From: Xin Long <lucien.xin@gmail.com>
To: linux-scsi@vger.kernel.org
Cc: jejb@linux.vnet.ibm.com
Subject: Re: [PATCH] scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Date: Mon, 28 Aug 2017 00:37:56 +1200 [thread overview]
Message-ID: <CADvbK_f77ruyt3fQtcs+f=fKzG7RDtAym_OeFU9t5NLNAGGPGw@mail.gmail.com> (raw)
In-Reply-To: <0c9fd6fbc0f5fa7b72e6ae5b82d5499a38fd375e.1503836726.git.lucien.xin@gmail.com>
cc jejb@linux.vnet.ibm.com
On Mon, Aug 28, 2017 at 12:25 AM, Xin Long <lucien.xin@gmail.com> wrote:
> ChunYu found a kernel crash by syzkaller:
>
> [ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
> [ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
> [ 651.618731] general protection fault: 0000 [#1] SMP KASAN
> [ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
> [ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
> [ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
> [ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
> [...]
> [ 651.627260] Call Trace:
> [ 651.629156] skb_release_all+0x4f/0x60
> [ 651.629450] consume_skb+0x1a5/0x600
> [ 651.630705] netlink_unicast+0x505/0x720
> [ 651.632345] netlink_sendmsg+0xab2/0xe70
> [ 651.633704] sock_sendmsg+0xcf/0x110
> [ 651.633942] ___sys_sendmsg+0x833/0x980
> [ 651.637117] __sys_sendmsg+0xf3/0x240
> [ 651.638820] SyS_sendmsg+0x32/0x50
> [ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
>
> It's caused by skb_shared_info at the end of sk_buff was overwritten by
> ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.
>
> During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
> ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
> new value to skb_shinfo(SKB)->nr_frags by ev->type.
>
> This patch is to fix it by checking nlh->nlmsg_len properly there to
> avoid over accessing sk_buff.
>
> Reported-by: ChunYu Wang <chunwang@redhat.com>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
> drivers/scsi/scsi_transport_iscsi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
> index e4b3d8f..bb4ed7b 100644
> --- a/drivers/scsi/scsi_transport_iscsi.c
> +++ b/drivers/scsi/scsi_transport_iscsi.c
> @@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
> uint32_t group;
>
> nlh = nlmsg_hdr(skb);
> - if (nlh->nlmsg_len < sizeof(*nlh) ||
> + if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
> skb->len < nlh->nlmsg_len) {
> break;
> }
> --
> 2.1.0
>
next prev parent reply other threads:[~2017-08-27 12:37 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-27 12:25 [PATCH] scsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly Xin Long
2017-08-27 12:37 ` Xin Long [this message]
2017-09-13 15:51 ` Chris Leech
2017-09-25 10:56 ` Vladis Dronov
2017-09-25 19:28 ` [PATCH] " Martin K. Petersen
2017-09-29 13:33 ` Ewan D. Milne
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADvbK_f77ruyt3fQtcs+f=fKzG7RDtAym_OeFU9t5NLNAGGPGw@mail.gmail.com' \
--to=lucien.xin@gmail.com \
--cc=jejb@linux.vnet.ibm.com \
--cc=linux-scsi@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).