH 4.18 116/150] rtnetlink: Disallow FDB configuration for non-Ethernet device Date: Fri, 2 Nov 2018 19:34:38 +0100 Message-Id: <20181102182911.182031993@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181102182902.250560510@linuxfoundation.org> References: <20181102182902.250560510@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ido Schimmel [ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ] When an FDB entry is configured, the address is validated to have the length of an Ethernet address, but the device for which the address is configured can be of any type. The above can result in the use of uninitialized memory when the address is later compared against existing addresses since 'dev->addr_len' is used and it may be greater than ETH_ALEN, as with ip6tnl devices. Fix this by making sure that FDB entries are only configured for Ethernet devices. BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863 CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x14b/0x190 lib/dump_stack.c:113 kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956 __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645 memcmp+0x11d/0x180 lib/string.c:863 dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464 ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline] rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558 rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715 netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 __sys_sendmsg net/socket.c:2152 [inline] __do_sys_sendmsg net/socket.c:2161 [inline] __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440ee9 Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fff6a93b518 EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ee9 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003 RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 R10: 00000000004002c8 R11: 0000000000000213 R12: 000000000000b4b0 R13: 0000000000401ec0 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181 kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2718 [inline] __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 __sys_sendmsg net/socket.c:2152 [inline] __do_sys_sendmsg net/socket.c:2161 [inline] __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 v2: * Make error message more specific (David) Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_") Signed-off-by: Ido Schimmel Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com Cc: Vlad Yasevich Cc: David Ahern Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/rtnetlink.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -3480,6 +3480,11 @@ static int rtnl_fdb_add(struct sk_buff * return -EINVAL; } + if (dev->type != ARPHRD_ETHER) { + NL_SET_ERR_MSG(extack, "FDB delete only supported for Ethernet devices"); + return -EINVAL; + } + addr = nla_data(tb[NDA_LLADDR]); err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack); @@ -3584,6 +3589,11 @@ static int rtnl_fdb_del(struct sk_buff * return -EINVAL; } + if (dev->type != ARPHRD_ETHER) { + NL_SET_ERR_MSG(extack, "FDB add only supported for Ethernet devices"); + return -EINVAL; + } + addr = nla_data(tb[NDA_LLADDR]); err = fdb_vid_parse(tb[NDA_VLAN], &vid, extack);