Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp303868pxa;
        Tue, 11 Aug 2020 03:31:28 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyBdRjeNNJTvIX983ZmxK+knDpDpQQROpwbG3LKufx+/numsuqakaIYqPm9RZX03RXyeg7k
X-Received: by 2002:a17:906:c10d:: with SMTP id do13mr25114214ejc.109.1597141888422;
        Tue, 11 Aug 2020 03:31:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1597141888; cv=none;
        d=google.com; s=arc-20160816;
        b=PGkpBczGpIPs/iQhHjL3nijUktJaJ22NSYDqo9L/Rs1S68JLANLRuIz1PGYDn/8ntC
         fHINUz7pjJV7nDrKyBKxuenwI4JlMGT+poMMExBmZJshfujYIF8Sj9a/BqzTH6K7xvCv
         9N2NsfUA8DIO1mdkXE92Z1oBvwBb/tuz3I7tWmFJF4eEM8gt3oyFj9P1E3fwhHO2iak9
         wbph7QiaFHl3o6c7s7pQLeJeJcyJ9ODNvdP5uPHOAW4yxDrp00tG/TzAlpNe7l+C8PQO
         ZCGcg5RQC6llirw3VS0HD4rQ1CKBpxtW7uERYfzTFiAXdYZor6eBgd6wVJKowHDGBuDN
         x4Fw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:references:message-id
         :in-reply-to:subject:cc:to:from:date;
        bh=kyh3TDbJvHmUI/x2YKuRhWtLWN1pMqFUjo8f2wJKejs=;
        b=bxltojOWWG0o2/rZKyUo6cxHP/+4pom426JWABR3KjXNva2PeJpcFFiliwDquzESqq
         9JgbqwUQ8cvBoBbwIyb/9FrwGUWFd314Dkp3vygi420Gc4uV/SGlE7rhGGAw6lOPs2V9
         ElrZp7VJE4vlnDI6tPJKVAUShcE1CAJsOkIrk1vqDz+rUYGAXhykgyEOcpcvq7xJ3xJv
         4CUXn5N3h0q2czWVB2yeodd1cUce7f2AF3Em9CzavOzO9+0gJA2V0lNRqnqf+toAE+qz
         PTb4v+Uu7YOU++13n3prFNLXyBriS1kqu+dqRWgbfqI6XGnN01feqbxKUHL/xrYhCKo0
         cQQw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id x25si12572419edr.231.2020.08.11.03.31.05;
        Tue, 11 Aug 2020 03:31:28 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728699AbgHKKaC (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Tue, 11 Aug 2020 06:30:02 -0400
Received: from ja.ssi.bg ([178.16.129.10]:33806 "EHLO ja.ssi.bg"
        rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP
        id S1728346AbgHKKaB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 11 Aug 2020 06:30:01 -0400
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
        by ja.ssi.bg (8.15.2/8.15.2) with ESMTP id 07BAT4fo009688;
        Tue, 11 Aug 2020 13:29:04 +0300
Date:   Tue, 11 Aug 2020 13:29:04 +0300 (EEST)
From:   Julian Anastasov <ja@ssi.bg>
To:     Peilin Ye <yepeilin.cs@gmail.com>
cc:     Wensong Zhang <wensong@linux-vs.org>,
        Simon Horman <horms@verge.net.au>,
        Cong Wang <xiyou.wangcong@gmail.com>,
        Pablo Neira Ayuso <pablo@netfilter.org>,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        Florian Westphal <fw@strlen.de>,
        "David S. Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        netdev@vger.kernel.org, lvs-devel@vger.kernel.org,
        netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
        linux-kernel-mentees@lists.linuxfoundation.org,
        syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value
 in do_ip_vs_set_ctl()
In-Reply-To: <20200811074640.841693-1-yepeilin.cs@gmail.com>
Message-ID: <alpine.LFD.2.23.451.2008111324570.7428@ja.home.ssi.bg>
References: <20200810220703.796718-1-yepeilin.cs@gmail.com> <20200811074640.841693-1-yepeilin.cs@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org


	Hello,

On Tue, 11 Aug 2020, Peilin Ye wrote:

> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.
> 
> Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
> Suggested-by: Julian Anastasov <ja@ssi.bg>
> Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>

	Looks good to me, thanks!

Acked-by: Julian Anastasov <ja@ssi.bg>

> ---
> Changes in v2:
>     - Target net-next tree. (Suggested by Julian Anastasov <ja@ssi.bg>)
>     - Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead
>       of initializing `arg`. (Suggested by Cong Wang
>       <xiyou.wangcong@gmail.com>, Julian Anastasov <ja@ssi.bg>)
> 
>  net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 412656c34f20..beeafa42aad7 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
>  		/* Set timeout values for (tcp tcpfin udp) */
>  		ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg);
>  		goto out_unlock;
> +	} else if (!len) {
> +		/* No more commands with len == 0 below */
> +		ret = -EINVAL;
> +		goto out_unlock;
>  	}
>  
>  	usvc_compat = (struct ip_vs_service_user *)arg;
> @@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len)
>  		break;
>  	case IP_VS_SO_SET_DELDEST:
>  		ret = ip_vs_del_dest(svc, &udest);
> -		break;
> -	default:
> -		ret = -EINVAL;
>  	}
>  
>    out_unlock:
> -- 
> 2.25.1

Regards

--
Julian Anastasov <ja@ssi.bg>