From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jon Maloy <jmaloy@redhat.com>,
Ying Xue <ying.xue@windriver.com>,
Richard Alpe <richard.alpe@ericsson.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
Subject: [PATCH 4.4 02/62] tipc: fix uninit skb->data in tipc_nl_compat_dumpit()
Date: Tue, 1 Sep 2020 17:09:45 +0200 [thread overview]
Message-ID: <20200901150920.835668850@linuxfoundation.org> (raw)
In-Reply-To: <20200901150920.697676718@linuxfoundation.org>
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 47733f9daf4fe4f7e0eb9e273f21ad3a19130487 ]
__tipc_nl_compat_dumpit() has two callers, and it expects them to
pass a valid nlmsghdr via arg->data. This header is artificial and
crafted just for __tipc_nl_compat_dumpit().
tipc_nl_compat_publ_dump() does so by putting a genlmsghdr as well
as some nested attribute, TIPC_NLA_SOCK. But the other caller
tipc_nl_compat_dumpit() does not, this leaves arg->data uninitialized
on this call path.
Fix this by just adding a similar nlmsghdr without any payload in
tipc_nl_compat_dumpit().
This bug exists since day 1, but the recent commit 6ea67769ff33
("net: tipc: prepare attrs in __tipc_nl_compat_dumpit()") makes it
easier to appear.
Reported-and-tested-by: syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com
Fixes: d0796d1ef63d ("tipc: convert legacy nl bearer dump to nl compat")
Cc: Jon Maloy <jmaloy@redhat.com>
Cc: Ying Xue <ying.xue@windriver.com>
Cc: Richard Alpe <richard.alpe@ericsson.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/netlink_compat.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -250,8 +250,9 @@ err_out:
static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
struct tipc_nl_compat_msg *msg)
{
- int err;
+ struct nlmsghdr *nlh;
struct sk_buff *arg;
+ int err;
if (msg->req_type && (!msg->req_size ||
!TLV_CHECK_TYPE(msg->req, msg->req_type)))
@@ -280,6 +281,15 @@ static int tipc_nl_compat_dumpit(struct
return -ENOMEM;
}
+ nlh = nlmsg_put(arg, 0, 0, tipc_genl_family.id, 0, NLM_F_MULTI);
+ if (!nlh) {
+ kfree_skb(arg);
+ kfree_skb(msg->rep);
+ msg->rep = NULL;
+ return -EMSGSIZE;
+ }
+ nlmsg_end(arg, nlh);
+
err = __tipc_nl_compat_dumpit(cmd, msg, arg);
if (err) {
kfree_skb(msg->rep);
next prev parent reply other threads:[~2020-09-01 17:22 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-01 15:09 [PATCH 4.4 00/62] 4.4.235-rc1 review Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 01/62] net: Fix potential wrong skb->protocol in skb_vlan_untag() Greg Kroah-Hartman
2020-09-01 15:09 ` Greg Kroah-Hartman [this message]
2020-09-01 15:09 ` [PATCH 4.4 03/62] ipvlan: fix device features Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 04/62] bonding: show saner speed for broadcast mode Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 05/62] bonding: fix a potential double-unregister Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 06/62] powerpc/pseries: Do not initiate shutdown when system is running on UPS Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 07/62] ALSA: pci: delete repeated words in comments Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 08/62] ASoC: tegra: Fix reference count leaks Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 09/62] media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 10/62] scsi: target: tcmu: Fix crash on ARM during cmd completion Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 11/62] drm/amdkfd: Fix reference count leaks Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 12/62] drm/radeon: fix multiple reference count leak Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 13/62] drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 14/62] drm/amd/display: fix ref count leak in amdgpu_drm_ioctl Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 15/62] drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config Greg Kroah-Hartman
2020-09-01 15:09 ` [PATCH 4.4 16/62] drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 17/62] scsi: lpfc: Fix shost refcount mismatch when deleting vport Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 18/62] selftests/powerpc: Purge extra count_pmc() calls of ebb selftests Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 19/62] PCI: Fix pci_create_slot() reference count leak Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 20/62] rtlwifi: rtl8192cu: Prevent leaking urb Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 21/62] mips/vdso: Fix resource leaks in genvdso.c Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 22/62] drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 23/62] drm/nouveau: Fix reference count leak in nouveau_connector_detect Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 24/62] locking/lockdep: Fix overflow in presentation of average lock-time Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 25/62] scsi: iscsi: Do not put host in