From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com, Cong Wang, "David S. Miller"
Subject: [PATCH 4.9 24/68] net_sched: ematch: reject invalid TCF_EM_SIMPLE
Date: Mon, 3 Feb 2020 16:19:20 +0000
Message-Id: <20200203161909.061635854@linuxfoundation.org>
X-Mailer: git-send-email 2.25.0
In-Reply-To: <20200203161904.705434837@linuxfoundation.org>
References: <20200203161904.705434837@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Eric Dumazet

[ Upstream commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 ]

It is possible for malicious userspace to set TCF_EM_SIMPLE bit
even for matches that should not have this bit set.

This can fool two places using tcf_em_is_simple()

1) tcf_em_tree_destroy() -> memory leak of em->data
   if ops->destroy() is NULL

2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
   of a kernel pointer.

BUG: memory leak
unreferenced object 0xffff888121850a40 (size 32):
  comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
  hex dump (first 32 bytes):
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
    [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
    [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
    [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
    [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
    [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
    [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
    [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
    [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
    [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
    [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
    [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
    [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
    [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
Cc: Cong Wang
Acked-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/sched/ematch.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -242,6 +242,9 @@ static int tcf_em_validate(struct tcf_pr
 			goto errout;
 
 		if (em->ops->change) {
+			err = -EINVAL;
+			if (em_hdr->flags & TCF_EM_SIMPLE)
+				goto errout;
 			err = em->ops->change(net, data, data_len, em);
 			if (err < 0)
 				goto errout;
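Review bot: the new `if (em_hdr->flags & TCF_EM_SIMPLE)` check is placed ahead of the `em->ops->change()` call, which is the right spot: the match is rejected before the module can store a pointer in em->data, so neither the tcf_em_tree_destroy() leak (destroy NULL, flag says "not a pointer") nor the 4-byte pointer disclosure in tcf_em_tree_dump() from the commit message can occur, and the `goto errout` at that point has nothing belonging to this ematch to release. One readability point: `err = -EINVAL;` is overwritten by the change() return value on the non-rejected path, which is fine but reads oddly without context, so a one-line comment above the check saying why the flag is invalid here (a module that supplies change() owns em->data as a pointer, so tcf_em_is_simple() must never be true for it) would save the next reader a trip to the commit log.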
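To make the two behaviours in the commit message concrete, here is a userspace model of the validate/destroy paths for an em_nbyte-style module (a module with change() but no destroy()), added here and not part of the kernel or of this patch: with `fixed=0` a match carrying TCF_EM_SIMPLE leaves its kmemdup'd data unreleased, with `fixed=1` the patch's check rejects it before anything is allocated. The struct layouts, `live_allocs` counter and the sample payload are constructed for the model; the flag value is the one in include/uapi/linux/pkt_cls.h.

```c
/* Userspace model of the ematch paths named in the commit message (added illustration,
 * not kernel code): names mirror the kernel's, bodies keep only the SIMPLE-flag logic. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define TCF_EM_SIMPLE (1 << 3)  /* bit value as in include/uapi/linux/pkt_cls.h */
struct tcf_ematch;
struct tcf_ematch_ops {
	int (*change)(void *data, int len, struct tcf_ematch *em);
	void (*destroy)(struct tcf_ematch *em);  /* NULL for an em_nbyte-style module */
};
/* em->data is a plain u32 when SIMPLE is set, otherwise a pointer the module owns */
struct tcf_ematch { const struct tcf_ematch_ops *ops; unsigned long data; uint16_t flags; };
static int live_allocs;  /* stands in for kmemleak's accounting */
/* em_nbyte-like change(): duplicate the payload and keep the pointer in em->data */
static int nbyte_change(void *data, int len, struct tcf_ematch *em) {
	void *copy = malloc(len);
	if (!copy) return -ENOMEM;
	em->data = (unsigned long)memcpy(copy, data, len);  /* memcpy returns copy */
	live_allocs++;
	return 0;
}
static const struct tcf_ematch_ops nbyte_ops = { nbyte_change, NULL };
/* fixed=0 is the pre-patch path, fixed=1 adds the patch's check ahead of change() */
static int tcf_em_validate(struct tcf_ematch *em, uint16_t flags, void *d, int len, int fixed) {
	em->flags = flags;
	if (!em->ops->change) return 0;
	if (fixed && (flags & TCF_EM_SIMPLE)) return -EINVAL;  /* module owns em->data */
	return em->ops->change(d, len, em);
}
/* tree_destroy() frees em->data only when the flag says it holds a pointer */
static void tcf_em_tree_destroy(struct tcf_ematch *em) {
	if (em->ops->destroy) em->ops->destroy(em);
	else if (!(em->flags & TCF_EM_SIMPLE)) {
		free((void *)em->data);
		live_allocs--;
	}
}

/* One validate()+destroy() round trip: returns validate()'s error code and stores the
 * number of allocations still live in *leaked (1 reproduces the kmemleak report). */
int ematch_roundtrip(uint16_t flags, int fixed, int *leaked) {
	struct tcf_ematch em = { &nbyte_ops, 0, 0 };
	uint8_t payload[4] = { 1, 2, 3, 4 };  /* constructed sample match data */
	live_allocs = 0;
	int err = tcf_em_validate(&em, flags, payload, sizeof payload, fixed);
	tcf_em_tree_destroy(&em);
	*leaked = live_allocs;
	return err;
}
```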