From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eric Dumazet <edumazet@google.com>,
	syzbot <syzkaller@googlegroups.com>,
	Sven Eckelmann <sven@narfation.org>,
	Simon Wunderlich <sw@simonwunderlich.de>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 05/27] batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
Date: Wed,  4 Sep 2019 12:01:58 -0400	[thread overview]
Message-ID: <20190904160220.4545-5-sashal@kernel.org> (raw)
In-Reply-To: <20190904160220.4545-1-sashal@kernel.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 3ee1bb7aae97324ec9078da1f00cb2176919563f ]

batadv_netlink_get_ifindex() needs to make sure user passed
a correct u32 attribute.

syzbot reported:
BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x191/0x1f0 lib/dump_stack.c:113
 kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
 __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
 batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
 genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
 netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
 __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
 genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
 genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
 netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
 genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
 netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
 netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
 netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:661 [inline]
 ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
 __sys_sendmsg net/socket.c:2298 [inline]
 __do_sys_sendmsg net/socket.c:2307 [inline]
 __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x440209

Fixes: b60620cf567b ("batman-adv: netlink: hardif query")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/batman-adv/netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
index 64cb6acbe0a64..d7ba4fd24e3de 100644
--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -114,7 +114,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
 {
 	struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
 
-	return attr ? nla_get_u32(attr) : 0;
+	return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
 }
 
 /**
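Review bot: the added `nla_len(attr) == sizeof(u32)` test on the `+` line is the right minimal fix, but the hunk is worth reading for why it was needed at all: nlmsg_find_attr() only locates the attribute named by attrtype, it does not apply the family's nla_policy, so nothing had verified that the attribute carries a 4-byte payload before nla_get_u32() loaded one; with a 1-byte payload at the end of the message that load runs past the message into the uninitialized skb tail, which is the read KMSAN flagged in batadv_netlink_dump_hardif(). Any other attribute fetched through nlmsg_find_attr() on this dump path has the same exposure, so either validate the message against the policy once (nlmsg_parse()/nla_validate()) or audit every such lookup for the same length check. Note also that a malformed attribute now yields 0 exactly like an absent one; if the callers treat 0 as "no interface given" rather than as an error, a request that should be rejected with -EINVAL is silently accepted, so consider distinguishing the two cases.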
-- 
2.20.1

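The mechanism behind the report, as an added userspace illustration that is not part of the patch or of batman-adv: a netlink attribute header carries a 16-bit length covering header plus payload, the lookup helper only checks that the attribute fits inside the message, and nla_get_u32() then does an unconditional 4-byte load. If the attribute is the last thing in the message and its payload is 1 byte, three of the four bytes come from whatever follows the message. The code below mirrors the kernel's nlattr layout and walk in plain C; `ATTR_MESH_IFINDEX`, `get_ifindex_unchecked()`, `get_ifindex_checked()` and the two `build_*_msg()` helpers are hypothetical names, and the 0xAA bytes after the constructed message stand in for the uninitialized skb tail (reading them here is defined behaviour, in the kernel it is the uninit-value KMSAN reported).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct nlattr in include/uapi/linux/netlink.h:
 * nla_len counts header + payload, padding to 4 bytes is not included. */
struct nlattr {
    uint16_t nla_len;
    uint16_t nla_type;
};

#define NLA_ALIGNTO   4U
#define NLA_ALIGN(n)  (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))
#define NLA_TYPE_MASK 0x3fff           /* drop NLA_F_NESTED / NLA_F_NET_BYTEORDER */

#define ATTR_MESH_IFINDEX 3            /* hypothetical id for the ifindex attribute */
#define BUFSZ 64

/* nla_ok(): the attribute header and its declared length fit in what is left. */
static int nla_ok(const struct nlattr *nla, int remaining)
{
    return remaining >= (int)sizeof(*nla) &&
           nla->nla_len >= sizeof(*nla) &&
           nla->nla_len <= remaining;
}

static const struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
{
    int totlen = (int)NLA_ALIGN(nla->nla_len);
    *remaining -= totlen;
    return (const struct nlattr *)((const char *)nla + totlen);
}

static int nla_payload_len(const struct nlattr *nla) { return nla->nla_len - NLA_HDRLEN; }
static const void *nla_data(const struct nlattr *nla) { return (const char *)nla + NLA_HDRLEN; }

/* Walk the attribute stream for one type, like nla_find(): it checks that the
 * attribute fits in the message, not that its payload has any particular size. */
static const struct nlattr *find_attr(const void *buf, int len, int attrtype)
{
    const struct nlattr *nla = buf;
    int rem = len;
    while (nla_ok(nla, rem)) {
        if ((nla->nla_type & NLA_TYPE_MASK) == attrtype)
            return nla;
        nla = nla_next(nla, &rem);
    }
    return NULL;
}

/* nla_get_u32(): an unconditional 4-byte load from the payload. */
static uint32_t nla_get_u32(const struct nlattr *nla)
{
    uint32_t v;
    memcpy(&v, nla_data(nla), sizeof(v));
    return v;
}

/* Before the fix: presence is the only thing checked. */
uint32_t get_ifindex_unchecked(const void *buf, int len)
{
    const struct nlattr *attr = find_attr(buf, len, ATTR_MESH_IFINDEX);
    return attr ? nla_get_u32(attr) : 0;
}

/* After the fix: the payload must be exactly sizeof(u32). */
uint32_t get_ifindex_checked(const void *buf, int len)
{
    const struct nlattr *attr = find_attr(buf, len, ATTR_MESH_IFINDEX);
    return (attr && nla_payload_len(attr) == (int)sizeof(uint32_t)) ? nla_get_u32(attr) : 0;
}

/* Write one attribute at buf[0]; the message ends right after the payload,
 * with no padding, exactly as a minimal user-supplied message may. */
static int put_attr(unsigned char *buf, int type, const void *payload, int plen)
{
    struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + plen), (uint16_t)type };
    memcpy(buf, &hdr, sizeof(hdr));
    memcpy(buf + NLA_HDRLEN, payload, (size_t)plen);
    return hdr.nla_len;
}

/* Constructed messages. The buffer is prefilled with 0xAA to play the part of
 * stale memory after the message; both return the message length. */
int build_good_msg(unsigned char *buf)   /* ifindex 7 as a proper u32 */
{
    uint32_t ifindex = 7;
    memset(buf, 0xAA, BUFSZ);
    return put_attr(buf, ATTR_MESH_IFINDEX, &ifindex, sizeof(ifindex));
}

int build_short_msg(unsigned char *buf)  /* same attribute, 1-byte payload */
{
    unsigned char one = 7;
    memset(buf, 0xAA, BUFSZ);
    return put_attr(buf, ATTR_MESH_IFINDEX, &one, 1);
}

/* Run one scenario and return what the lookup yields. */
uint32_t lookup_ifindex(int short_payload, int checked)
{
    unsigned char buf[BUFSZ];
    int len = short_payload ? build_short_msg(buf) : build_good_msg(buf);
    return checked ? get_ifindex_checked(buf, len) : get_ifindex_unchecked(buf, len);
}

int main(void)
{
    printf("u32 payload,    unchecked: %" PRIu32 "\n", lookup_ifindex(0, 0));
    printf("u32 payload,    checked:   %" PRIu32 "\n", lookup_ifindex(0, 1));
    printf("1-byte payload, unchecked: 0x%08" PRIx32 " (3 stale bytes)\n", lookup_ifindex(1, 0));
    printf("1-byte payload, checked:   %" PRIu32 "\n", lookup_ifindex(1, 1));
    return 0;
}
```

The well-formed message yields 7 either way; the 1-byte message passes `find_attr()` because 5 bytes of attribute fit in a 5-byte message, so the unchecked helper returns one real byte merged with three stale ones, while the checked helper returns 0. The same reasoning applies to any fixed-size getter (nla_get_u16, nla_get_u64, nla_get_be32) used on an attribute that was located without policy validation.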


Thread overview: 27+ messages
2019-09-04 16:01 [PATCH AUTOSEL 4.9 01/27] ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss Sasha Levin
2019-09-04 16:01 ` [PATCH AUTOSEL 4.9 02/27] s390/bpf: fix lcgr instruction encoding Sasha Levin
2019-09-04 16:01 ` [PATCH AUTOSEL 4.9 03/27] ARM: OMAP2+: Fix omap4 errata warning on other SoCs Sasha Levin
2019-09-04 16:01 ` [PATCH AUTOSEL 4.9 04/27] s390/bpf: use 32-bit index for tail calls Sasha Levin
2019-09-04 16:01 ` Sasha Levin [this message]
2019-09-04 16:01 ` [PATCH AUTOSEL 4.9 06/27] NFSv4: Fix return values for nfs4_file_open() Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 07/27] NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 08/27] Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 09/27] qed: Add cleanup in qed_slowpath_start() Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 10/27] ARM: 8874/1: mm: only adjust sections of valid mm structures Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 11/27] batman-adv: Only read OGM tvlv_len after buffer len check Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 12/27] batman-adv: Only read OGM2 " Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 13/27] r8152: Set memory to all 0xFFs on failed reg reads Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 14/27] x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 15/27] netfilter: nf_conntrack_ftp: Fix debug output Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 16/27] NFSv2: Fix eof handling Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 17/27] NFSv2: Fix write regression Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 18/27] cifs: set domainName when a domain-key is used in multiuser Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 19/27] cifs: Use kzfree() to zero out the password Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 20/27] x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 21/27] ARM: 8901/1: add a criteria for pfn_valid of arm Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 22/27] sky2: Disable MSI on yet another ASUS boards (P6Xxxx) Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 23/27] perf/x86/intel: Restrict period on Nehalem Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 24/27] perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 25/27] net: stmmac: dwmac-rk: Don't fail if phy regulator is absent Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 26/27] tools/power turbostat: fix buffer overrun Sasha Levin
2019-09-04 16:02 ` [PATCH AUTOSEL 4.9 27/27] net: seeq: Fix the function used to release some memory in an error handling path Sasha Levin
