From: Peilin Ye
To: Wensong Zhang, Simon Horman, Julian Anastasov
Cc: Peilin Ye, Cong Wang, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Jakub Kicinski, Greg Kroah-Hartman, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
Date: Tue, 11 Aug 2020 03:46:40 -0400
Message-Id: <20200811074640.841693-1-yepeilin.cs@gmail.com>
In-Reply-To: <20200810220703.796718-1-yepeilin.cs@gmail.com>
References: <20200810220703.796718-1-yepeilin.cs@gmail.com>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

do_ip_vs_set_ctl() is referencing an uninitialized stack value when `len` is zero. Fix it.

Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
Suggested-by: Julian Anastasov
Signed-off-by: Peilin Ye
---
Changes in v2:
  - Target net-next tree. (Suggested by Julian Anastasov)
  - Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead of initializing `arg`. (Suggested by Cong Wang, Julian Anastasov)

 net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 412656c34f20..beeafa42aad7 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) /* Set timeout values for (tcp tcpfin udp) */ ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); goto out_unlock; + } else if (!len) { + /* No more commands with len == 0 below */ + ret = -EINVAL; + goto out_unlock; } usvc_compat = (struct ip_vs_service_user *)arg; @@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) break; case IP_VS_SO_SET_DELDEST: ret = ip_vs_del_dest(svc, &udest); - break; - default: - ret = -EINVAL; } out_unlock: -- 2.25.1
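Review bot: In the first hunk, the new `else if (!len)` branch sits at the right point in the FLUSH/TIMEOUT chain: everything after it casts `arg` to `struct ip_vs_service_user *` via `usvc_compat`, and with `len == 0` nothing has been copied into that stack buffer, so the early `-EINVAL` is what stops the uninitialized read the commit message describes. The in-code comment `/* No more commands with len == 0 below */` records the invariant, but the commit message itself only says "Fix it."; consider stating there how a zero `len` reaches this code (a command other than `IP_VS_SO_SET_FLUSH` arriving with no payload) and which read it caused, so the reason for rejecting rather than zero-initializing `arg` (the v2 changelog choice) is preserved in git history.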
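Review bot: In the second hunk, dropping `default: ret = -EINVAL;` makes the switch depend on the new `!len` rejection above to guarantee that every command reaching it has an explicit case. That is true for the commands handled today, but the removed arm was also the only one that set an error for an unexpected `cmd`, so a future command that passes the earlier checks without a matching case would leave the switch with no explicit error. Consider keeping a `default:` (even as `WARN_ON_ONCE(1); ret = -EINVAL;`) or noting in the commit message why the arm is now unreachable. Removing the trailing `break;` is fine since `IP_VS_SO_SET_DELDEST` becomes the last case.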