From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Craig Gallek <kraigatgoog@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 3.18 08/20] tun/tap: sanitize TUNSETSNDBUF input
Date: Fri, 17 Nov 2017 08:59:57 +0100
Message-ID: <20171117075957.GB4660@kroah.com>
In-Reply-To: <CAEfhGiwTzKWbF98fd6TYy5h2b3nB4NqA+B2+=-zJE7kQzSTOuA@mail.gmail.com>
On Thu, Nov 16, 2017 at 04:25:13PM -0500, Craig Gallek wrote:
> On Thu, Nov 16, 2017 at 12:28 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > 3.18-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Craig Gallek <kraig@google.com>
> >
> >
> > [ Upstream commit 93161922c658c714715686cd0cf69b090cb9bf1d ]
> >
> > Syzkaller found several variants of the lockup below by setting negative
> > values with the TUNSETSNDBUF ioctl. This patch adds a sanity check
> > to both the tun and tap versions of this ioctl.
> >
> > watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
> > Modules linked in:
> > irq event stamp: 329692056
> > hardirqs last enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75
> > hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0
> > softirqs last enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c
> > softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0
> > CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > task: ffff880009452140 task.stack: ffff880006a20000
> > RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
> > RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
> > RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
> > RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
> > RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
> > R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
> > FS: 00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
> > Call Trace:
> > prepare_to_wait+0x26/0xc0
> > sock_alloc_send_pskb+0x14e/0x270
> > ? remove_wait_queue+0x60/0x60
> > tun_get_user+0x2cc/0x19d0
> > ? __tun_get+0x60/0x1b0
> > tun_chr_write_iter+0x57/0x86
> > __vfs_write+0x156/0x1e0
> > vfs_write+0xf7/0x230
> > SyS_write+0x57/0xd0
> > entry_SYSCALL_64_fastpath+0x1f/0xbe
> > RIP: 0033:0x7f4be4356df9
> > RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
> > RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
> > RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
> > R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
> > R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000
> >
> > Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
> > Fixes: 20d29d7a916a ("net: macvtap driver")
> > Signed-off-by: Craig Gallek <kraig@google.com>
> > Reviewed-by: Eric Dumazet <edumazet@google.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > drivers/net/macvtap.c | 2 ++
> > drivers/net/tun.c | 4 ++++
> > 2 files changed, 6 insertions(+)
> >
> > --- a/drivers/net/macvtap.c
> > +++ b/drivers/net/macvtap.c
> > @@ -1047,6 +1047,8 @@ static long macvtap_ioctl(struct file *f
> > case TUNSETSNDBUF:
> > if (get_user(u, up))
> > return -EFAULT;
> > + if (s <= 0)
> > + return -EINVAL;
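Review bot: the new check in the macvtap_ioctl TUNSETSNDBUF case tests `s`, but the value just copied from userspace two lines above is `u` (`if (get_user(u, up))`), so the added lines should read `+ if (u <= 0)` / `+ return -EINVAL;` for this 3.18 backport. As shown, the check either does not compile against the visible code or tests a different variable, and the negative-value lockup the commit message describes would remain reachable through the tap ioctl; the tun.c half of the patch (listed in the diffstat, not shown in the quote) should be checked for the same variable name before the backport goes in.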
> Yay build bot! This 's' should be a 'u' in the 3.18 version.
Yes, that was a good catch, I'll go fix this up, thanks.
greg k-h