From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Marek Lindner <mareklindner@neomailbox.ch>,
Simon Wunderlich <sw@simonwunderlich.de>,
Antonio Quartulli <a@unstable.cc>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 45/71] batman-adv: fix uninit-value in batadv_interface_tx()
Date: Mon, 25 Feb 2019 22:11:47 +0100 [thread overview]
Message-ID: <20190225195038.027803190@linuxfoundation.org> (raw)
In-Reply-To: <20190225195034.555044862@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 4ffcbfac60642f63ae3d80891f573ba7e94a265c ]
KMSAN reported batadv_interface_tx() was possibly using a
garbage value [1]
batadv_get_vid() does have a pskb_may_pull() call
but batadv_interface_tx() does not actually make sure
this did not fail.
[1]
BUG: KMSAN: uninit-value in batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
CPU: 0 PID: 10006 Comm: syz-executor469 Not tainted 4.20.0-rc7+ #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x173/0x1d0 lib/dump_stack.c:113
kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
__msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
batadv_interface_tx+0x908/0x1e40 net/batman-adv/soft-interface.c:231
__netdev_start_xmit include/linux/netdevice.h:4356 [inline]
netdev_start_xmit include/linux/netdevice.h:4365 [inline]
xmit_one net/core/dev.c:3257 [inline]
dev_hard_start_xmit+0x607/0xc40 net/core/dev.c:3273
__dev_queue_xmit+0x2e42/0x3bc0 net/core/dev.c:3843
dev_queue_xmit+0x4b/0x60 net/core/dev.c:3876
packet_snd net/packet/af_packet.c:2928 [inline]
packet_sendmsg+0x8306/0x8f30 net/packet/af_packet.c:2953
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
__sys_sendto+0x8c4/0xac0 net/socket.c:1788
__do_sys_sendto net/socket.c:1800 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:1796
__x64_sys_sendto+0x6e/0x90 net/socket.c:1796
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x441889
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdda6fd468 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 0000000000441889
RDX: 000000000000000e RSI: 00000000200000c0 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000216 R12: 00007ffdda6fd4c0
R13: 00007ffdda6fd4b0 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2759 [inline]
__kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
__kmalloc_reserve net/core/skbuff.c:137 [inline]
__alloc_skb+0x309/0xa20 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:998 [inline]
alloc_skb_with_frags+0x1c7/0xac0 net/core/skbuff.c:5220
sock_alloc_send_pskb+0xafd/0x10e0 net/core/sock.c:2083
packet_alloc_skb net/packet/af_packet.c:2781 [inline]
packet_snd net/packet/af_packet.c:2872 [inline]
packet_sendmsg+0x661a/0x8f30 net/packet/af_packet.c:2953
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg net/socket.c:631 [inline]
__sys_sendto+0x8c4/0xac0 net/socket.c:1788
__do_sys_sendto net/socket.c:1800 [inline]
__se_sys_sendto+0x107/0x130 net/socket.c:1796
__x64_sys_sendto+0x6e/0x90 net/socket.c:1796
do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
entry_SYSCALL_64_after_hwframe+0x63/0xe7
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Marek Lindner <mareklindner@neomailbox.ch>
Cc: Simon Wunderlich <sw@simonwunderlich.de>
Cc: Antonio Quartulli <a@unstable.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/soft-interface.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -219,6 +219,8 @@ static int batadv_interface_tx(struct sk
switch (ntohs(ethhdr->h_proto)) {
case ETH_P_8021Q:
+ if (!pskb_may_pull(skb, sizeof(*vhdr)))
+ goto dropped;
vhdr = vlan_eth_hdr(skb);
/* drop batman-in-batman packets to prevent loops */
next prev parent reply other threads:[~2019-02-25 21:18 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-25 21:11 [PATCH 4.14 00/71] 4.14.104-stable review Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 01/71] ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 02/71] tracing: Fix number of entries in trace header Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 03/71] MIPS: eBPF: Always return sign extended 32b values Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 04/71] mac80211: Restore vif beacon interval if start ap fails Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 05/71] mac80211: Free mpath object when rhashtable insertion fails Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 06/71] libceph: handle an empty authorize reply Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 07/71] ceph: avoid repeatedly adding inode to mdsc->snap_flush_list Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 08/71] numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 09/71] proc, oom: do not report alien mms when setting oom_score_adj Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 10/71] KEYS: allow reaching the keys quotas exactly Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 11/71] mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 12/71] pvcalls-back: set -ENOTCONN in pvcalls_conn_back_read Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 13/71] mfd: twl-core: Fix section annotations on {,un}protect_pm_master Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 14/71] mfd: db8500-prcmu: Fix some section annotations Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 15/71] mfd: mt6397: Do not call irq_domain_remove if PMIC unsupported Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 16/71] mfd: ab8500-core: Return zero in get_register_interruptible() Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 17/71] mfd: bd9571mwv: Add volatile register to make DVFS work Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 18/71] mfd: qcom_rpm: write fw_version to CTRL_REG Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 19/71] mfd: wm5110: Add missing ASRC rate register Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 20/71] mfd: tps65218: Use devm_regmap_add_irq_chip and clean up error path in