From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Craig Gallek <kraigatgoog@gmail.com>
Cc: LKML <linux-kernel@vger.kernel.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH 3.18 08/20] tun/tap: sanitize TUNSETSNDBUF input
Date: Fri, 17 Nov 2017 08:59:57 +0100
Message-ID: <20171117075957.GB4660@kroah.com>
In-Reply-To: <CAEfhGiwTzKWbF98fd6TYy5h2b3nB4NqA+B2+=-zJE7kQzSTOuA@mail.gmail.com>
On Thu, Nov 16, 2017 at 04:25:13PM -0500, Craig Gallek wrote:
> On Thu, Nov 16, 2017 at 12:28 PM, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> > 3.18-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Craig Gallek <kraig@google.com>
> >
> >
> > [ Upstream commit 93161922c658c714715686cd0cf69b090cb9bf1d ]
> >
> > Syzkaller found several variants of the lockup below by setting negative
> > values with the TUNSETSNDBUF ioctl. This patch adds a sanity check
> > to both the tun and tap versions of this ioctl.
> >
> > watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
> > Modules linked in:
> > irq event stamp: 329692056
> > hardirqs last enabled at (329692055): [<ffffffff824b8381>] _raw_spin_unlock_irqrestore+0x31/0x75
> > hardirqs last disabled at (329692056): [<ffffffff824b9e58>] apic_timer_interrupt+0x98/0xb0
> > softirqs last enabled at (35659740): [<ffffffff824bc958>] __do_softirq+0x328/0x48c
> > softirqs last disabled at (35659731): [<ffffffff811c796c>] irq_exit+0xbc/0xd0
> > CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> > task: ffff880009452140 task.stack: ffff880006a20000
> > RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
> > RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
> > RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
> > RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
> > RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
> > R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
> > R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
> > FS: 00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
> > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
> > Call Trace:
> > prepare_to_wait+0x26/0xc0
> > sock_alloc_send_pskb+0x14e/0x270
> > ? remove_wait_queue+0x60/0x60
> > tun_get_user+0x2cc/0x19d0
> > ? __tun_get+0x60/0x1b0
> > tun_chr_write_iter+0x57/0x86
> > __vfs_write+0x156/0x1e0
> > vfs_write+0xf7/0x230
> > SyS_write+0x57/0xd0
> > entry_SYSCALL_64_fastpath+0x1f/0xbe
> > RIP: 0033:0x7f4be4356df9
> > RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
> > RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
> > RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
> > RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
> > R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
> > R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000
> >
> > Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
> > Fixes: 20d29d7a916a ("net: macvtap driver")
> > Signed-off-by: Craig Gallek <kraig@google.com>
> > Reviewed-by: Eric Dumazet <edumazet@google.com>
> > Signed-off-by: David S. Miller <davem@davemloft.net>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> > drivers/net/macvtap.c | 2 ++
> > drivers/net/tun.c | 4 ++++
> > 2 files changed, 6 insertions(+)
> >
> > --- a/drivers/net/macvtap.c
> > +++ b/drivers/net/macvtap.c
> > @@ -1047,6 +1047,8 @@ static long macvtap_ioctl(struct file *f
> > case TUNSETSNDBUF:
> > if (get_user(u, up))
> > return -EFAULT;
> > + if (s <= 0)
> > + return -EINVAL;
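Review bot: the added check tests `s`, but the value read by `get_user(u, up)` on the line above lands in `u`, so in this backport the comparison needs to be `if (u <= 0)`; as posted it either does not build or inspects a variable that has nothing to do with the ioctl argument. Also confirm the type `u` is declared with: the check only rejects negative values, as the commit message intends, when the comparison is made on a signed int that is then stored into sk_sndbuf; if `u` and `up` are unsigned, `u <= 0` rejects only zero, a negative value from userspace sails through unchanged, and reading the argument through a signed `int` (as the upstream variable name `s` suggests that version does) would be the safer backport.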
> Yay build bot! This 's' should be a 'u' in the 3.18 version.
Yes, that was a good catch, I'll go fix this up, thanks.
greg k-h
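To make the point of the backport fix concrete, here is an added example in C that is not part of the patch, the thread, or the kernel. It models the two things that matter in the hunk above: sk_sndbuf is a signed int, and the writer in sock_alloc_send_pskb() can only proceed once the queued write memory drops below sk_sndbuf. The struct, the function names and the "unsigned" variant are all assumptions constructed for illustration; the signed variant mirrors the shape of the upstream check (read into a signed int, reject anything <= 0). Running it shows why the type the comparison is made on decides whether a negative value reaches the socket at all.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the socket state the ioctl touches.  In the kernel
 * sk->sk_sndbuf is a signed int and sk_wmem_alloc (bytes queued for
 * transmit) is never negative. */
struct model_sock {
    int sk_sndbuf;
    int sk_wmem_alloc;
};

/* Shape of the upstream check: read the argument into a signed int and
 * reject everything <= 0 before it is stored.  'raw' is the 32-bit word
 * userspace passed to the ioctl; casting 0xFFFFFFFF to int yields -1 on
 * every platform the kernel runs on (two's complement). */
int setsndbuf_signed(struct model_sock *sk, uint32_t raw)
{
    int s = (int)raw;            /* get_user(s, (int __user *)argp) */
    if (s <= 0)
        return -EINVAL;
    sk->sk_sndbuf = s;
    return 0;
}

/* Hypothetical variant: the same check made on an unsigned local.
 * 'u <= 0' can only be true for zero, so 0xFFFFFFFF passes and becomes
 * -1 once stored into the int field. */
int setsndbuf_unsigned(struct model_sock *sk, uint32_t raw)
{
    unsigned int u = raw;        /* get_user(u, (unsigned int __user *)argp) */
    if (u <= 0)
        return -EINVAL;
    sk->sk_sndbuf = (int)u;
    return 0;
}

/* Model of the wait condition in sock_alloc_send_pskb(): the writer wakes
 * up once queued write memory is below sk_sndbuf.  With a negative
 * sk_sndbuf this is never true, which is the writer that never makes
 * progress in the soft-lockup report. */
bool can_send(const struct model_sock *sk)
{
    return sk->sk_wmem_alloc < sk->sk_sndbuf;
}

/* Convenience wrappers so each outcome is a plain return value. */
int try_signed(uint32_t raw)
{
    struct model_sock sk = { .sk_sndbuf = 0, .sk_wmem_alloc = 0 };
    return setsndbuf_signed(&sk, raw);
}

int try_unsigned(uint32_t raw)
{
    struct model_sock sk = { .sk_sndbuf = 0, .sk_wmem_alloc = 0 };
    return setsndbuf_unsigned(&sk, raw);
}

/* Apply the unsigned-check path with an empty queue and report whether a
 * write could ever proceed afterwards. */
bool unsigned_path_can_send(uint32_t raw)
{
    struct model_sock sk = { .sk_sndbuf = 0, .sk_wmem_alloc = 0 };
    setsndbuf_unsigned(&sk, raw);
    return can_send(&sk);
}

int main(void)
{
    uint32_t neg_one = 0xFFFFFFFFu;   /* what -1 from userspace looks like */

    printf("signed check,   arg -1: %d\n", try_signed(neg_one));
    printf("unsigned check, arg -1: %d\n", try_unsigned(neg_one));
    printf("after unsigned path, writer can send: %s\n",
           unsigned_path_can_send(neg_one) ? "yes" : "no");
    printf("signed check,   arg 65536: %d\n", try_signed(65536));
    return 0;
}
```

The signed path returns -EINVAL for the negative value and the writer is never put in an unsatisfiable wait; the unsigned path accepts it, stores -1, and every subsequent write would sit forever waiting for queued memory to drop below a negative bound.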
Thread overview: 24+ messages
2017-11-16 17:28 [PATCH 3.18 00/20] 3.18.82-stable review Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 01/20] [PATCH] Revert "ceph: unlock dangling spinlock in try_flush_caps()" Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 02/20] mac80211: accept key reinstall without changing anything Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 03/20] mac80211: use constant time comparison with keys Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 04/20] mac80211: dont compare TKIP TX MIC key in reinstall prevention Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 05/20] usb: usbtest: fix NULL pointer dereference Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 06/20] Input: ims-psu - check if CDC union descriptor is sane Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 08/20] tun/tap: sanitize TUNSETSNDBUF input Greg Kroah-Hartman
2017-11-16 21:25 ` Craig Gallek
2017-11-17 7:59 ` Greg Kroah-Hartman [this message]
2017-11-16 17:28 ` [PATCH 3.18 09/20] tcp: fix tcp_mtu_probe() vs highest_sack Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 10/20] l2tp: check ps->sock before running pppol2tp_session_ioctl() Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 11/20] tun: call dev_get_valid_name() before register_netdevice() Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 12/20] sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 13/20] net/unix: dont show information about sockets from other namespaces Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 14/20] tun: allow positive return values on dev_get_valid_name() call Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 15/20] sctp: reset owner sk for data chunks on out queues when migrating a sock Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 16/20] ipv6: flowlabel: do not leave opt->tot_len with garbage Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 17/20] ipip: only increase err_count for some certain type icmp in ipip_err Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 18/20] ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 19/20] security/keys: add CONFIG_KEYS_COMPAT to Kconfig Greg Kroah-Hartman
2017-11-16 17:28 ` [PATCH 3.18 20/20] target/iscsi: Fix iSCSI task reassignment handling Greg Kroah-Hartman
2017-11-16 22:43 ` [PATCH 3.18 00/20] 3.18.82-stable review Shuah Khan
2017-11-17 2:00 ` Guenter Roeck