From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Lin Ma <linma@zju.edu.cn>,
Loic Poulain <loic.poulain@linaro.org>,
Simon Horman <horms@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 59/80] net: wwan: fix global oob in wwan_rtnl_policy
Date: Mon, 28 Oct 2024 07:25:39 +0100 [thread overview]
Message-ID: <20241028062254.253690710@linuxfoundation.org> (raw)
In-Reply-To: <20241028062252.611837461@linuxfoundation.org>
5.15-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit 47dd5447cab8ce30a847a0337d5341ae4c7476a7 ]
The variable wwan_rtnl_link_ops assign a *bigger* maxtype which leads to
a global out-of-bounds read when parsing the netlink attributes. Exactly
same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm:
rmnet: fix global oob in rmnet_policy").
==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862
CPU: 0 PID: 323862 Comm: syz.1.66276 Not tainted 6.1.70 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x177/0x231 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x14f/0x750 mm/kasan/report.c:395
kasan_report+0x139/0x170 mm/kasan/report.c:495
validate_nla lib/nlattr.c:388 [inline]
__nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
__nla_parse+0x3c/0x50 lib/nlattr.c:700
nla_parse_nested_deprecated include/net/netlink.h:1269 [inline]
__rtnl_newlink net/core/rtnetlink.c:3514 [inline]
rtnl_newlink+0x7bc/0x1fd0 net/core/rtnetlink.c:3623
rtnetlink_rcv_msg+0x794/0xef0 net/core/rtnetlink.c:6122
netlink_rcv_skb+0x1de/0x420 net/netlink/af_netlink.c:2508
netlink_unicast_kernel net/netlink/af_netlink.c:1326 [inline]
netlink_unicast+0x74b/0x8c0 net/netlink/af_netlink.c:1352
netlink_sendmsg+0x882/0xb90 net/netlink/af_netlink.c:1874
sock_sendmsg_nosec net/socket.c:716 [inline]
__sock_sendmsg net/socket.c:728 [inline]
____sys_sendmsg+0x5cc/0x8f0 net/socket.c:2499
___sys_sendmsg+0x21c/0x290 net/socket.c:2553
__sys_sendmsg net/socket.c:2582 [inline]
__do_sys_sendmsg net/socket.c:2591 [inline]
__se_sys_sendmsg+0x19e/0x270 net/socket.c:2589
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x90 arch/x86/entry/common.c:81
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f67b19a24ad
RSP: 002b:00007f67b17febb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f67b1b45f80 RCX: 00007f67b19a24ad
RDX: 0000000000000000 RSI: 0000000020005e40 RDI: 0000000000000004
RBP: 00007f67b1a1e01d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffd2513764f R14: 00007ffd251376e0 R15: 00007f67b17fed40
</TASK>
The buggy address belongs to the variable:
wwan_rtnl_policy+0x20/0x40
The buggy address belongs to the physical page:
page:ffffea00002c2700 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb09c
flags: 0xfff00000001000(reserved|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000001000 ffffea00002c2708 ffffea00002c2708 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)
Memory state around the buggy address:
ffffffff8b09ca00: 05 f9 f9 f9 05 f9 f9 f9 00 01 f9 f9 00 01 f9 f9
ffffffff8b09ca80: 00 00 00 05 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
>ffffffff8b09cb00: 00 00 00 00 05 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
^
ffffffff8b09cb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
According to the comment of `nla_parse_nested_deprecated`, use correct size
`IFLA_WWAN_MAX` here to fix this issue.
