From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Ahern, Eric Dumazet, syzbot, Jakub Kicinski, Greg Kroah-Hartman
Subject: [PATCH 5.2 134/135] netlink: Fix nlmsg_parse as a wrapper for strict message parsing
Date: Thu, 22 Aug 2019 13:08:10 -0400
Message-Id: <20190822170811.13303-135-sashal@kernel.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190822170811.13303-1-sashal@kernel.org>
References: <20190822170811.13303-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.2.10-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.2.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.2.10-rc1
X-KernelTest-Deadline: 2019-08-24T17:07+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: David Ahern

[ Upstream commit d00ee64e1dcf09b3afefd1340f3e9eb637272714 ]

Eric reported a syzbot warning:

BUG: KMSAN: uninit-value in nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
CPU: 0 PID: 11812 Comm: syz-executor444 Not tainted 5.3.0-rc3+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x162/0x2d0 mm/kmsan/kmsan_report.c:109
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:294
 nh_valid_get_del_req+0x6f1/0x8c0 net/ipv4/nexthop.c:1510
 rtm_del_nexthop+0x1b1/0x610 net/ipv4/nexthop.c:1543
 rtnetlink_rcv_msg+0x115a/0x1580 net/core/rtnetlink.c:5223
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5241
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf6c/0x1050 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x110f/0x1330 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:637 [inline]
 sock_sendmsg net/socket.c:657 [inline]
 ___sys_sendmsg+0x14ff/0x1590 net/socket.c:2311
 __sys_sendmmsg+0x53a/0xae0 net/socket.c:2413
 __do_sys_sendmmsg net/socket.c:2442 [inline]
 __se_sys_sendmmsg+0xbd/0xe0 net/socket.c:2439
 __x64_sys_sendmmsg+0x56/0x70 net/socket.c:2439
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

The root cause is nlmsg_parse calling __nla_parse which means the header struct size is not checked. nlmsg_parse should be a wrapper around __nlmsg_parse with NL_VALIDATE_STRICT for the validate argument very much like nlmsg_parse_deprecated is for NL_VALIDATE_LIBERAL.

Fixes: 3de6440354465 ("netlink: re-add parse/validate functions in strict mode")
Reported-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David Ahern
Reviewed-by: Eric Dumazet
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman --- include/net/netlink.h | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/include/net/netlink.h b/include/net/netlink.h index 395b4406f4b08..222af2046086e 100644 --- a/include/net/netlink.h +++ b/include/net/netlink.h @@ -680,9 +680,8 @@ static inline int nlmsg_parse(const struct nlmsghdr *nlh, int hdrlen, const struct nla_policy *policy, struct netlink_ext_ack *extack) { - return __nla_parse(tb, maxtype, nlmsg_attrdata(nlh, hdrlen), - nlmsg_attrlen(nlh, hdrlen), policy, - NL_VALIDATE_STRICT, extack); + return __nlmsg_parse(nlh, hdrlen, tb, maxtype, policy, + NL_VALIDATE_STRICT, extack); } /** -- 2.20.1
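Review bot: the replacement body calls __nlmsg_parse, which is not visible in the hunk's context, so the backport only compiles if include/net/netlink.h in linux-5.2.y already declares it above nlmsg_parse; the commit message says nlmsg_parse_deprecated is already such a wrapper with NL_VALIDATE_LIBERAL, which suggests it does, but it is worth confirming in the 5.2.y tree rather than assuming. The removed lines computed the attribute region with nlmsg_attrdata(nlh, hdrlen) and nlmsg_attrlen(nlh, hdrlen) without first verifying that nlmsg_len covers the hdrlen-byte family header, which is exactly the missing check the commit message names, so a one-line addition to the kernel-doc block above nlmsg_parse stating that the header length is now validated like the attributes would help callers understand the behaviour change.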
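A userspace model of the check this fix restores, added here as an illustration and not taken from the patch or the kernel: the netlink header, NLMSG_ALIGN and nlmsg_msg_size are re-implemented locally, and NHMSG_LEN is an assumed stand-in for sizeof(struct nhmsg), the family header rtm_del_nexthop reads. It contrasts the old attribute-length arithmetic, which silently goes negative on a truncated message, with the header-length check that __nlmsg_parse performs first.

```c
/* Added illustration, not kernel code: a userspace model of the header-length
 * check __nlmsg_parse performs and the old nlmsg_parse -> __nla_parse path
 * skipped. Kernel names are re-implemented locally so this builds alone. */
#include <errno.h>
#include <stdint.h>

#define NLMSG_ALIGNTO 4
#define NLMSG_ALIGN(len) (((len) + NLMSG_ALIGNTO - 1) & ~(NLMSG_ALIGNTO - 1))
#define NHMSG_LEN 4  /* assumed: sizeof(struct nhmsg), the RTM_DELNEXTHOP header */

struct nlmsghdr {                  /* 16-byte netlink message header */
    uint32_t nlmsg_len;            /* total length, header included */
    uint16_t nlmsg_type, nlmsg_flags;
    uint32_t nlmsg_seq, nlmsg_pid;
};
#define NLMSG_HDRLEN ((int)NLMSG_ALIGN(sizeof(struct nlmsghdr)))
/* Bytes a message needs to carry an hdrlen-byte family header and no attrs. */
static int nlmsg_msg_size(int hdrlen) { return NLMSG_HDRLEN + hdrlen; }

/* Old path: attribute length taken straight from nlmsg_len. On a short message
 * it goes negative, the attr loop runs zero times and nothing fails, yet the
 * caller still reads the family header from bytes beyond nlmsg_len. */
static int attrlen_unchecked(const struct nlmsghdr *nlh, int hdrlen)
{
    return (int)nlh->nlmsg_len - NLMSG_HDRLEN - (int)NLMSG_ALIGN(hdrlen);
}

/* New path: the check __nlmsg_parse makes before touching any attribute. */
static int parse_strict(const struct nlmsghdr *nlh, int hdrlen, int *attrlen)
{
    if (nlh->nlmsg_len < (uint32_t)nlmsg_msg_size(hdrlen))
        return -EINVAL;            /* header would come from uninit memory */
    *attrlen = attrlen_unchecked(nlh, hdrlen);
    return 0;
}

/* Constructed input: a bare 16-byte header, nhmsg header missing entirely. */
static int check_truncated(int *unchecked_attrlen)
{
    struct nlmsghdr nlh = { .nlmsg_len = sizeof(struct nlmsghdr) };
    int attrlen = 0;
    *unchecked_attrlen = attrlen_unchecked(&nlh, NHMSG_LEN);   /* -4 */
    return parse_strict(&nlh, NHMSG_LEN, &attrlen);            /* -EINVAL */
}

/* Constructed input: header plus a zeroed nhmsg and no attributes. */
static int check_wellformed(void)
{
    struct { struct nlmsghdr nlh; unsigned char nhm[NHMSG_LEN]; } m =
        { .nlh.nlmsg_len = NLMSG_HDRLEN + NHMSG_LEN };
    int attrlen = -1;
    return parse_strict(&m.nlh, NHMSG_LEN, &attrlen) == 0 && attrlen == 0;
}
```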