From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com, syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com, Ying Xue, "David S. Miller"
Subject: [PATCH 4.19 79/99] tipc: fix uninit-value in tipc_nl_compat_doit
Date: Mon, 21 Jan 2019 14:49:11 +0100
Message-Id: <20190121134917.102773676@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190121134913.924726465@linuxfoundation.org>
References: <20190121134913.924726465@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------
From: Ying Xue

commit 2753ca5d9009c180dbfd4c802c80983b4b6108d1 upstream.

BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
 tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
 tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
 genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
 genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fda9
RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 00000000004016d0
R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
 kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
 kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
 slab_post_alloc_hook mm/slab.h:445 [inline]
 slab_alloc_node mm/slub.c:2737 [inline]
 __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
 __kmalloc_reserve net/core/skbuff.c:138 [inline]
 __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
 alloc_skb include/linux/skbuff.h:984 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
 netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg net/socket.c:640 [inline]
 ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
 __sys_sendmsg net/socket.c:2080 [inline]
 SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
 SyS_sendmsg+0x54/0x80 net/socket.c:2087
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

In tipc_nl_compat_recv(), when the len variable returned by nlmsg_attrlen() is 0, the message is still treated as a valid one, which is obviously unreasonable. When len is zero, it means the message not only doesn't contain any valid TLV payload, but also the TLV header is not included. Under this situation, the tlv_type field in the TLV header is still accessed in tipc_nl_compat_dumpit() or tipc_nl_compat_doit(), but the field space is obviously illegal. Of course, it is not initialized.

Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
Signed-off-by: Ying Xue
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/tipc/netlink_compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -1249,7 +1249,7 @@ static int tipc_nl_compat_recv(struct sk
 	}
 
 	len = nlmsg_attrlen(req_nlh, GENL_HDRLEN + TIPC_GENL_HDRLEN);
-	if (len && !TLV_OK(msg.req, len)) {
+	if (!len || !TLV_OK(msg.req, len)) {
 		msg.rep = tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED);
 		err = -EOPNOTSUPP;
 		goto send;
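Review bot: the new condition `if (!len || !TLV_OK(msg.req, len))` only catches len == 0, but len is the plain int returned by nlmsg_attrlen(), so the hunk still relies on len never being negative when it is handed to TLV_OK() as a size. If the generic netlink layer is guaranteed to have rejected requests shorter than GENL_HDRLEN + TIPC_GENL_HDRLEN before tipc_nl_compat_recv() runs, a one-line comment above the check saying so would spare the next reader the same question; otherwise `if (len <= 0 || !TLV_OK(msg.req, len))` is the safer spelling. It is also worth a sentence in the commit message that an empty request is now answered with the same tipc_get_err_tlv(TIPC_CFG_NOT_SUPPORTED) / -EOPNOTSUPP reply as a malformed TLV, since "not supported" is not an obvious description of "no TLV at all".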
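The zero-length case the commit message describes, as an added example that is not the kernel's or the patch author's code: a user-space C model of the request check in tipc_nl_compat_recv() before and after the fix, run over constructed buffers. The TLV header layout (a big-endian tlv_len followed by tlv_type, 4-byte aligned) and the tlv_ok() predicate follow the TIPC configuration TLV format; the helper names accept_before_fix, accept_after_fix, run_check, dispatched_type and zero_len_type, and the 0xAA fill standing in for uninitialised slab memory, are assumptions made for this example.

```c
/* Added example, not kernel code: models the request-length check in
 * tipc_nl_compat_recv() before and after the fix. TLV layout follows the
 * TIPC config TLV format (big-endian tlv_len, then tlv_type, 4-byte aligned);
 * helper names and sample buffers are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLV_ALIGNTO 4
#define TLV_ALIGN(n) (((n) + TLV_ALIGNTO - 1) & ~(TLV_ALIGNTO - 1))
#define TLV_HDR_SIZE 4u                      /* __be16 tlv_len + __be16 tlv_type */
#define TLV_SPACE(datalen) TLV_ALIGN(TLV_HDR_SIZE + (datalen))

static uint16_t be16_load(const unsigned char *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

static void be16_store(unsigned char *p, uint16_t v)
{
	p[0] = (unsigned char)(v >> 8);
	p[1] = (unsigned char)(v & 0xff);
}

/* TLV_OK(): a header fits in 'space' bytes and the declared TLV length does too. */
static int tlv_ok(const unsigned char *tlv, uint16_t space)
{
	return space >= TLV_SPACE(0) && be16_load(tlv) <= space;
}

/* Old check: an empty attribute area (len == 0) skips TLV_OK() entirely. */
static int accept_before_fix(const unsigned char *req, int len)
{
	return !(len && !tlv_ok(req, (uint16_t)len));
}

/* Fixed check: len == 0 is rejected like any other malformed request. */
static int accept_after_fix(const unsigned char *req, int len)
{
	return !(!len || !tlv_ok(req, (uint16_t)len));
}

/* What the doit/dumpit handlers go on to read as tlv_type once a request is
 * accepted, or -1 if the policy rejected it. 'req' points at the start of the
 * attribute area; only the first 'len' bytes were supplied by the sender. */
static int dispatched_type(int (*policy)(const unsigned char *, int),
			   const unsigned char *req, int len)
{
	if (!policy(req, len))
		return -1;
	return be16_load(req + 2);
}

/* Build an attribute area holding one TLV header (host-order inputs) and run
 * 'policy' over it, pretending the sender supplied 'len' bytes. Bytes beyond
 * the header are 0xAA, a constructed stand-in for whatever the slab allocator
 * left behind (in the kernel those bytes are simply uninitialised). */
static int run_check(int (*policy)(const unsigned char *, int),
		     uint16_t tlv_len, uint16_t tlv_type, int len)
{
	unsigned char buf[16];

	memset(buf, 0xAA, sizeof(buf));
	be16_store(buf + 0, tlv_len);
	be16_store(buf + 2, tlv_type);
	return policy(buf, len);
}

/* Zero-length request: the attribute area is empty, so every byte at 'req'
 * lies beyond what the sender supplied. Returns what each policy dispatches on. */
static int zero_len_type(int (*policy)(const unsigned char *, int))
{
	unsigned char slab[8];

	memset(slab, 0xAA, sizeof(slab));   /* constructed stand-in for uninit memory */
	return dispatched_type(policy, slab, 0);
}

int main(void)
{
	printf("len=0                   : before fix dispatches on tlv_type 0x%04x, after fix returns %d\n",
	       zero_len_type(accept_before_fix), zero_len_type(accept_after_fix));
	printf("well-formed TLV (len=4) : before %d, after %d\n",
	       run_check(accept_before_fix, 4, 1, 4), run_check(accept_after_fix, 4, 1, 4));
	printf("truncated header (len=2): before %d, after %d\n",
	       run_check(accept_before_fix, 4, 1, 2), run_check(accept_after_fix, 4, 1, 2));
	printf("tlv_len > len (8 > 4)   : before %d, after %d\n",
	       run_check(accept_before_fix, 8, 1, 4), run_check(accept_after_fix, 8, 1, 4));
	return 0;
}
```

The only row where the two policies differ is len == 0: the old short-circuit `len && ...` never reaches TLV_OK(), so the request is accepted and the handler dispatches on whatever happens to sit where tlv_type would be (here the 0xAA fill, in the kernel the uninitialised bytes KMSAN flagged). Truncated or over-declared TLVs are rejected by both versions, which is why the fix is a one-character change to the predicate rather than new validation.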