From: Jiri Pirko <jiri@resnulli.us>
To: Eric Dumazet <edumazet@google.com>
Cc: "David S . Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	netdev@vger.kernel.org, eric.dumazet@gmail.com,
	syzbot <syzkaller@googlegroups.com>
Subject: Re: [PATCH net] netlink: do not hard code device address lenth in fdb dumps
Date: Thu, 22 Jun 2023 09:53:59 +0200
Message-ID: <ZJP+F9cX8KP3M6Eh@nanopsycho>
In-Reply-To: <20230621174720.1845040-1-edumazet@google.com>

Wed, Jun 21, 2023 at 07:47:20PM CEST, edumazet@google.com wrote:
>syzbot reports that some netdev devices do not have a six-byte
>address [1]
>
>Replace ETH_ALEN by dev->addr_len.
>
>[1] (Case of a device where dev->addr_len = 4)
>
>BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
>instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>copyout+0xb8/0x100 lib/iov_iter.c:169
>_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
>copy_to_iter include/linux/uio.h:206 [inline]
>simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
>__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
>skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
>skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
>sock_recvmsg_nosec net/socket.c:1019 [inline]
>sock_recvmsg net/socket.c:1040 [inline]
>____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was stored to memory at:
>__nla_put lib/nlattr.c:1009 [inline]
>nla_put+0x1c6/0x230 lib/nlattr.c:1067
>nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
>nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
>ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
>rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
>netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
>netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
>sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
>____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was created at:
>slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
>slab_alloc_node mm/slub.c:3451 [inline]
>__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
>kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
>kmalloc include/linux/slab.h:559 [inline]
>__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
>__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
>__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
>dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
>igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
>ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
>ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
>addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
>addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
>notifier_call_chain kernel/notifier.c:93 [inline]
>raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
>call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
>call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
>call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
>bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
>do_set_master net/core/rtnetlink.c:2626 [inline]
>rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
>__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
>rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
>rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
>netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
>rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
>netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
>netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
>netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
>sock_sendmsg_nosec net/socket.c:724 [inline]
>sock_sendmsg net/socket.c:747 [inline]
>____sys_sendmsg+0x999/0xd50 net/socket.c:2503
>___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
>__sys_sendmsg net/socket.c:2586 [inline]
>__do_sys_sendmsg net/socket.c:2595 [inline]
>__se_sys_sendmsg net/socket.c:2593 [inline]
>__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Bytes 2856-2857 of 3500 are uninitialized
>Memory access of size 3500 starts at ffff888018d99104
>Data copied to user address 0000000020000480
>
>Fixes: d83b06036048 ("net: add fdb generic dump routine")
>Reported-by: syzbot <syzkaller@googlegroups.com>
>Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Jiri Pirko <jiri@nvidia.com>
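The quoted commit message describes a length mismatch: the hardware-address entry is allocated from the slab (not zeroed) and only dev->addr_len bytes of it are ever written, while the fdb dump emitted the link-layer address attribute with a hard-coded ETH_ALEN, so for a device with addr_len = 4 the two trailing bytes copied to user space were whatever the allocator left behind (the "Bytes 2856-2857 of 3500 are uninitialized" in the report). The following user-space model is an added illustration and is not code from this thread or from the kernel; the struct and function names (hw_addr, net_device_model, nla_put_model, fdb_fill_hardcoded, fdb_fill_addr_len, count_leaked_bytes) are hypothetical stand-ins for netdev_hw_addr, net_device, nla_put and nlmsg_populate_fdb_fill, and the STALE_BYTE marker is a constructed substitute for stale slab contents so the leak can be counted rather than observed with KMSAN.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ETH_ALEN     6   /* kernel's Ethernet address length */
#define MAX_ADDR_LEN 32  /* kernel's upper bound on dev->addr_len */

/* Constructed stand-in for stale allocator contents: in the kernel this
 * would be whatever kmalloc() handed back; here it is a fixed marker. */
#define STALE_BYTE 0xAA

/* Hypothetical model of struct netdev_hw_addr: the buffer is MAX_ADDR_LEN
 * wide, but only dev->addr_len bytes of it are ever initialised. */
struct hw_addr {
    unsigned char addr[MAX_ADDR_LEN];
};

/* Hypothetical model of the one field of struct net_device that matters here. */
struct net_device_model {
    unsigned char addr_len;   /* dev->addr_len */
};

/* Model of __hw_addr_create(): the allocation is not zeroed, and only the
 * first addr_len bytes are copied in. */
static struct hw_addr *hw_addr_create(const unsigned char *addr, unsigned char addr_len)
{
    struct hw_addr *ha = malloc(sizeof(*ha));
    if (!ha)
        return NULL;
    memset(ha->addr, STALE_BYTE, sizeof(ha->addr)); /* simulate uninitialised memory */
    memcpy(ha->addr, addr, addr_len);
    return ha;
}

/* Model of the outgoing netlink message and of nla_put(): append len bytes
 * of payload, whatever they contain. */
struct msg_buf {
    unsigned char data[64];
    size_t len;
};

static int nla_put_model(struct msg_buf *m, const void *payload, size_t len)
{
    if (m->len + len > sizeof(m->data))
        return -1;
    memcpy(m->data + m->len, payload, len);
    m->len += len;
    return 0;
}

/* Before the fix: the attribute length is the hard-coded ETH_ALEN. */
static int fdb_fill_hardcoded(struct msg_buf *m, const struct net_device_model *dev,
                              const struct hw_addr *ha)
{
    (void)dev;
    return nla_put_model(m, ha->addr, ETH_ALEN);
}

/* After the fix: the attribute length follows dev->addr_len. */
static int fdb_fill_addr_len(struct msg_buf *m, const struct net_device_model *dev,
                             const struct hw_addr *ha)
{
    return nla_put_model(m, ha->addr, dev->addr_len);
}

typedef int (*fill_fn)(struct msg_buf *, const struct net_device_model *,
                       const struct hw_addr *);

/* Run one dump with the given fill routine and device address length, and
 * return how many bytes of the emitted message came from the stale region
 * rather than from the real address (-1 on failure). */
static int count_leaked_bytes(fill_fn fill, unsigned char addr_len)
{
    /* Constructed sample address; no byte of it equals STALE_BYTE. */
    static const unsigned char sample[MAX_ADDR_LEN] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };
    struct net_device_model dev = { .addr_len = addr_len };
    struct hw_addr *ha = hw_addr_create(sample, addr_len);
    struct msg_buf m = { .len = 0 };
    int leaked = 0;

    if (!ha)
        return -1;
    if (fill(&m, &dev, ha) < 0) {
        free(ha);
        return -1;
    }
    for (size_t i = 0; i < m.len; i++)
        if (m.data[i] == STALE_BYTE)
            leaked++;
    free(ha);
    return leaked;
}

int main(void)
{
    printf("addr_len=4, hard-coded ETH_ALEN: %d stale byte(s) copied out\n",
           count_leaked_bytes(fdb_fill_hardcoded, 4));
    printf("addr_len=4, dev->addr_len:       %d stale byte(s) copied out\n",
           count_leaked_bytes(fdb_fill_addr_len, 4));
    printf("addr_len=6, hard-coded ETH_ALEN: %d stale byte(s) copied out\n",
           count_leaked_bytes(fdb_fill_hardcoded, 6));
    return 0;
}
```

With addr_len = 4 the hard-coded variant copies two stale bytes into the message, matching the two-byte span KMSAN flagged; with addr_len = 6 the two variants behave identically, which is why the bug only surfaces on devices whose address is shorter than an Ethernet one. The general lesson for reviewing dump paths is that every nla_put() length must be tied to the same value that bounded the source buffer's initialisation.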
