From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com,
Cong Wang <xiyou.wangcong@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 23/55] net_sched: ematch: reject invalid TCF_EM_SIMPLE
Date: Thu, 30 Jan 2020 19:39:04 +0100 [thread overview]
Message-ID: <20200130183613.017934048@linuxfoundation.org> (raw)
In-Reply-To: <20200130183608.563083888@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 ]
It is possible for malicious userspace to set TCF_EM_SIMPLE bit
even for matches that should not have this bit set.
This can fool two places using tcf_em_is_simple()
1) tcf_em_tree_destroy() -> memory leak of em->data
if ops->destroy() is NULL
2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
of a kernel pointer.
BUG: memory leak
unreferenced object 0xffff888121850a40 (size 32):
comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
hex dump (first 32 bytes):
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
[<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
[<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
[<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
[<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
[<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
[<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
[<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
[<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
[<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
[<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
[<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
[<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
[<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
[<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
[<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
[<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
[<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
[<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
[<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
[<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
[<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/ematch.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -242,6 +242,9 @@ static int tcf_em_validate(struct tcf_pr
goto errout;
if (em->ops->change) {
+ err = -EINVAL;
+ if (em_hdr->flags & TCF_EM_SIMPLE)
+ goto errout;
err = em->ops->change(net, data, data_len, em);
if (err < 0)
goto errout;
next prev parent reply other threads:[~2020-01-30 18:50 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-30 18:38 [PATCH 4.19 00/55] 4.19.101-stable review Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 01/55] orinoco_usb: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 02/55] rsi_91x_usb: " Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 03/55] usb: dwc3: pci: add ID for the Intel Comet Lake -V variant Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 04/55] USB: serial: ir-usb: add missing endpoint sanity check Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 05/55] USB: serial: ir-usb: fix link-speed handling Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 06/55] USB: serial: ir-usb: fix IrLAP framing Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 07/55] usb: dwc3: turn off VBUS when leaving host mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 08/55] staging: most: net: fix buffer overflow Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 09/55] staging: wlan-ng: ensure error return is actually returned Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 10/55] staging: vt6656: correct packet types for CTS protect, mode Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 11/55] staging: vt6656: use NULLFUCTION stack on mac80211 Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 12/55] staging: vt6656: Fix false Tx excessive retries reporting Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 13/55] serial: 8250_bcm2835aux: Fix line mismatch on driver unbind Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 14/55] component: do not dereference opaque pointer in debugfs Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 15/55] mei: me: add comet point (lake) H device ids Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 16/55] iio: st_gyro: Correct data for LSM9DS0 gyro Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 17/55] crypto: chelsio - fix writing tfm flags to wrong place Greg Kroah-Hartman
2020-01-30 18:38 ` [PATCH 4.19 18/55] cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 19/55] ath9k: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 20/55] brcmfmac: fix interface sanity check Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 21/55] rtl8xxxu: " Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 22/55] zd1211rw: fix storage endpoint lookup Greg Kroah-Hartman
2020-01-30 18:39 ` Greg Kroah-Hartman [this message]
2020-01-30 18:39 ` [PATCH 4.19 24/55] net_sched: fix ops->bind_class() implementations Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 25/55] HID: multitouch: Add LG MELF0410 I2C touchscreen support Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 26/55] arc: eznps: fix allmodconfig kconfig warning Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 27/55] HID: Add quirk for Xin-Mo Dual Controller Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 28/55] HID: ite: Add USB id match for Acer SW5-012 keyboard dock Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 29/55] HID: Add quirk for incorrect input length on Lenovo Y720 Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 30/55] drivers/hid/hid-multitouch.c: fix a possible null pointer access Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 31/55] phy: qcom-qmp: Increase PHY ready timeout Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 32/55] phy: cpcap-usb: Prevent USB line glitches from waking up modem Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 33/55] watchdog: max77620_wdt: fix potential build errors Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 34/55] watchdog: rn5t618_wdt: fix module aliases Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 35/55] spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 36/55] drivers/net/b44: Change to non-atomic bit operations on pwol_mask Greg Kroah-Hartman
2020-01-31 12:57 ` Pavel Machek
2020-01-31 13:45 ` David Laight
2020-01-31 14:03 ` Peter Zijlstra
2020-01-31 21:44 ` Luck, Tony
2020-01-30 18:39 ` [PATCH 4.19 37/55] net: wan: sdla: Fix cast from pointer to integer of different size Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 38/55] gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 39/55] atm: eni: fix uninitialized variable warning Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 40/55] HID: steam: Fix input device disappearing Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 41/55] platform/x86: dell-laptop: disable kbd backlight on Inspiron 10xx Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 42/55] PCI: Add DMA alias quirk for Intel VCA NTB Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 43/55] iommu/amd: Support multiple PCI DMA aliases in IRQ Remapping Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 44/55] ARM: OMAP2+: SmartReflex: add omap_sr_pdata definition Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 45/55] usb-storage: Disable UAS on JMicron SATA enclosure Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 46/55] sched/fair: Add tmp_alone_branch assertion Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 47/55] sched/fair: Fix insertion in rq->leaf_cfs_rq_list Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 48/55] rsi: fix use-after-free on probe errors Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 49/55] rsi: fix memory leak on failed URB submission Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 50/55] rsi: fix non-atomic allocation in completion handler Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 51/55] crypto: af_alg - Use bh_lock_sock in sk_destruct Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 52/55] random: try to actively add entropy rather than passively wait for it Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 53/55] block: cleanup __blkdev_issue_discard() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 54/55] block: fix 32 bit overflow in __blkdev_issue_discard() Greg Kroah-Hartman
2020-01-30 18:39 ` [PATCH 4.19 55/55] KVM: arm64: Write arch.mdcr_el2 changes since last vcpu_load on VHE Greg Kroah-Hartman
2020-01-31 4:40 ` [PATCH 4.19 00/55] 4.19.101-stable review shuah
2020-01-31 11:03 ` Jon Hunter
2020-01-31 13:12 ` Pavel Machek
2020-01-31 21:30 ` Greg Kroah-Hartman
2020-01-31 14:40 ` Naresh Kamboju
2020-01-31 17:32 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200130183613.017934048@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).