From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, ChunYu Wang <chunwang@redhat.com>,
Xin Long <lucien.xin@gmail.com>, Chris Leech <cleech@redhat.com>,
"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 3.18 07/24] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
Date: Tue, 3 Oct 2017 14:18:28 +0200
Message-ID: <20171003113647.667203967@linuxfoundation.org>
In-Reply-To: <20171003113646.772919167@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit c88f0e6b06f4092995688211a631bb436125d77b upstream.
ChunYu found a kernel crash by syzkaller:
[ 651.617875] kasan: CONFIG_KASAN_INLINE enabled
[ 651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ 651.618731] general protection fault: 0000 [#1] SMP KASAN
[ 651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[ 651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[ 651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[ 651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[ 651.627260] Call Trace:
[ 651.629156] skb_release_all+0x4f/0x60
[ 651.629450] consume_skb+0x1a5/0x600
[ 651.630705] netlink_unicast+0x505/0x720
[ 651.632345] netlink_sendmsg+0xab2/0xe70
[ 651.633704] sock_sendmsg+0xcf/0x110
[ 651.633942] ___sys_sendmsg+0x833/0x980
[ 651.637117] __sys_sendmsg+0xf3/0x240
[ 651.638820] SyS_sendmsg+0x32/0x50
[ 651.639048] entry_SYSCALL_64_fastpath+0x1f/0xc2
It's caused by the skb_shared_info at the end of the sk_buff being overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from the skb in iscsi_if_rx.
During the loop, if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will actually get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.
This patch fixes it by checking nlh->nlmsg_len properly there to
avoid over-accessing the sk_buff.
Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/scsi_transport_iscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3693,7 +3693,7 @@ iscsi_if_rx(struct sk_buff *skb)
uint32_t group;
nlh = nlmsg_hdr(skb);
- if (nlh->nlmsg_len < sizeof(*nlh) ||
+ if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
skb->len < nlh->nlmsg_len) {
break;
}
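Review bot: the tightened minimum in the `+` line is the right fix, since it makes the payload fit inside `nlmsg_len` before `ev = nlmsg_data(nlh)` is dereferenced, and `sizeof(*ev)` only needs the pointer's type, so using it before `ev` is assigned is fine. Two points worth a comment in the code: the `skb->len < nlh->nlmsg_len` half of the condition is still required, because the first half bounds the payload against the message while the second bounds the message against the buffer, and the `break` that follows means a too-short message silently ends processing of the whole skb with no error counter or log line, which is acceptable for a stable fix but should be stated so nobody "simplifies" it later. Stylistically the same check could read `nlmsg_len(nlh) < sizeof(*ev)` using the helper from include/net/netlink.h, but the explicit form above is clearer in a minimal backport.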
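To make the length check concrete, the following is an added example (not code from the patch, the kernel, or its authors) that replays a netlink-style receive loop in user space over a constructed buffer. It uses stand-in structs for `struct nlmsghdr` (same 16-byte layout) and for the first fields of `struct iscsi_uevent` (an assumption; the real struct is larger), and applies either the pre-patch check (header only) or the post-patch check (header plus payload). The sample buffer holds one complete message followed by a header-only message, the shape described in the commit message, and the walker reports whether reading the payload would have run past the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for struct nlmsghdr; same 16-byte layout as the kernel header. */
struct nlmsghdr_like {
    uint32_t nlmsg_len;   /* total length of this message: header plus payload */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

/* Constructed stand-in for the leading fields of struct iscsi_uevent (assumption). */
struct uevent_like {
    uint32_t type;
    uint32_t transport_handle_lo;
    uint32_t transport_handle_hi;
};

#define ALIGN4(len) (((len) + 3U) & ~3U)            /* like NLMSG_ALIGN */
#define HDR_LEN     sizeof(struct nlmsghdr_like)   /* 16 */
#define MSG_MIN     (HDR_LEN + sizeof(struct uevent_like)) /* 28 */

/* Returns 1 when a message of nlmsg_len bytes inside skb_len bytes passes the
 * check; patched=0 is the '-' line of the hunk, patched=1 is the '+' line. */
int length_check_ok(uint32_t nlmsg_len, size_t skb_len, int patched)
{
    size_t minimum = patched ? MSG_MIN : HDR_LEN;
    if (nlmsg_len < minimum || skb_len < nlmsg_len)
        return 0;
    return 1;
}

/* Walks buf the way a netlink receive loop does. Returns how many messages
 * had their payload read; *overrun is set to 1 if any payload read would have
 * extended past skb_len (the condition KASAN flagged in the report above). */
int walk_messages(const unsigned char *buf, size_t skb_len, int patched, int *overrun)
{
    size_t off = 0;
    int handled = 0;
    *overrun = 0;
    while (off + HDR_LEN <= skb_len) {
        struct nlmsghdr_like nlh;
        memcpy(&nlh, buf + off, HDR_LEN);
        if (!length_check_ok(nlh.nlmsg_len, skb_len - off, patched))
            break;
        /* Here the real code does ev = nlmsg_data(nlh) and reads ev->type. */
        if (off + MSG_MIN > skb_len)
            *overrun = 1;
        handled++;
        off += ALIGN4(nlh.nlmsg_len);
    }
    return handled;
}

/* Constructed sample: one complete message, then a header-only message whose
 * nlmsg_len equals sizeof(nlmsghdr) and exactly reaches the end of the buffer. */
size_t build_sample(unsigned char *buf, size_t bufsz)
{
    struct nlmsghdr_like full = { (uint32_t)MSG_MIN, 0, 0, 1, 0 };
    struct uevent_like   ev   = { 1, 0, 0 };
    struct nlmsghdr_like bare = { (uint32_t)HDR_LEN, 0, 0, 2, 0 };
    size_t need = ALIGN4(MSG_MIN) + HDR_LEN;        /* 28 + 16 = 44 */
    if (bufsz < need)
        return 0;
    memset(buf, 0, need);
    memcpy(buf, &full, HDR_LEN);
    memcpy(buf + HDR_LEN, &ev, sizeof ev);
    memcpy(buf + ALIGN4(MSG_MIN), &bare, HDR_LEN);
    return need;
}

/* Convenience wrappers: number of messages handled / whether an overrun occurred. */
int demo_handled(int patched)
{
    unsigned char buf[64];
    int overrun;
    size_t n = build_sample(buf, sizeof buf);
    return walk_messages(buf, n, patched, &overrun);
}

int demo_overrun(int patched)
{
    unsigned char buf[64];
    int overrun;
    size_t n = build_sample(buf, sizeof buf);
    walk_messages(buf, n, patched, &overrun);
    return overrun;
}

int main(void)
{
    printf("pre-patch : handled=%d overrun=%d\n", demo_handled(0), demo_overrun(0));
    printf("post-patch: handled=%d overrun=%d\n", demo_handled(1), demo_overrun(1));
    return 0;
}
```

With the pre-patch check the header-only trailer passes both conditions, so the loop reads a payload that lies entirely past the end of the buffer; in the kernel that region is the skb_shared_info, which is why the crash surfaced in skb_release_data. With the post-patch check the same trailer is rejected and the loop stops before touching it.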