Fixes: 88b710532e53 ("wwan: add interface creation support")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20241015131621.47503-1-linma@zju.edu.cn
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/wwan_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wwan/wwan_core.c b/drivers/net/wwan/wwan_core.c
index d293ab6880448..a83de4e3c189c 100644
--- a/drivers/net/wwan/wwan_core.c
+++ b/drivers/net/wwan/wwan_core.c
@@ -927,7 +927,7 @@ static const struct nla_policy wwan_rtnl_policy[IFLA_WWAN_MAX + 1] = {
static struct rtnl_link_ops wwan_rtnl_link_ops __read_mostly = {
.kind = "wwan",
- .maxtype = __IFLA_WWAN_MAX,
+ .maxtype = IFLA_WWAN_MAX,
.alloc = wwan_rtnl_alloc,
.validate = wwan_rtnl_validate,
.newlink = wwan_rtnl_newlink,
--
2.43.0
next prev parent reply other threads:[~2024-10-28 6:29 UTC|newest]
Thread overview: 89+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-28 6:24 [PATCH 5.15 00/80] 5.15.170-rc1 review Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 01/80] bpf: Make sure internal and UAPI bpf_redirect flags dont overlap Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 02/80] bpf: devmap: provide rxq after redirect Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 03/80] RDMA/bnxt_re: Fix incorrect AVID type in WQE structure Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 04/80] RDMA/bnxt_re: Add a check for memory allocation Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 05/80] x86/resctrl: Avoid overflow in MB settings in bw_validate() Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 06/80] ARM: dts: bcm2837-rpi-cm3-io3: Fix HDMI hpd-gpio pin Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 07/80] ALSA: hda/cs8409: Fix possible NULL dereference Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 08/80] RDMA/cxgb4: Fix RDMA_CM_EVENT_UNREACHABLE error for iWARP Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 09/80] RDMA/irdma: Fix misspelling of "accept*" Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 10/80] ipv4: give an IPv4 dev to blackhole_netdev Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 11/80] RDMA/bnxt_re: Return more meaningful error Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 12/80] RDMA/bnxt_re: Fix a bug while setting up Level-2 PBL pages Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 13/80] drm/msm/dsi: fix 32-bit signed integer extension in pclk_rate calculation Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 14/80] drm/msm: Avoid NULL dereference in msm_disp_state_print_regs() Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 15/80] drm/msm: Allocate memory for disp snapshot with kvzalloc() Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 16/80] net: usb: usbnet: fix race in probe failure Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 17/80] octeontx2-af: Fix potential integer overflows on integer shifts Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 18/80] macsec: dont increment counters for an unrelated SA Greg Kroah-Hartman
2024-10-28 6:24 ` [PATCH 5.15 19/80] net: ethernet: aeroflex: fix potential memory leak in greth_start_xmit_gbit() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 20/80] net/smc: Fix searching in list of known pnetids in smc_pnet_add_pnetid Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 21/80] net: xilinx: axienet: fix potential memory leak in axienet_start_xmit() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 22/80] net: systemport: fix potential memory leak in bcm_sysport_xmit() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 23/80] tcp/dccp: Dont use timer_pending() in reqsk_queue_unlink() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 24/80] genetlink: hold RCU in genlmsg_mcast() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 25/80] scsi: target: core: Fix null-ptr-deref in target_alloc_device() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 26/80] smb: client: fix OOBs when building SMB2_IOCTL request Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 27/80] usb: typec: altmode should keep reference to parent Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 28/80] s390: Initialize psw mask in perf_arch_fetch_caller_regs() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 29/80] Bluetooth: bnep: fix wild-memory-access in proto_unregister Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 30/80] arm64:uprobe fix the uprobe SWBP_INSN in big-endian Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 31/80] arm64: probes: Fix uprobes for big-endian kernels Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 32/80] KVM: s390: gaccess: Refactor gpa and length calculation Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 33/80] KVM: s390: gaccess: Refactor access address range check Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 34/80] KVM: s390: gaccess: Cleanup access to guest pages Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 35/80] KVM: s390: gaccess: Check if guest address is in memslot Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 36/80] usb: gadget: Add function wakeup support Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 37/80] XHCI: Separate PORT and CAPs macros into dedicated file Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 38/80] usb: dwc3: core: Fix system suspend on TI AM62 platforms Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 