From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Pablo Neira <pablo@netfilter.org>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted
Date: Tue, 28 Jan 2020 14:57:37 +0100 [thread overview]
Message-ID: <20200128135750.528000471@linuxfoundation.org> (raw)
In-Reply-To: <20200128135749.822297911@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 940ba14986657a50c15f694efca1beba31fa568f ]
A malicious user could use RAW sockets and fool
GTP using them as standard SOCK_DGRAM UDP sockets.
BUG: KMSAN: uninit-value in udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
BUG: KMSAN: uninit-value in setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
CPU: 0 PID: 11262 Comm: syz-executor613 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
gtp_encap_enable_socket+0x37f/0x5a0 drivers/net/gtp.c:827
gtp_encap_enable drivers/net/gtp.c:844 [inline]
gtp_newlink+0xfb/0x1e50 drivers/net/gtp.c:666
__rtnl_newlink net/core/rtnetlink.c:3305 [inline]
rtnl_newlink+0x2973/0x3920 net/core/rtnetlink.c:3363
rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424
netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441359
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff1cd0ac28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441359
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020d0
R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
__alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800
alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2207
alloc_pages include/linux/gfp.h:534 [inline]
alloc_slab_page+0x111/0x12f0 mm/slub.c:1511
allocate_slab mm/slub.c:1656 [inline]
new_slab+0x2bc/0x1130 mm/slub.c:1722
new_slab_objects mm/slub.c:2473 [inline]
___slab_alloc+0x1533/0x1f30 mm/slub.c:2624
__slab_alloc mm/slub.c:2664 [inline]
slab_alloc_node mm/slub.c:2738 [inline]
slab_alloc mm/slub.c:2783 [inline]
kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2788
sk_prot_alloc+0xf2/0x620 net/core/sock.c:1597
sk_alloc+0xf0/0xbe0 net/core/sock.c:1657
inet_create+0x7c7/0x1370 net/ipv4/af_inet.c:321
__sock_create+0x8eb/0xf00 net/socket.c:1420
sock_create net/socket.c:1471 [inline]
__sys_socket+0x1a1/0x600 net/socket.c:1513
__do_sys_socket net/socket.c:1522 [inline]
__se_sys_socket+0x8d/0xb0 net/socket.c:1520
__x64_sys_socket+0x4a/0x70 net/socket.c:1520
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pablo Neira <pablo@netfilter.org>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/gtp.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -807,19 +807,21 @@ static struct sock *gtp_encap_enable_soc
return NULL;
}
- if (sock->sk->sk_protocol != IPPROTO_UDP) {
+ sk = sock->sk;
+ if (sk->sk_protocol != IPPROTO_UDP ||
+ sk->sk_type != SOCK_DGRAM ||
+ (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)) {
pr_debug("socket fd=%d not UDP\n", fd);
sk = ERR_PTR(-EINVAL);
goto out_sock;
}
- lock_sock(sock->sk);
- if (sock->sk->sk_user_data) {
+ lock_sock(sk);
+ if (sk->sk_user_data) {
sk = ERR_PTR(-EBUSY);
goto out_rel_sock;
}
- sk = sock->sk;
sock_hold(sk);
tuncfg.sk_user_data = gtp;
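Review bot: the `pr_debug("socket fd=%d not UDP\n", fd);` line now sits behind three rejection conditions (sk_protocol, sk_type and sk_family) but still reports only "not UDP", so the very case this patch rejects, a SOCK_RAW socket whose protocol field is IPPROTO_UDP, would be logged as "not UDP"; suggest a message that names the real requirement, e.g. `pr_debug("socket fd=%d is not an AF_INET/AF_INET6 SOCK_DGRAM UDP socket\n", fd);`. The added `sk->sk_type != SOCK_DGRAM` test is what closes the reported hole: the old check looked at sk_protocol alone, which is why a raw socket could pass as UDP (per the commit message) and reach setup_udp_tunnel_sock(), where the KMSAN report above shows the uninitialised read on memory allocated in sk_prot_alloc() for a socket created through inet_create(). Hoisting `sk = sock->sk;` above the check and dropping the later `sk = sock->sk;` reassignment is sound, since both error paths overwrite sk with an ERR_PTR() before their goto and the lock_sock/sk_user_data/sock_hold ordering is unchanged.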
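The commit message explains that checking sk_protocol alone cannot tell a raw socket opened with protocol IPPROTO_UDP apart from a genuine UDP socket, which is why the patch adds the socket type and address family to the kernel-side check. As an added example that is not part of this patch or of the gtp driver, the C program below applies the same three-way check from userspace with getsockopt(SO_DOMAIN / SO_TYPE / SO_PROTOCOL), which is how a daemon that accepts socket file descriptors from other processes can validate them before treating them as UDP. The function names are my own; the SOCK_RAW probe is expected to fail without CAP_NET_RAW and is reported as -2 in that case.

```c
/* Added example, not code from the patch or the gtp driver: a userspace
 * analogue of the kernel check. Mirrors the three conditions the patch
 * tests (protocol, type, address family) on a received file descriptor. */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if fd is an AF_INET/AF_INET6 SOCK_DGRAM UDP socket,
 * 0 if it is a socket of some other kind, -1 (errno set) if fd is
 * not a socket at all or the query failed. */
int is_dgram_udp_socket(int fd)
{
    int domain, type, proto;
    socklen_t len;

    len = sizeof(domain);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &domain, &len) < 0)
        return -1;
    len = sizeof(type);
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
        return -1;
    len = sizeof(proto);
    if (getsockopt(fd, SOL_SOCKET, SO_PROTOCOL, &proto, &len) < 0)
        return -1;

    /* Protocol alone is not enough: a raw socket created with protocol
     * IPPROTO_UDP reports SO_PROTOCOL == IPPROTO_UDP but SO_TYPE == SOCK_RAW,
     * which is the confusion the kernel patch closes. All three must match. */
    if (proto != IPPROTO_UDP)
        return 0;
    if (type != SOCK_DGRAM)
        return 0;
    if (domain != AF_INET && domain != AF_INET6)
        return 0;
    return 1;
}

/* Demonstration helper (hypothetical name): create a socket of the given
 * kind, classify it, close it. Returns the classification, or -2 if the
 * socket could not be created (SOCK_RAW needs CAP_NET_RAW, so an
 * unprivileged process gets EPERM there). */
int classify_new_socket(int domain, int type, int proto)
{
    int fd = socket(domain, type, proto);
    if (fd < 0)
        return -2;
    int r = is_dgram_udp_socket(fd);
    close(fd);
    return r;
}

int main(void)
{
    printf("AF_INET  SOCK_DGRAM  IPPROTO_UDP : %d\n",
           classify_new_socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP));
    printf("AF_INET  SOCK_STREAM IPPROTO_TCP : %d\n",
           classify_new_socket(AF_INET, SOCK_STREAM, IPPROTO_TCP));
    printf("AF_UNIX  SOCK_DGRAM  0           : %d\n",
           classify_new_socket(AF_UNIX, SOCK_DGRAM, 0));
    /* The case from the commit message: protocol says UDP, type says RAW.
     * Must never classify as 1; -2 means this process lacks CAP_NET_RAW. */
    printf("AF_INET  SOCK_RAW    IPPROTO_UDP : %d\n",
           classify_new_socket(AF_INET, SOCK_RAW, IPPROTO_UDP));
    printf("invalid fd -1                    : %d\n", is_dgram_udp_socket(-1));
    return 0;
}
```

SO_DOMAIN and SO_PROTOCOL are Linux-specific socket options; on a kernel with the patch applied the driver performs the equivalent test on sk_family, sk_type and sk_protocol before handing the socket to setup_udp_tunnel_sock(), so the userspace check is a second line of defence for programs that pass descriptors between processes, not a replacement for the kernel fix.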