From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Soenke Huster <soenke.huster@eknoes.de>,
Johannes Berg <johannes.berg@intel.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 30/39] wifi: mac80211_hwsim: check length for virtio packets
Date: Wed, 21 Sep 2022 17:46:35 +0200 [thread overview]
Message-ID: <20220921153646.719004184@linuxfoundation.org> (raw)
In-Reply-To: <20220921153645.663680057@linuxfoundation.org>
From: Soenke Huster <soenke.huster@eknoes.de>
[ Upstream commit 8c0427842aaef161a38ac83b7e8d8fe050b4be04 ]
An invalid packet with a length shorter than the specified length in the
netlink header can lead to use-after-frees and slab-out-of-bounds in the
processing of the netlink attributes, such as the following:
BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010
Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12
Workqueue: events hwsim_virtio_rx_work
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5d
print_report.cold+0x5e/0x5e5
kasan_report+0xb1/0x1c0
__nla_validate_parse+0x1258/0x2010
__nla_parse+0x22/0x30
hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0
hwsim_virtio_rx_work+0x1b2/0x370
process_one_work+0x8df/0x1530
worker_thread+0x575/0x11a0
kthread+0x29d/0x340
ret_from_fork+0x22/0x30
</TASK>
Discarding packets with an invalid length solves this.
Therefore, skb->len must be set at reception.
Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6
Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mac80211_hwsim.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 8e412125a49c..50190ded7edc 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -4209,6 +4209,10 @@ static int hwsim_virtio_handle_cmd(struct sk_buff *skb)
nlh = nlmsg_hdr(skb);
gnlh = nlmsg_data(nlh);
+
+ if (skb->len < nlh->nlmsg_len)
+ return -EINVAL;
+
err = genlmsg_parse(nlh, &hwsim_genl_family, tb, HWSIM_ATTR_MAX,
hwsim_genl_policy, NULL);
if (err) {
@@ -4251,7 +4255,8 @@ static void hwsim_virtio_rx_work(struct work_struct *work)
spin_unlock_irqrestore(&hwsim_virtio_lock, flags);
skb->data = skb->head;
- skb_set_tail_pointer(skb, len);
+ skb_reset_tail_pointer(skb);
+ skb_put(skb, len);
hwsim_virtio_handle_cmd(skb);
spin_lock_irqsave(&hwsim_virtio_lock, flags);
--
2.35.1
next prev parent reply other threads:[~2022-09-21 16:00 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-21 15:46 [PATCH 5.10 00/39] 5.10.145-rc1 review Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 01/39] KVM: PPC: Book3S HV: Context tracking exit guest context before enabling irqs Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 02/39] KVM: PPC: Tick accounting should defer vtime accounting til after IRQ handling Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 03/39] serial: 8250: Fix reporting real baudrate value in c_ospeed field Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 04/39] parisc: Optimize per-pagetable spinlocks Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 05/39] parisc: Flush kernel data mapping in set_pte_at() when installing pte for user page Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 06/39] dmaengine: bestcomm: fix system boot lockups Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 07/39] powerpc/pseries/mobility: refactor node lookup during DT update Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 08/39] powerpc/pseries/mobility: ignore ibm, platform-facilities updates Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 09/39] usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 10/39] platform/x86/intel: hid: add quirk to support Surface Go 3 Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 11/39] net: dsa: mv88e6xxx: allow use of PHYs on CPU and DSA ports Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 12/39] of: fdt: fix off-by-one error in unflatten_dt_nodes() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 13/39] pinctrl: sunxi: Fix name for A100 R_PIO Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 14/39] NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0 Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 15/39] gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 16/39] drm/meson: Correct OSD1 global alpha value Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 17/39] drm/meson: Fix OSD1 RGB to YCbCr coefficient Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 18/39] parisc: ccio-dma: Add missing iounmap in error path in ccio_probe() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 19/39] tracing: hold caller_addr to hardirq_{enable,disable}_ip Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 20/39] of/device: Fix up of_dma_configure_id() stub Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 21/39] cifs: revalidate mapping when doing direct writes Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 22/39] cifs: dont send down the destination address to sendmsg for a SOCK_STREAM Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 23/39] tools/include/uapi: Fix <asm/errno.h> for parisc and xtensa Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 24/39] video: fbdev: i740fb: Error out if pixclock equals zero Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 25/39] Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field" Greg Kroah-Hartman
2022-09-21 20:05 ` Pavel Machek
2022-09-22 6:59 ` Greg Kroah-Hartman
2022-09-25 15:20 ` Sasha Levin
2022-09-21 15:46 ` [PATCH 5.10 26/39] ASoC: nau8824: Fix semaphore unbalance at error paths Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 27/39] regulator: pfuze100: Fix the global-out-of-bounds access in pfuze100_regulator_probe() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 28/39] rxrpc: Fix local destruction being repeated Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 29/39] rxrpc: Fix calc of resend age Greg Kroah-Hartman
2022-09-21 15:46 ` Greg Kroah-Hartman [this message]
2022-09-21 15:46 ` [PATCH 5.10 31/39] ALSA: hda/sigmatel: Keep power up while beep is enabled Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 32/39] ALSA: hda/tegra: Align BDL entry to 4KB boundary Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 33/39] net: usb: qmi_wwan: add Quectel RM520N Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 34/39] afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 35/39] MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 36/39] mksysmap: Fix the mismatch of L0 symbols in System.map Greg Kroah-Hartman
2022-09-21 20:06 ` Pavel Machek
2022-09-21 15:46 ` [PATCH 5.10 37/39] video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 38/39] cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all() Greg Kroah-Hartman
2022-09-21 15:46 ` [PATCH 5.10 39/39] ALSA: hda/sigmatel: Fix unused variable warning for beep power change Greg Kroah-Hartman
2022-09-21 20:03 ` [PATCH 5.10 00/39] 5.10.145-rc1 review Pavel Machek
2022-09-21 20:18 ` Allen Pais
2022-09-21 22:48 ` Florian Fainelli
2022-09-21 22:56 ` Shuah Khan
2022-09-22 7:25 ` Jon Hunter
2022-09-22 9:46 ` Naresh Kamboju
2022-09-22 10:28 ` Sudip Mukherjee (Codethink)
2022-09-22 16:44 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220921153646.719004184@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=johannes.berg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=soenke.huster@eknoes.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.