From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 48/57] net/packet: fix slab-out-of-bounds access in packet_recvmsg()
Date: Mon, 21 Mar 2022 14:52:29 +0100 [thread overview]
Message-ID: <20220321133223.382568013@linuxfoundation.org> (raw)
In-Reply-To: <20220321133221.984120927@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ]
syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
and mmap operations, tpacket_rcv() is queueing skbs with
garbage in skb->cb[], triggering a too big copy [1]
Presumably, users of af_packet using mmap() already gets correct
metadata from the mapped buffer, we can simply make sure
to clear 12 bytes that might be copied to user space later.
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631
CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
sock_recvmsg net/socket.c:962 [inline]
____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
___sys_recvmsg+0x127/0x200 net/socket.c:2674
__sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdfd5954c29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
</TASK>
addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
____sys_recvmsg+0x0/0x600 include/linux/uio.h:246
this frame has 1 object:
[32, 160) 'addr'
Memory state around the buggy address:
ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
^
ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
==================================================================
Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20220312232958.3535620-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/packet/af_packet.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index bd7e8d406c71..d65051959f85 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2246,8 +2246,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
copy_skb = skb_get(skb);
skb_head = skb->data;
}
- if (copy_skb)
+ if (copy_skb) {
+ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
+ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
skb_set_owner_r(copy_skb, sk);
+ }
}
snaplen = po->rx_ring.frame_size - macoff;
if ((int)snaplen < 0) {
@@ -3406,6 +3409,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
+ const size_t max_len = min(sizeof(skb->cb),
+ sizeof(struct sockaddr_storage));
int copy_len;
/* If the address length field is there to be filled
@@ -3428,6 +3433,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
msg->msg_namelen = sizeof(struct sockaddr_ll);
}
}
+ if (WARN_ON_ONCE(copy_len > max_len)) {
+ copy_len = max_len;
+ msg->msg_namelen = copy_len;
+ }
memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
}
--
2.34.1
next prev parent reply other threads:[~2022-03-21 14:02 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-21 13:51 [PATCH 4.19 00/57] 4.19.236-rc1 review Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 01/57] Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0" Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 02/57] sctp: fix the processing for INIT chunk Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 03/57] sctp: fix the processing for INIT_ACK chunk Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 04/57] xfrm: Check if_id in xfrm_migrate Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 05/57] xfrm: Fix xfrm migrate issues when address family changes Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 06/57] arm64: dts: rockchip: fix rk3399-puma eMMC HS400 signal integrity Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 07/57] arm64: dts: rockchip: reorder rk3399 hdmi clocks Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 08/57] ARM: dts: rockchip: fix a typo on rk3288 crypto-controller Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 09/57] MIPS: smp: fill in sibling and core maps earlier Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 10/57] ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 11/57] can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 12/57] atm: firestream: check the return value of ioremap() in fs_init() Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 13/57] nl80211: Update bss channel on channel switch for P2P_CLIENT Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 14/57] tcp: make tcp_read_sock() more robust Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 15/57] sfc: extend the locking on mcdi->seqno Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 16/57] kselftest/vm: fix tests build with old libc Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 17/57] sched/topology: Make sched_init_numa() use a set for the deduplicating sort Greg Kroah-Hartman
2022-03-21 13:51 ` [PATCH 4.19 18/57] sched/topology: Fix sched_domain_topology_level alloc in sched_init_numa() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 19/57] ia64: ensure proper NUMA distance and possible map initialization Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 20/57] cpuset: Fix unsafe lock order between cpuset lock and cpuslock Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 21/57] mm: fix dereference a null pointer in migrate[_huge]_page_move_mapping() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 22/57] fs: sysfs_emit: Remove PAGE_SIZE alignment check Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 23/57] arm64: Add part number for Arm Cortex-A77 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 24/57] arm64: Add Neoverse-N2, Cortex-A710 CPU part definition Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 25/57] arm64: Add Cortex-X2 " Greg Kroah-Hartman
2022-03-21 13:52 ` Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 26/57] arm64: entry.S: Add ventry overflow sanity checks Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 27/57] arm64: entry: Make the trampoline cleanup optional Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 28/57] arm64: entry: Free up another register on kptis tramp_exit path Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 29/57] arm64: entry: Move the trampoline data page before the text page Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 30/57] arm64: entry: Allow tramp_alias to access symbols after the 4K boundary Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 31/57] arm64: entry: Dont assume tramp_vectors is the start of the vectors Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 32/57] arm64: entry: Move trampoline macros out of ifdefd section Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 33/57] arm64: entry: Make the kpti trampolines kpti sequence optional Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 34/57] arm64: entry: Allow the trampoline text to occupy multiple pages Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 35/57] arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 36/57] arm64: entry: Add vectors that have the bhb mitigation sequences Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 37/57] arm64: entry: Add macro for reading symbol addresses from the trampoline Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 38/57] arm64: Add percpu vectors for EL1 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 39/57] arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2 Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 40/57] KVM: arm64: Add templates for BHB mitigation sequences Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 41/57] arm64: Mitigate spectre style branch history side channels Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 42/57] KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 43/57] arm64: add ID_AA64ISAR2_EL1 sys register Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 44/57] arm64: Use the clearbhb instruction in mitigations Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 45/57] crypto: qcom-rng - ensure buffer for generate is completely filled Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 46/57] ocfs2: fix crash when initialize filecheck kobj fails Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 47/57] efi: fix return value of __setup handlers Greg Kroah-Hartman
2022-03-21 13:52 ` Greg Kroah-Hartman [this message]
2022-03-21 13:52 ` [PATCH 4.19 49/57] atm: eni: Add check for dma_map_single Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 50/57] hv_netvsc: Add check for kvmalloc_array Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 51/57] drm/panel: simple: Fix Innolux G070Y2-L01 BPP settings Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 52/57] net: handle ARPHRD_PIMREG in dev_is_mac_header_xmit() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 53/57] net: dsa: Add missing of_node_put() in dsa_port_parse_of Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 54/57] usb: gadget: rndis: prevent integer overflow in rndis_set_response() Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 55/57] usb: gadget: Fix use-after-free bug by not setting udc->dev.driver Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 56/57] Input: aiptek - properly check endpoint type Greg Kroah-Hartman
2022-03-21 13:52 ` [PATCH 4.19 57/57] perf symbols: Fix symbol size calculation condition Greg Kroah-Hartman
2022-03-21 18:00 ` [PATCH 4.19 00/57] 4.19.236-rc1 review Pavel Machek
2022-03-21 19:16 ` Jon Hunter
2022-03-21 23:24 ` Shuah Khan
2022-03-22 1:59 ` Guenter Roeck
2022-03-22 12:54 ` Sudip Mukherjee
2022-03-22 15:23 ` Naresh Kamboju
2022-03-23 0:55 ` Samuel Zou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220321133223.382568013@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.