Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp201707pxa; Tue, 11 Aug 2020 00:09:30 -0700 (PDT) X-Google-Smtp-Source: ABdhPJy0xpKnJmxpBaiTsnL4VPQ9G379PWfS/95yhP53R1cXueyjSahQ5AVMQGiQd9vxu50VQPh9 X-Received: by 2002:a17:906:3c10:: with SMTP id h16mr24842542ejg.233.1597129770656; Tue, 11 Aug 2020 00:09:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597129770; cv=none; d=google.com; s=arc-20160816; b=J5HtNxFWSHGJR/aLCbkOJSH783Yph9BzN44xAbbeFe7avH1lwZhP1vbMarQeIORe0t UxsxVh3fZ8KlxNzxQMBvcNG9tKeA0vwEx5RMnH74gl/XNhZGNVVbe6XghHNVY9llgn9R n/lTeu176hWRCpYeeNL3lCFBo+sJAPB0BKSqHLbKa6UwT9zZke2rzcscABd/ta5vRrIb Yn0rKeku6y+cfFab6j4uD1pzItnuRCjydvfu+WAy0lap+O2VHLDkKodgEzD+7pMksPN7 McOlqNwuSZxdsGYLGcxfy6IM25lhS97VcqNNPbo2oEwYRPkbnm6QMM30MNslI1D/rZ84 wfkQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:references:message-id :in-reply-to:subject:cc:to:from:date; bh=aOx4pSwATIPPZY9cPqSW53ZWKxifhwsmS+JpMjWwc8c=; b=MfVb5BJEfv1grO2eFnIVvHxA8OVPnR0mAYFka1GBHmzgc7MWjsr5C9Mm5rG7705lZa buv75iyZeZRC+RlMw7nWl06L0irA1x4m3ivqyjDLuicoUOZX7rusFJ6jwkdgGH5GYDxU 9456ePzvMpV1y+wp51JDpKAbDJOCB6THFjVoVimMTzx2KidxadvJOI6mSSj/f7+gV0Kk ZTgqS6uMf9gNMIb26xv2JTpJ6T/fJEl6h4rgTygDBs5rU3H/S90VDASMm4iRhjH92UKv yNN+6DcPh7AwrQfzOwV4bflQP+nKX71MGnSP4UmHtzam3H+Qk7HmAX8nilK6pV0WIlrA ls1w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id x18si11716442eds.427.2020.08.11.00.09.06; Tue, 11 Aug 2020 00:09:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728211AbgHKHG3 (ORCPT + 99 others); Tue, 11 Aug 2020 03:06:29 -0400 Received: from ja.ssi.bg ([178.16.129.10]:33622 "EHLO ja.ssi.bg" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1727846AbgHKHG2 (ORCPT ); Tue, 11 Aug 2020 03:06:28 -0400 X-Greylist: delayed 395 seconds by postgrey-1.27 at vger.kernel.org; Tue, 11 Aug 2020 03:06:28 EDT Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by ja.ssi.bg (8.15.2/8.15.2) with ESMTP id 07B6wk1t005940; Tue, 11 Aug 2020 09:58:46 +0300 Date: Tue, 11 Aug 2020 09:58:46 +0300 (EEST) From: Julian Anastasov To: Peilin Ye cc: Cong Wang , Wensong Zhang , Simon Horman , Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal , "David S. Miller" , Jakub Kicinski , Greg Kroah-Hartman , Linux Kernel Network Developers , lvs-devel@vger.kernel.org, NetFilter , coreteam@netfilter.org, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs , LKML Subject: Re: [Linux-kernel-mentees] [PATCH net] ipvs: Fix uninit-value in do_ip_vs_set_ctl() In-Reply-To: <20200811050929.GA821443@PWN> Message-ID: References: <20200810220703.796718-1-yepeilin.cs@gmail.com> <20200811050929.GA821443@PWN> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello, On Tue, 11 Aug 2020, Peilin Ye wrote: > On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote: > > On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye wrote: > > > > > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > > > zero. Fix it. > > > > Which exact 'cmd' is it here? > > > > I _guess_ it is one of those uninitialized in set_arglen[], which is 0. > > Yes, it was `IP_VS_SO_SET_NONE`, implicitly initialized to zero. > > > But if that is the case, should it be initialized to > > sizeof(struct ip_vs_service_user) instead because ip_vs_copy_usvc_compat() > > is called anyway. Or, maybe we should just ban len==0 case. > > I see. I think the latter would be easier, but we cannot ban all of > them, since the function does something with `IP_VS_SO_SET_FLUSH`, which > is a `len == 0` case. > > Maybe we do something like this? Yes, only IP_VS_SO_SET_FLUSH uses len 0. We can go with this change but you do not need to target net tree, as the problem is not fatal net-next works too. What happens is that we may lookup services with random search keys which is harmless. Another option is to add new block after this one: } else if (cmd == IP_VS_SO_SET_TIMEOUT) { /* Set timeout values for (tcp tcpfin udp) */ ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); goto out_unlock; } such as: } else if (!len) { /* No more commands with len=0 below */ ret = -EINVAL; goto out_unlock; } It give more chance for future commands to use len=0 but the drawback is that the check happens under mutex. So, I'm fine with both versions, it is up to you to decide :) > @@ -2432,6 +2432,8 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) > > if (cmd < IP_VS_BASE_CTL || cmd > IP_VS_SO_SET_MAX) > return -EINVAL; > + if (len == 0 && cmd != IP_VS_SO_SET_FLUSH) > + return -EINVAL; > if (len != set_arglen[CMDID(cmd)]) { > IP_VS_DBG(1, "set_ctl: len %u != %u\n", > len, set_arglen[CMDID(cmd)]); > @@ -2547,9 +2549,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) > break; > case IP_VS_SO_SET_DELDEST: > ret = ip_vs_del_dest(svc, &udest); > - break; > - default: > - ret = -EINVAL; > } > > out_unlock: Regards -- Julian Anastasov