[PATCH 4.4 21/53] net_sched: ematch: reject invalid TCF_EM_SIMPLE

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
	syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com,
	Cong Wang <xiyou.wangcong@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 21/53] net_sched: ematch: reject invalid TCF_EM_SIMPLE
Date: Mon,  3 Feb 2020 16:19:13 +0000	[thread overview]
Message-ID: <20200203161906.952496533@linuxfoundation.org> (raw)
In-Reply-To: <20200203161902.714326084@linuxfoundation.org>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 55cd9f67f1e45de8517cdaab985fb8e56c0bc1d8 ]

It is possible for malicious userspace to set TCF_EM_SIMPLE bit
even for matches that should not have this bit set.

This can fool two places using tcf_em_is_simple()

1) tcf_em_tree_destroy() -> memory leak of em->data
   if ops->destroy() is NULL

2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes
   of a kernel pointer.

BUG: memory leak
unreferenced object 0xffff888121850a40 (size 32):
  comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s)
  hex dump (first 32 bytes):
    00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline]
    [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline]
    [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671
    [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127
    [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline]
    [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32
    [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline]
    [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline]
    [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300
    [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline]
    [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219
    [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104
    [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415
    [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/ematch.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -242,6 +242,9 @@ static int tcf_em_validate(struct tcf_pr
 			goto errout;
 
 		if (em->ops->change) {
+			err = -EINVAL;
+			if (em_hdr->flags & TCF_EM_SIMPLE)
+				goto errout;
 			err = em->ops->change(net, data, data_len, em);
 			if (err < 0)
 				goto errout;

next prev parent reply	other threads:[~2020-02-03 16:23 UTC|newest]

Thread overview: 63+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-02-03 16:18 [PATCH 4.4 00/53] 4.4.213-stable review Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 01/53] ALSA: pcm: Add missing copy ops check before clearing buffer Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 02/53] orinoco_usb: fix interface sanity check Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 03/53] rsi_91x_usb: " Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 04/53] USB: serial: ir-usb: add missing endpoint " Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 05/53] USB: serial: ir-usb: fix link-speed handling Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 06/53] USB: serial: ir-usb: fix IrLAP framing Greg Kroah-Hartman
2020-02-03 16:18 ` [PATCH 4.4 07/53] staging: most: net: fix buffer overflow Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 08/53] staging: wlan-ng: ensure error return is actually returned Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 09/53] staging: vt6656: correct packet types for CTS protect, mode Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 10/53] staging: vt6656: use NULLFUCTION stack on mac80211 Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 11/53] staging: vt6656: Fix false Tx excessive retries reporting Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 12/53] ath9k: fix storage endpoint lookup Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 13/53] brcmfmac: fix interface sanity check Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 14/53] rtl8xxxu: " Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 15/53] zd1211rw: fix storage endpoint lookup Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 16/53] watchdog: rn5t618_wdt: fix module aliases Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 17/53] drivers/net/b44: Change to non-atomic bit operations on pwol_mask Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 18/53] net: wan: sdla: Fix cast from pointer to integer of different size Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 19/53] atm: eni: fix uninitialized variable warning Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 20/53] usb-storage: Disable UAS on JMicron SATA enclosure Greg Kroah-Hartman
2020-02-03 16:19 ` Greg Kroah-Hartman [this message]
2020-02-03 16:19 ` [PATCH 4.4 22/53] crypto: af_alg - Use bh_lock_sock in sk_destruct Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 23/53] vfs: fix do_last() regression Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 24/53] crypto: pcrypt - Fix user-after-free on module unload Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 25/53] arm64: kbuild: remove compressed images on make ARCH=arm64 (dist)clean Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 26/53] mm/mempolicy.c: fix out of bounds write in mpol_parse_str() Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 27/53] reiserfs: Fix memory leak of journal device string Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 28/53] media: digitv: dont continue if remote control state cant be read Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 29/53] media: gspca: zero usb_buf Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 30/53] media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 31/53] ttyprintk: fix a potential deadlock in interrupt context issue Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 32/53] usb: dwc3: turn off VBUS when leaving host mode Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 33/53] media: si470x-i2c: Move free() past last use of radio Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 34/53] clk: mmp2: Fix the order of timer mux parents Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 35/53] ixgbevf: Remove limit of 10 entries for unicast filter list Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 36/53] ixgbe: Fix calculation of queue with VFs and flow director on interface flap Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 37/53] wireless: wext: avoid gcc -O3 warning Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 38/53] Input: aiptek - use descriptors of current altsetting Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 39/53] vti[6]: fix packet tx through bpf_redirect() Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 40/53] scsi: fnic: do not queue commands during fwreset Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 41/53] ARM: 8955/1: virt: Relax arch timer version check during early boot Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 42/53] airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 43/53] airo: Add missing CAP_NET_ADMIN check " Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 44/53] r8152: get default setting of WOL before initializing Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 45/53] qlcnic: Fix CPU soft lockup while collecting firmware dump Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 46/53] net/fsl: treat fsl,erratum-a011043 Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 47/53] net/sonic: Add mutual exclusion for accessing shared state Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 48/53] net/sonic: Use MMIO accessors Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 49/53] net/sonic: Fix receive buffer handling Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 50/53] net/sonic: Quiesce SONIC before re-initializing descriptor memory Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 51/53] seq_tab_next() should increase position index Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 52/53] l2t_seq_next " Greg Kroah-Hartman
2020-02-03 16:19 ` [PATCH 4.4 53/53] net: Fix skb->csum update in inet_proto_csum_replace16() Greg Kroah-Hartman
2020-02-03 21:39 ` [PATCH 4.4 00/53] 4.4.213-stable review Jon Hunter
2020-02-04  9:50 ` Chris Paterson
2020-02-04 12:47   ` Pavel Machek
2020-02-05 13:02   ` Greg Kroah-Hartman
2020-02-05 22:37     ` [cip-dev] " Pavel Machek
2020-02-04 14:43 ` Guenter Roeck
2020-02-05 13:02   ` Greg Kroah-Hartman
2020-02-04 17:18 ` Guenter Roeck
2020-02-05  2:02 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200203161906.952496533@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).