Date: Tue, 11 Aug 2020 13:29:04 +0300 (EEST)
From: Julian Anastasov
To: Peilin Ye
cc: Wensong Zhang, Simon Horman, Cong Wang, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Jakub Kicinski, Greg Kroah-Hartman, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel-mentees@lists.linuxfoundation.org, syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
In-Reply-To: <20200811074640.841693-1-yepeilin.cs@gmail.com>
References: <20200810220703.796718-1-yepeilin.cs@gmail.com> <20200811074640.841693-1-yepeilin.cs@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hello,

On Tue, 11 Aug 2020, Peilin Ye wrote:

> do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is
> zero. Fix it.
>
> Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2
> Suggested-by: Julian Anastasov
> Signed-off-by: Peilin Ye

Looks good to me, thanks!

Acked-by: Julian Anastasov

> ---
> Changes in v2:
> - Target net-next tree. (Suggested by Julian Anastasov)
> - Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead
>   of initializing `arg`. (Suggested by Cong Wang,
>   Julian Anastasov)
>
> net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c > index 412656c34f20..beeafa42aad7 100644 > --- a/net/netfilter/ipvs/ip_vs_ctl.c > +++ b/net/netfilter/ipvs/ip_vs_ctl.c 
> @@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) > /* Set timeout values for (tcp tcpfin udp) */ > ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); > goto out_unlock; > + } else if (!len) { > + /* No more commands with len == 0 below */ > + ret = -EINVAL; > + goto out_unlock; > } > > usvc_compat = (struct ip_vs_service_user *)arg; > @@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) > break; > case IP_VS_SO_SET_DELDEST: > ret = ip_vs_del_dest(svc, &udest); > - break; > - default: > - ret = -EINVAL; > } > > out_unlock: > -- > 2.25.1 Regards -- Julian Anastasov
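
Review bot: In the first hunk (@@ -2471,6 +2471,10 @@), the comment /* No more commands with len == 0 below */ states an invariant without naming the command it exempts. The changelog says IP_VS_SO_SET_FLUSH is the only request allowed with len == 0, and that belongs in the comment so that a command added later below this point gets checked against it. The new branch also covers only the zero-length case: the cast usvc_compat = (struct ip_vs_service_user *)arg directly below still depends on length validation that is not visible in this hunk, so the commit message should say where nonzero lengths are checked against the size each command expects.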
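
Review bot: In the second hunk (@@ -2547,9 +2551,6 @@), dropping the default: ret = -EINVAL; arm means a cmd that matches no case now leaves the switch without assigning ret, and the hunk does not show what ret holds at that point. Either keep the default arm as a defensive fallback or explain in the commit message why no other cmd can reach this switch once the new len check is in place. Minor style point: the last case (IP_VS_SO_SET_DELDEST) loses its break; that is harmless for the final arm, but keeping it avoids an accidental fallthrough when another case is appended.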