Received: by 2002:a25:2c96:0:0:0:0:0 with SMTP id s144csp1187805ybs; Mon, 25 May 2020 09:14:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw6S67w0Q30DxbSJI/FHuTstfuNkypGZBNYkiI1L/k1mxKJWxJ9vEFsheXvw3IcnE5RFmIi X-Received: by 2002:a17:906:27c2:: with SMTP id k2mr18900563ejc.239.1590423258584; Mon, 25 May 2020 09:14:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1590423258; cv=none; d=google.com; s=arc-20160816; b=YPcdsgrqm5WWova7/JitiUHwwckABTxl9AFfdFPeoyDV+PK/1luQHtNVxoeh+XOrUd TkO8KX+zKr8cXb7nVqyhk+Gu73gK7+sIyO6Y9V6YQtWhx5n4z5dzxtjZ2x53Dm4Th3Hj pWU1CbVmzHU++eXgtnvKVlk30OZQfbUHdrlFixzAQYtF1DM9nKhGAjMkQUc3zk1thdfz 4b8pDyitgK3bp5ZMe9VwPVSiKAQmQ98z2KQ+hY4FZ42cCD7bf7/cAdLSRCeavYYFdLu8 /vbF+gk+9rIAVRJvcO5sU/e3iJe0OjEnpw3LOzDlYDXge1a6SXj8d8DFhCekY4QZocw2 o2yg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:ironport-sdr:dkim-signature; bh=qslBaUfWF7+DVn0pTCTuliqMC9L7yt7eNiWfUnCpp2c=; b=leCQrpBgOzcTgtxfvSpSwZpVCLwvXMakrl5LCMjpRH4D/lNDEj9ASvplcB7sRaHmhO q3XcByqM8c+y6c4irM50MIrp1adSLuLv0laB+xZh1xKo+QcKEbYaknsTRtDLKc+EnK2s dNFxXK4VMMKgdLr+nuqUCJG3ETVDh0i1R2ddz51ARj9q4G/DP4mGZN/0IVu095rlpD8s WWysVb/i0AHlSKZk/VfwJGvDP+hEjm+524RWJV4FyQawKxetVcJlPdpj89GNcl9DXTaI znyyb50Hn1aJ3pR98fL1I1vNO5cPcBwvqdDUjRYlW90fyqGq4OQa1wTPLr+pzcD/cp7b tOUQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@microchip.com header.s=mchp header.b=YyIwB8za; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=microchip.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p13si9601859eja.585.2020.05.25.09.13.55; Mon, 25 May 2020 09:14:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=fail header.i=@microchip.com header.s=mchp header.b=YyIwB8za; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=microchip.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726788AbgEYH4X (ORCPT + 99 others); Mon, 25 May 2020 03:56:23 -0400 Received: from esa6.microchip.iphmx.com ([216.71.154.253]:44907 "EHLO esa6.microchip.iphmx.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725809AbgEYH4W (ORCPT ); Mon, 25 May 2020 03:56:22 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=microchip.com; i=@microchip.com; q=dns/txt; s=mchp; t=1590393381; x=1621929381; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=gka3xhQHdVujI+DvQjAJqTOsOu9U8CaV+bHB/w8dE/o=; b=YyIwB8za8r2vJdfhDQU+5CVvtDoAlCxV2w513h3UyP0FCQ4sDaFKI4EU HyEJL7a+otopljhrXC3rp9D20UNtt48Ls26mB+hBvjk2mNlE6U2EgM16W h+p5OgAvFGYTwJ+uuGuOUBPfP3yD9jXn2iY3LKmasUzlOYFBYINMOyHCE 2vtk2VGlU+2gRQqnQwuNNTJxKFcPYzSBrv9DNhsDJexeJGb4YkgQ/ntlT /KjNxduk89yYEGpQZpuWW3+uRYA5k3uxiD7rbaCVpsRRTsXDjIOvaGIzW 0eTaQtUhyvIBut6jS9RG4njEx0VOgs6z2Y1NAByrCxODO3oGjHbaFU51X Q==; IronPort-SDR: Ku69RMxDc/Tw6URFoi4cr3b7iyBayER/a+CE1TVr4cboF+zCp4QXr0yIO0Pp2n7W9zFu10SaTX VgWUNjMsFn5BPEnc7TiTexBUrXT76fvPrFq3lL7fds7XUsH3t+jaNq2vCtUa56eqflh7LogrE+ n7Kb9WRgi6JvSP1EyZA3OI5d1DogIajNEVhIchGkaJJXYdxtQn9SF7zT0O4hmE7vYwHfjSjnTN Z/djyDiR90H/vR7J3EGgBpG3mgTx4aLk+TPb7NqXHyknlvpvJU40ColsgtH7HLxEJemQbS/Bdu oNg= X-IronPort-AV: E=Sophos;i="5.73,432,1583218800"; d="scan'208";a="13408235" Received: from smtpout.microchip.com (HELO email.microchip.com) ([198.175.253.82]) by esa6.microchip.iphmx.com with ESMTP/TLS/AES256-SHA256; 25 May 2020 00:56:20 -0700 Received: from chn-vm-ex01.mchp-main.com (10.10.85.143) by chn-vm-ex02.mchp-main.com (10.10.85.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1713.5; Mon, 25 May 2020 00:56:22 -0700 Received: from soft-dev3.localdomain (10.10.115.15) by chn-vm-ex01.mchp-main.com (10.10.85.143) with Microsoft SMTP Server id 15.1.1713.5 via Frontend Transport; Mon, 25 May 2020 00:56:13 -0700 From: Horatiu Vultur To: , , , , , , , , CC: Horatiu Vultur , Subject: [PATCH] bridge: mrp: Fix out-of-bounds read in br_mrp_parse Date: Mon, 25 May 2020 09:55:41 +0000 Message-ID: <20200525095541.46673-1-horatiu.vultur@microchip.com> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The issue was reported by syzbot. When the function br_mrp_parse was called with a valid net_bridge_port, the net_bridge was an invalid pointer. Therefore the check br->stp_enabled could pass/fail depending where it was pointing in memory. The fix consists of setting the net_bridge pointer if the port is a valid pointer. Reported-by: syzbot+9c6f0f1f8e32223df9a4@syzkaller.appspotmail.com Fixes: 6536993371fa ("bridge: mrp: Integrate MRP into the bridge") Signed-off-by: Horatiu Vultur --- net/bridge/br_mrp_netlink.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/bridge/br_mrp_netlink.c b/net/bridge/br_mrp_netlink.c index 397e7f710772a..4a08a99519b04 100644 --- a/net/bridge/br_mrp_netlink.c +++ b/net/bridge/br_mrp_netlink.c @@ -27,6 +27,12 @@ int br_mrp_parse(struct net_bridge *br, struct net_bridge_port *p, struct nlattr *tb[IFLA_BRIDGE_MRP_MAX + 1]; int err; + /* When this function is called for a port then the br pointer is + * invalid, therefor set the br to point correctly + */ + if (p) + br = p->br; + if (br->stp_enabled != BR_NO_STP) { NL_SET_ERR_MSG_MOD(extack, "MRP can't be enabled if STP is already enabled"); return -EINVAL; -- 2.26.2