From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com, Cong Wang, "David S. Miller"
Subject: [PATCH 5.4 035/110] net_sched: ematch: reject invalid TCF_EM_SIMPLE
Date: Thu, 30 Jan 2020 19:38:11 +0100
Message-Id: <20200130183619.517719472@linuxfoundation.org>
In-Reply-To: <20200130183613.810054545@linuxfoundation.org>
References: <20200130183613.810054545@linuxfoundation.org>
From: Eric Dumazet

[ Upstream commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 ]

It is possible for malicious userspace to set TCF_EM_SIMPLE bit even
for matches that should not have this bit set.

This can fool two places using tcf_em_is_simple()

1) tcf_em_tree_destroy() -> memory leak of em->data
   if ops->destroy() is NULL

2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
   of a kernel pointer.

BUG: memory leak
unreferenced object 0xffff888121850a40 (size 32):
  comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
  hex dump (first 32 bytes):
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
    [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
    [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
    [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
    [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
    [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
    [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
    [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
    [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
    [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
    [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
    [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
    [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
    [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
Cc: Cong Wang
Acked-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sched/ematch.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/ematch.c +++ b/net/sched/ematch.c @@ -238,6 +238,9 @@ static int tcf_em_validate(struct tcf_pr goto errout; if (em->ops->change) { + err = -EINVAL; + if (em_hdr->flags & TCF_EM_SIMPLE) + goto errout; err = em->ops->change(net, data, data_len, em); if (err < 0) goto errout;
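Review bot: the rejection is scoped to the `if (em->ops->change)` branch only, which is consistent with the commit message (a module that supplies its own change(), such as em_nbyte here, owns em->data as a heap allocation, so TCF_EM_SIMPLE must not be honoured for it), but the hunk carries no comment recording that invariant; a one-liner above `if (em_hdr->flags & TCF_EM_SIMPLE)` stating that the flag is only meaningful when the core stores the match value inline in em->data would stop a later reader from treating this as an arbitrary restriction, since both tcf_em_tree_destroy() and tcf_em_tree_dump() silently trust the flag. Minor style point: `err = -EINVAL;` is assigned unconditionally and then overwritten by the change() return on the success path; folding it into the branch (`if (em_hdr->flags & TCF_EM_SIMPLE) { err = -EINVAL; goto errout; }`) would make the intent explicit at the cost of one extra line.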
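The two consequences the commit message lists (destroy skipping the free, dump emitting the low bytes of a pointer) follow from one thing: the core trusts a userspace-supplied flag to decide whether em->data is an inline value or a heap pointer. The following userspace model is an added illustration, not code from this patch or from net/sched/ematch.c; the names ematch, ematch_ops, nbyte_ops, em_validate, em_destroy, run_case and the live_allocs counter are constructed here to make the leak observable, the match bytes are constructed, and only the TCF_EM_SIMPLE value (1) is taken from the kernel UAPI. The `patched` argument toggles the check the commit adds, so the same cycle can be run before and after the fix.

```c
/* Added userspace model of the TCF_EM_SIMPLE handling; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TCF_EM_SIMPLE 1   /* flag value as defined in the kernel UAPI (pkt_cls.h) */

struct ematch;

/* Modelled ops table: em_nbyte supplies change() but no destroy(). */
struct ematch_ops {
    int (*change)(const void *data, int len, struct ematch *em);
    void (*destroy)(struct ematch *em);
};

struct ematch {
    uint16_t flags;                /* copied unchecked from the userspace header */
    unsigned long data;            /* heap pointer, or inline u32 when "simple" */
    const struct ematch_ops *ops;
};

static int live_allocs;            /* constructed bookkeeping: buffers not yet freed */

static bool em_is_simple(const struct ematch *em)
{
    return (em->flags & TCF_EM_SIMPLE) != 0;
}

/* Stand-in for em_nbyte_change(): duplicates the match data onto the heap. */
static int nbyte_change(const void *data, int len, struct ematch *em)
{
    void *copy = malloc((size_t)len);
    if (copy == NULL)
        return -ENOMEM;
    memcpy(copy, data, (size_t)len);
    em->data = (unsigned long)copy;
    live_allocs++;
    return 0;
}

static const struct ematch_ops nbyte_ops = { .change = nbyte_change, .destroy = NULL };

/* Stand-in for tcf_em_validate(); 'patched' enables the check the commit adds. */
static int em_validate(struct ematch *em, uint16_t hdr_flags,
                       const void *data, int len, bool patched)
{
    em->flags = hdr_flags;
    em->ops = &nbyte_ops;
    if (em->ops->change) {
        if (patched && (hdr_flags & TCF_EM_SIMPLE))
            return -EINVAL;        /* the added rejection */
        return em->ops->change(data, len, em);
    }
    return 0;
}

/* Stand-in for the per-match part of tcf_em_tree_destroy(): without a destroy()
 * callback the core frees em->data only when the match is not "simple". */
static void em_destroy(struct ematch *em)
{
    if (em->ops == NULL)
        return;
    if (em->ops->destroy)
        em->ops->destroy(em);
    else if (!em_is_simple(em)) {
        free((void *)em->data);
        live_allocs--;
    }
    em->ops = NULL;
}

struct outcome {
    int err;             /* validate() result */
    int leaked;          /* buffers still outstanding after destroy() */
    bool dumps_pointer;  /* dump would emit (u32)em->data, i.e. a heap address */
};

/* One validate/dump/destroy cycle for a change()-backed match. */
static struct outcome run_case(uint16_t hdr_flags, bool patched)
{
    static const unsigned char match_data[4] = { 0x00, 0x00, 0x00, 0x01 }; /* constructed */
    struct ematch em = { 0, 0, NULL };
    struct outcome o = { 0, 0, false };

    live_allocs = 0;
    o.err = em_validate(&em, hdr_flags, match_data, (int)sizeof match_data, patched);
    /* tcf_em_tree_dump() trusts the flag: a "simple" match is dumped as the
     * low 32 bits of em->data, which after change() is a heap pointer. */
    o.dumps_pointer = (o.err == 0) && em_is_simple(&em) && em.data != 0;
    em_destroy(&em);
    o.leaked = live_allocs;
    if (o.leaked > 0)              /* reclaim what the model leaked */
        free((void *)em.data);
    return o;
}

int main(void)
{
    struct outcome before = run_case(TCF_EM_SIMPLE, false);
    struct outcome after  = run_case(TCF_EM_SIMPLE, true);
    printf("forged flag, unpatched: err=%d leaked=%d dumps_pointer=%d\n",
           before.err, before.leaked, before.dumps_pointer);
    printf("forged flag, patched:   err=%d leaked=%d dumps_pointer=%d\n",
           after.err, after.leaked, after.dumps_pointer);
    return 0;
}
```

Unpatched, a forged flag on a change()-backed match passes validation, leaves one buffer outstanding after destroy and marks the match as dumpable as a 32-bit value; patched, the same header is rejected with -EINVAL before change() runs, so nothing is allocated and nothing is exposed. A match without the flag behaves identically in both modes, which is the property a backport reviewer wants to confirm.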