iscsi_set_flashnode_param() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 26/62] ceph: fix potential mdsc use-after-free crash Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 27/62] scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 28/62] EDAC/ie31200: Fallback if host bridge device is already initialized Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 29/62] media: davinci: vpif_capture: fix potential double free Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 30/62] powerpc/spufs: add CONFIG_COREDUMP dependency Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 31/62] USB: sisusbvga: Fix a potential UB casued by left shifting a negative value Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 32/62] Revert "ath10k: fix DMA related firmware crashes on multiple devices" Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 33/62] i2c: rcar: in slave mode, clear NACK earlier Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 34/62] jbd2: make sure jh have b_transaction set in refile/unfile_buffer Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 35/62] jbd2: abort journal if free a async write error metadata buffer Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 36/62] s390/cio: add cond_resched() in the slow_eval_known_fn() loop Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 37/62] scsi: ufs: Fix possible infinite loop in ufshcd_hold Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 38/62] net: gianfar: Add of_node_put() before goto statement Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 39/62] powerpc/perf: Fix soft lockups due to missed interrupt accounting Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 40/62] fbcon: prevent user font height or width change from causing potential out-of-bounds access Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 41/62] USB: lvtest: return proper error code in probe Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 42/62] vt: defer kfree() of vc_screenbuf in vc_do_resize() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 43/62] vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 44/62] serial: samsung: Removes the IRQ not found warning Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 45/62] serial: pl011: Dont leak amba_ports entry on driver register error Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 46/62] serial: 8250: change lock order in serial8250_do_startup() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 47/62] writeback: Protect inode->i_io_list with inode->i_lock Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 48/62] writeback: Avoid skipping inode writeback Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 49/62] writeback: Fix sync livelock due to b_dirty_time processing Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 50/62] XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information Greg Kroah-Hartman
2020-09-29 13:13 ` Stefan Bader
2020-09-29 14:05 ` Jürgen Groß
2020-09-29 14:21 ` Stefan Bader
2020-09-30 8:52 ` Stefan Bader
2020-09-30 9:01 ` Jürgen Groß
2020-09-01 15:10 ` [PATCH 4.4 51/62] xhci: Do warm-reset when both CAS and XDEV_RESUME are set Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 52/62] PM: sleep: core: Fix the handling of pending runtime resume requests Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 53/62] device property: Fix the secondary firmware node handling in set_primary_fwnode() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 54/62] USB: yurex: Fix bad gfp argument Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 55/62] usb: uas: Add quirk for PNY Pro Elite Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 56/62] USB: quirks: Add no-lpm quirk for another Raydium touchscreen Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 57/62] USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 58/62] usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 59/62] usb: storage: Add unusual_uas entry for Sony PSZ drives Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 60/62] btrfs: check the right error variable in btrfs_del_dir_entries_in_log Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 61/62] HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() Greg Kroah-Hartman
2020-09-01 15:10 ` [PATCH 4.4 62/62] ALSA: usb-audio: Update documentation comment for MS2109 quirk Greg Kroah-Hartman
2020-09-01 18:58 ` [PATCH 4.4 00/62] 4.4.235-rc1 review Guenter Roeck
2020-09-02 7:37 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200901150920.835668850@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jmaloy@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=richard.alpe@ericsson.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+0e7181deafa7e0b79923@syzkaller.appspotmail.com \
--cc=xiyou.wangcong@gmail.com \
--cc=ying.xue@windriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.