From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Soenke Huster <soenke.huster@eknoes.de>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>,
johannes@sipsolutions.net, kvalo@kernel.org, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.19 10/22] wifi: mac80211_hwsim: check length for virtio packets
Date: Wed, 14 Sep 2022 05:00:51 -0400
Message-ID: <20220914090103.470630-10-sashal@kernel.org>
In-Reply-To: <20220914090103.470630-1-sashal@kernel.org>
From: Soenke Huster <soenke.huster@eknoes.de>
[ Upstream commit 8c0427842aaef161a38ac83b7e8d8fe050b4be04 ]
An invalid packet with a length shorter than the specified length in the
netlink header can lead to use-after-frees and slab-out-of-bounds in the
processing of the netlink attributes, such as the following:
BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010
Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12
Workqueue: events hwsim_virtio_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
print_report.cold+0x5e/0x5e5
kasan_report+0xb1/0x1c0
__nla_validate_parse+0x1258/0x2010
__nla_parse+0x22/0x30
hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0
hwsim_virtio_rx_work+0x1b2/0x370
process_one_work+0x8df/0x1530
worker_thread+0x575/0x11a0
kthread+0x29d/0x340
ret_from_fork+0x22/0x30
</TASK>
Discarding packets with an invalid length solves this.
Therefore, skb->len must be set at reception.
Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6
Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mac80211_hwsim.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index b511e705a46e4..3d5b0c1e5da30 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -4780,6 +4780,10 @@ static int hwsim_virtio_handle_cmd(struct sk_buff *skb)
nlh = nlmsg_hdr(skb);
gnlh = nlmsg_data(nlh);
+
+ if (skb->len < nlh->nlmsg_len)
+ return -EINVAL;
+
err = genlmsg_parse(nlh, &hwsim_genl_family, tb, HWSIM_ATTR_MAX,
hwsim_genl_policy, NULL);
if (err) {
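Review bot: the new check reads nlh->nlmsg_len before establishing that skb->len is at least NLMSG_HDRLEN, so for a packet shorter than the netlink header itself the comparison consumes a length field that lies beyond the received bytes; whether that read is harmless depends on how the receive buffer is allocated, which is not visible in this hunk. nlmsg_ok(nlh, skb->len) expresses both conditions (the header fits, and nlmsg_len is at least the header size and no larger than what was received) in one call and would make the intent self-documenting, e.g. `if (!nlmsg_ok(nlh, skb->len)) return -EINVAL;`. A short comment noting that the length comes from the virtio device, not from a trusted caller, would also help the next reader understand why the guard is needed here.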
@@ -4822,7 +4826,8 @@ static void hwsim_virtio_rx_work(struct work_struct *work)
spin_unlock_irqrestore(&hwsim_virtio_lock, flags);
skb->data = skb->head;
- skb_set_tail_pointer(skb, len);
+ skb_reset_tail_pointer(skb);
+ skb_put(skb, len);
hwsim_virtio_handle_cmd(skb);
spin_lock_irqsave(&hwsim_virtio_lock, flags);
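Review bot: skb_put() panics via skb_over_panic() when len exceeds the tailroom left after skb_reset_tail_pointer(), and nothing in the visible lines bounds len against the size the buffer was allocated with, so a device-supplied len that is too large would turn the old silent tail overrun into a kernel panic; confirm that len is clamped to the posted buffer size before this point, or check it explicitly ahead of the skb_put(). The switch from skb_set_tail_pointer() to skb_put() is what makes skb->len track the received bytes, which the new skb->len < nlh->nlmsg_len test in hwsim_virtio_handle_cmd() depends on; the old call only moved tail and left skb->len stale, and that dependency between the two hunks deserves a sentence in the commit message.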
--
2.35.1
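To make the failure mode the commit message describes concrete, here is an added user-space illustration; it is not code from this patch or from the kernel. It mirrors the netlink and nlattr header layouts in hypothetical `*_demo` structs so it builds without kernel headers, implements the patch's guard as `check_virtio_packet()` (with the additional header-fits test that the kernel's `nlmsg_ok()` also performs), and runs a simulated attribute walk that trusts `nlmsg_len` the way a parser would, reporting where it would read past the bytes actually received instead of performing that read. All sample messages are constructed inline.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layouts mirror struct nlmsghdr / struct nlattr from the uapi headers,
 * redefined (hypothetical *_demo names) so this builds without kernel headers. */
struct nlmsghdr_demo {
	uint32_t nlmsg_len;   /* total message length, header included */
	uint16_t nlmsg_type, nlmsg_flags;
	uint32_t nlmsg_seq, nlmsg_pid;
};
struct nlattr_demo {
	uint16_t nla_len;     /* attribute length, header included */
	uint16_t nla_type;
};
#define NLMSG_HDRLEN_DEMO (sizeof(struct nlmsghdr_demo))  /* 16 */
#define GENL_HDRLEN_DEMO  4u     /* genl cmd, version, reserved */
#define NLA_ALIGN_DEMO(n) (((n) + 3u) & ~3u)

/* The guard the patch adds, in user-space form: the bytes actually received
 * (len, what the kernel has in skb->len) must cover the length the netlink
 * header claims. The header must also fit, which nlmsg_ok() checks too. */
int check_virtio_packet(const uint8_t *buf, size_t len)
{
	struct nlmsghdr_demo h;

	if (len < NLMSG_HDRLEN_DEMO)
		return -EINVAL;
	memcpy(&h, buf, sizeof(h));
	if (h.nlmsg_len < NLMSG_HDRLEN_DEMO || len < h.nlmsg_len)
		return -EINVAL;
	return 0;
}

struct walk_result {
	int attrs;   /* attributes fully inside the received bytes */
	int oob;     /* 1 if a parser trusting 'limit' would read past 'avail' */
};

/* Simulated attribute walk: a parser that trusts nlmsg_len (limit) reads
 * attribute headers and payloads up to limit, while only avail bytes exist.
 * The first access that would land beyond avail is flagged, not performed. */
struct walk_result walk_attrs(const uint8_t *buf, size_t avail, size_t limit)
{
	struct walk_result r = { 0, 0 };
	size_t off = NLMSG_HDRLEN_DEMO + GENL_HDRLEN_DEMO;
	struct nlattr_demo a;

	while (off + sizeof(a) <= limit) {
		if (off + sizeof(a) > avail) {   /* header itself is past the end */
			r.oob = 1;
			break;
		}
		memcpy(&a, buf + off, sizeof(a));
		if (a.nla_len < sizeof(a))        /* malformed attribute, stop */
			break;
		if (off + a.nla_len > avail) {   /* payload runs past the end */
			r.oob = 1;
			break;
		}
		r.attrs++;
		off += NLA_ALIGN_DEMO(a.nla_len);
	}
	return r;
}

/* Constructed sample: 36 bytes (16 netlink + 4 genl header bytes, then two
 * 8-byte attributes); claimed_len is what gets written into nlmsg_len. */
#define SAMPLE_LEN 36
static void build_sample(uint8_t *buf, uint32_t claimed_len)
{
	struct nlmsghdr_demo h = { claimed_len, 0x1f, 0, 1, 0 };
	struct nlattr_demo a1 = { 8, 1 }, a2 = { 8, 2 };
	uint32_t v = 0x11111111;

	memset(buf, 0, SAMPLE_LEN);
	memcpy(buf, &h, sizeof(h));          /* bytes 0..15; genl header 16..19 zero */
	memcpy(buf + 20, &a1, sizeof(a1));   /* attribute 1: bytes 20..27 */
	memcpy(buf + 24, &v, sizeof(v));
	memcpy(buf + 28, &a2, sizeof(a2));   /* attribute 2: bytes 28..35 */
	memcpy(buf + 32, &v, sizeof(v));
}

/* received: how many of the 36 sample bytes actually arrived (<= SAMPLE_LEN). */
int scenario_check(size_t received, uint32_t claimed)
{
	uint8_t buf[SAMPLE_LEN];

	build_sample(buf, claimed);
	return check_virtio_packet(buf, received);
}

struct walk_result scenario_walk(size_t received, uint32_t claimed)
{
	uint8_t buf[SAMPLE_LEN];

	build_sample(buf, claimed);
	return walk_attrs(buf, received, claimed);
}

int main(void)
{
	/* exit 0 when a truncated delivery is rejected and the walk would have over-read */
	return scenario_check(28, SAMPLE_LEN) == -EINVAL &&
	       scenario_walk(28, SAMPLE_LEN).oob ? 0 : 1;
}
```

Three situations are worth trying against `scenario_check()` and `scenario_walk()`: the intact 36-byte message (check passes, two attributes, no over-read), a delivery truncated to 28 bytes whose header still says 36 (the check rejects it, and a trusting walk would read the second attribute header past the end, the pattern behind the KASAN report), and a full 36-byte buffer whose header claims 64 (rejected; the walk would continue past the real end). The walk deliberately stops at the boundary instead of reading, so it models the bug without reproducing it.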