probe() Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 21/71] mfd: mc13xxx: Fix a missing check of a register-read failure Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 22/71] xen/pvcalls: remove set but not used variable intf Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 23/71] qed: Fix qed_chain_set_prod() for PBL chains with non power of 2 page count Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 24/71] qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 25/71] net: hns: Fix use after free identified by SLUB debug Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 26/71] MIPS: ath79: Enable OF serial ports in the default config Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 27/71] netfilter: nf_tables: fix leaking object reference count Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 28/71] scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 29/71] scsi: isci: initialize shost fully before calling scsi_add_host() Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 30/71] MIPS: jazz: fix 64bit build Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 31/71] bpf: correctly set initial window on active Fast Open sender Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 32/71] net: stmmac: Fix PCI module removal leak Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 33/71] isdn: i4l: isdn_tty: Fix some concurrency double-free bugs Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 34/71] scsi: ufs: Fix system suspend status Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 35/71] scsi: qedi: Add ep_state for login completion on un-reachable targets Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 36/71] always clear the X2APIC_ENABLE bit for PV guest Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 37/71] drm/meson: add missing of_node_put Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 38/71] atm: he: fix sign-extension overflow on large shift Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 39/71] hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 40/71] leds: lp5523: fix a missing check of return value of lp55xx_read Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 41/71] bpf: bpf_setsockopt: reset sock dst on SO_MARK changes Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 42/71] mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 43/71] net/mlx5e: Fix wrong (zero) TX drop counter indication for representor Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 44/71] isdn: avm: Fix string plus integer warning from Clang Greg Kroah-Hartman
2019-02-25 21:11 ` Greg Kroah-Hartman [this message]
2019-02-25 21:11 ` [PATCH 4.14 46/71] ipv6: propagate genlmsg_reply return code Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 47/71] net/mlx5e: Dont overwrite pedit action when multiple pedit used Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 48/71] net/packet: fix 4gb buffer limit due to overflow check Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 49/71] net: sfp: do not probe SFP module before were attached Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 50/71] sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 51/71] team: avoid complex list operations in team_nl_cmd_options_set() Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 52/71] sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 53/71] net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 54/71] inet_diag: fix reporting cgroup classid and fallback to priority Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 55/71] RDMA/srp: Rework SCSI device reset handling Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 56/71] KEYS: user: Align the payload buffer Greg Kroah-Hartman
2019-02-25 21:11 ` [PATCH 4.14 57/71] KEYS: always initialize keyring_index_key::desc_len Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 58/71] parisc: Fix ptrace syscall number modification Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 59/71] ARCv2: Enable unaligned access in early ASM code Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 60/71] ARC: U-boot: check arguments paranoidly Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 61/71] ARC: define ARCH_SLAB_MINALIGN = 8 Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 62/71] drm/i915/fbdev: Actually configure untiled displays Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 63/71] net: validate untrusted gso packets without csum offload Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 64/71] net: avoid false positives in untrusted gso validation Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 65/71] Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 66/71] netfilter: nf_tables: fix flush after rule deletion in the same batch Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 67/71] netfilter: nft_compat: use-after-free when deleting targets Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 68/71] netfilter: ipv6: Dont preserve original oif for loopback address Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 69/71] pinctrl: max77620: Use define directive for max77620_pinconf_param values Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 70/71] phy: tegra: remove redundant self assignment of map Greg Kroah-Hartman
2019-02-25 21:12 ` [PATCH 4.14 71/71] sched/sysctl: Fix attributes of some extern declarations Greg Kroah-Hartman
2019-02-26 8:44 ` [PATCH 4.14 00/71] 4.14.104-stable review Naresh Kamboju
2019-02-26 12:24 ` Jon Hunter
2019-02-26 14:20 ` kernelci.org bot
2019-02-26 15:40 ` shuah
2019-02-26 17:46 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190225195038.027803190@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=a@unstable.cc \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mareklindner@neomailbox.ch \
--cc=stable@vger.kernel.org \
--cc=sw@simonwunderlich.de \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox