From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shigeru Yoshida <syoshida@redhat.com>,
Jiri Pirko <jiri@nvidia.com>, Jakub Kicinski <kuba@kernel.org>,
Sasha Levin <sashal@kernel.org>,
syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com,
syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Subject: [PATCH 4.14 38/45] tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
Date: Wed, 15 Nov 2023 14:33:15 -0500 [thread overview]
Message-ID: <20231115191421.829104382@linuxfoundation.org> (raw)
In-Reply-To: <20231115191419.641552204@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shigeru Yoshida <syoshida@redhat.com>
[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ]
syzbot reported the following uninit-value access issue [1]:
=====================================================
BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
strlen lib/string.c:418 [inline]
strstr+0xb8/0x2f0 lib/string.c:756
tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
TIPC bearer-related names including link names must be null-terminated
strings. If a link name which is not null-terminated is passed through
netlink, strstr() and similar functions can cause buffer overrun. This
causes the above issue.
This patch changes the nla_policy for bearer-related names from NLA_STRING
to NLA_NUL_STRING. This resolves the issue by ensuring that only
null-terminated strings are accepted as bearer-related names.
syzbot reported similar uninit-value issue related to bearer names [2]. The
root cause of this issue is that a non-null-terminated bearer name was
passed. This patch also resolved this issue.
Fixes: 7be57fc69184 ("tipc: add link get/dump to new netlink api")
Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1]
Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/netlink.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index d4e0bbeee7279..f21d4b9e56c83 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -85,7 +85,7 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {
[TIPC_NLA_LINK_UNSPEC] = { .type = NLA_UNSPEC },
- [TIPC_NLA_LINK_NAME] = { .type = NLA_STRING,
+ [TIPC_NLA_LINK_NAME] = { .type = NLA_NUL_STRING,
.len = TIPC_MAX_LINK_NAME },
[TIPC_NLA_LINK_MTU] = { .type = NLA_U32 },
[TIPC_NLA_LINK_BROADCAST] = { .type = NLA_FLAG },
@@ -113,7 +113,7 @@ const struct nla_policy tipc_nl_prop_policy[TIPC_NLA_PROP_MAX + 1] = {
const struct nla_policy tipc_nl_bearer_policy[TIPC_NLA_BEARER_MAX + 1] = {
[TIPC_NLA_BEARER_UNSPEC] = { .type = NLA_UNSPEC },
- [TIPC_NLA_BEARER_NAME] = { .type = NLA_STRING,
+ [TIPC_NLA_BEARER_NAME] = { .type = NLA_NUL_STRING,
.len = TIPC_MAX_BEARER_NAME },
[TIPC_NLA_BEARER_PROP] = { .type = NLA_NESTED },
[TIPC_NLA_BEARER_DOMAIN] = { .type = NLA_U32 }
--
2.42.0
next prev parent reply other threads:[~2023-11-15 20:04 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-15 19:32 [PATCH 4.14 00/45] 4.14.330-rc1 review Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 01/45] i40e: fix potential memory leaks in i40e_remove() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 02/45] tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 03/45] tcp_metrics: do not create an entry from tcp_init_metrics() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 04/45] wifi: rtlwifi: fix EDCA limit set by BT coexistence Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 05/45] thermal: core: prevent potential string overflow Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 06/45] ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 07/45] ipv6: avoid atomic fragment on GSO packets Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 08/45] clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 09/45] clk: keystone: pll: fix a couple NULL vs IS_ERR() checks Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 10/45] clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 11/45] clk: mediatek: clk-mt2701: " Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 12/45] platform/x86: wmi: Fix probe failure when failing to register WMI devices Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 13/45] drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 14/45] drm/radeon: possible buffer overflow Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 15/45] drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 16/45] ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 17/45] firmware: ti_sci: Mark driver as non removable Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 18/45] hwrng: geode - fix accessing registers Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 19/45] ARM: 9321/1: memset: cast the constant byte to unsigned char Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 20/45] ext4: move ix sanity check to corrent position Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 21/45] RDMA/hfi1: Workaround truncation compilation error Greg Kroah-Hartman
2023-11-15 19:32 ` [PATCH 4.14 22/45] sh: bios: Revive earlyprintk support Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 23/45] ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 24/45] mfd: dln2: Fix double put in dln2_probe Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 25/45] tty: tty_jobctrl: fix pid memleak in disassociate_ctty() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 26/45] usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 27/45] dmaengine: ti: edma: handle irq_of_parse_and_map() errors Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 28/45] misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 29/45] USB: usbip: fix stub_dev hub disconnect Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 30/45] dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 31/45] pcmcia: cs: fix possible hung task and memory leak pccardd() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 32/45] pcmcia: ds: fix refcount leak in pcmcia_device_add() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 33/45] pcmcia: ds: fix possible name leak in error path " Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 34/45] media: s3c-camif: Avoid inappropriate kfree() Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 35/45] media: dvb-usb-v2: af9035: fix missing unlock Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 36/45] pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 37/45] llc: verify mac len before reading mac header Greg Kroah-Hartman
2023-11-15 19:33 ` Greg Kroah-Hartman [this message]
2023-11-15 19:33 ` [PATCH 4.14 39/45] dccp: Call security_inet_conn_request() after setting IPv4 addresses Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 40/45] dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 41/45] tg3: power down device only on SYSTEM_POWER_OFF Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 42/45] netfilter: xt_recent: fix (increase) ipv6 literal buffer length Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 43/45] fbdev: fsl-diu-fb: mark wr_reg_wa() static Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 44/45] Revert "mmc: core: Capture correct oemid-bits for eMMC cards" Greg Kroah-Hartman
2023-11-15 19:33 ` [PATCH 4.14 45/45] btrfs: use u64 for buffer sizes in the tree search ioctls Greg Kroah-Hartman
2023-11-16 11:29 ` [PATCH 4.14 00/45] 4.14.330-rc1 review Naresh Kamboju
2023-11-16 20:08 ` Harshit Mogalapalli
2023-11-17 4:10 ` Guenter Roeck
2023-11-17 17:00 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231115191421.829104382@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=jiri@nvidia.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syoshida@redhat.com \
--cc=syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com \
--cc=syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.