39/80] block, bfq: fix procress reference leakage for bfqq in merge chain Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 40/80] exec: dont WARN for racy path_noexec check Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 41/80] drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 42/80] ASoC: codecs: lpass-rx-macro: add missing CDC_RX_BCL_VBAT_RF_PROC2 to default regs values Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 43/80] ASoC: fsl_sai: Enable FIFO continue on error FCONT bit Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 44/80] arm64: Force position-independent veneers Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 45/80] udf: fix uninit-value use in udf_get_fileshortad Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 46/80] platform/x86: dell-wmi: Ignore suspend notifications Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 47/80] arm64/uprobes: change the uprobe_opcode_t typedef to fix the sparse warning Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 48/80] ASoC: qcom: sm8250: add qrb4210-rb2-sndcard compatible string Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 49/80] platform/x86: dell-sysman: add support for alienware products Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 50/80] jfs: Fix sanity check in dbMount Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 51/80] tracing: Consider the NULL character when validating the event length Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 52/80] xfrm: extract dst lookup parameters into a struct Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 53/80] xfrm: respect ip protocols rules criteria when performing dst lookups Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 54/80] net/sun3_82586: fix potential memory leak in sun3_82586_send_packet() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 55/80] be2net: fix potential memory leak in be_xmit() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 56/80] net: plip: fix break; causing plip to never transmit Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 57/80] net: dsa: mv88e6xxx: Fix error when setting port policy on mv88e6393x Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 58/80] netfilter: xtables: fix typo causing some targets not to load on IPv6 Greg Kroah-Hartman
2024-10-28 6:25 ` Greg Kroah-Hartman [this message]
2024-10-28 6:25 ` [PATCH 5.15 60/80] net: usb: usbnet: fix name regression Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 61/80] net: sched: fix use-after-free in taprio_change() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 62/80] r8169: avoid unsolicited interrupts Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 63/80] posix-clock: posix-clock: Fix unbalanced locking in pc_clock_settime() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 64/80] bpf,perf: Fix perf_event_detach_bpf_prog error handling Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 65/80] ALSA: firewire-lib: Avoid division by zero in apply_constraint_to_size() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 66/80] ALSA: hda/realtek: Update default depop procedure Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 67/80] btrfs: zoned: fix zone unusable accounting for freed reserved extent Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 68/80] drm/amd: Guard against bad data for ATIF ACPI method Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 69/80] ACPI: resource: Add LG 16T90SP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 70/80] ACPI: button: Add DMI quirk for Samsung Galaxy Book2 to fix initial lid detection issue Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 71/80] nilfs2: fix kernel bug due to missing clearing of buffer delay flag Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 72/80] openat2: explicitly return -E2BIG for (usize > PAGE_SIZE) Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 73/80] KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 74/80] ALSA: hda/realtek: Add subwoofer quirk for Acer Predator G9-593 Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 75/80] xfrm: fix one more kernel-infoleak in algo dumping Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 76/80] hv_netvsc: Fix VF namespace also in synthetic NIC NETDEV_REGISTER event Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 77/80] selinux: improve error checking in sel_write_load() Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 78/80] serial: protect uart_port_dtr_rts() in uart_shutdown() too Greg Kroah-Hartman
2024-10-28 6:25 ` [PATCH 5.15 79/80] net: phy: dp83822: Fix reset pin definitions Greg Kroah-Hartman
2024-10-28 6:26 ` [PATCH 5.15 80/80] ASoC: qcom: Fix NULL Dereference in asoc_qcom_lpass_cpu_platform_probe() Greg Kroah-Hartman
2024-10-28 14:21 ` [PATCH 5.15 00/80] 5.15.170-rc1 review Mark Brown
2024-10-28 17:49 ` SeongJae Park
2024-10-28 19:08 ` Florian Fainelli
2024-10-29 2:07 ` [PATCH 5.15] " Hardik Garg
2024-10-29 5:05 ` [PATCH 5.15 00/80] " Harshit Mogalapalli
2024-10-29 7:34 ` Naresh Kamboju
2024-10-29 13:49 ` Muhammad Usama Anjum
2024-10-30 1:46 ` Ron Economos
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241028062254.253690710@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=horms@kernel.org \
--cc=linma@zju.edu.cn \
--cc=loic.poulain@linaro.org \
--cc=pabeni@redhat.com \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.