From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 22/48] net: rmnet: fix NULL pointer dereference in rmnet_newlink()
Date: Thu, 19 Mar 2020 14:04:04 +0100 [thread overview]
Message-ID: <20200319123910.067354815@linuxfoundation.org> (raw)
In-Reply-To: <20200319123902.941451241@linuxfoundation.org>
From: Taehee Yoo <ap420073@gmail.com>
[ Upstream commit 93b5cbfa9636d385126f211dca9efa7e3f683202 ]
rmnet registers IFLA_LINK interface as a lower interface.
But, IFLA_LINK could be NULL.
In the current code, rmnet doesn't check IFLA_LINK.
So, panic would occur.
Test commands:
modprobe rmnet
ip link add rmnet0 type rmnet mux_id 1
Splat looks like:
[ 36.826109][ T1115] general protection fault, probably for non-canonical address 0xdffffc0000000000I
[ 36.838817][ T1115] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
[ 36.839908][ T1115] CPU: 1 PID: 1115 Comm: ip Not tainted 5.6.0-rc1+ #447
[ 36.840569][ T1115] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 36.841408][ T1115] RIP: 0010:rmnet_newlink+0x54/0x510 [rmnet]
[ 36.841986][ T1115] Code: 83 ec 18 48 c1 e9 03 80 3c 01 00 0f 85 d4 03 00 00 48 8b 6a 28 48 b8 00 00 00 00 00 c
[ 36.843923][ T1115] RSP: 0018:ffff8880b7e0f1c0 EFLAGS: 00010247
[ 36.844756][ T1115] RAX: dffffc0000000000 RBX: ffff8880d14cca00 RCX: 1ffff11016fc1e99
[ 36.845859][ T1115] RDX: 0000000000000000 RSI: ffff8880c3d04000 RDI: 0000000000000004
[ 36.846961][ T1115] RBP: 0000000000000000 R08: ffff8880b7e0f8b0 R09: ffff8880b6ac2d90
[ 36.848020][ T1115] R10: ffffffffc0589a40 R11: ffffed1016d585b7 R12: ffffffff88ceaf80
[ 36.848788][ T1115] R13: ffff8880c3d04000 R14: ffff8880b7e0f8b0 R15: ffff8880c3d04000
[ 36.849546][ T1115] FS: 00007f50ab3360c0(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
[ 36.851784][ T1115] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 36.852422][ T1115] CR2: 000055871afe5ab0 CR3: 00000000ae246001 CR4: 00000000000606e0
[ 36.853181][ T1115] Call Trace:
[ 36.853514][ T1115] __rtnl_newlink+0xbdb/0x1270
[ 36.853967][ T1115] ? lock_downgrade+0x6e0/0x6e0
[ 36.854420][ T1115] ? rtnl_link_unregister+0x220/0x220
[ 36.854936][ T1115] ? lock_acquire+0x164/0x3b0
[ 36.855376][ T1115] ? is_bpf_image_address+0xff/0x1d0
[ 36.855884][ T1115] ? rtnl_newlink+0x4c/0x90
[ 36.856304][ T1115] ? kernel_text_address+0x111/0x140
[ 36.856857][ T1115] ? __kernel_text_address+0xe/0x30
[ 36.857440][ T1115] ? unwind_get_return_address+0x5f/0xa0
[ 36.858063][ T1115] ? create_prof_cpu_mask+0x20/0x20
[ 36.858644][ T1115] ? arch_stack_walk+0x83/0xb0
[ 36.859171][ T1115] ? stack_trace_save+0x82/0xb0
[ 36.859710][ T1115] ? stack_trace_consume_entry+0x160/0x160
[ 36.860357][ T1115] ? deactivate_slab.isra.78+0x2c5/0x800
[ 36.860928][ T1115] ? kasan_unpoison_shadow+0x30/0x40
[ 36.861520][ T1115] ? kmem_cache_alloc_trace+0x135/0x350
[ 36.862125][ T1115] ? rtnl_newlink+0x4c/0x90
[ 36.864073][ T1115] rtnl_newlink+0x65/0x90
[ ... ]
Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
index 4c476fac78358..0fb9375b4f69e 100644
--- a/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
+++ b/drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c
@@ -144,6 +144,11 @@ static int rmnet_newlink(struct net *src_net, struct net_device *dev,
int err = 0;
u16 mux_id;
+ if (!tb[IFLA_LINK]) {
+ NL_SET_ERR_MSG_MOD(extack, "link not specified");
+ return -EINVAL;
+ }
+
real_dev = __dev_get_by_index(src_net, nla_get_u32(tb[IFLA_LINK]));
if (!real_dev || !dev)
return -ENODEV;
--
2.20.1
next prev parent reply other threads:[~2020-03-19 13:19 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-19 13:03 [PATCH 4.19 00/48] 4.19.112-rc1 review Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 01/48] perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 02/48] mmc: core: Default to generic_cmd6_time as timeout in __mmc_switch() Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 03/48] mmc: sdhci-omap: Add platform specific reset callback Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 04/48] mmc: sdhci-omap: Workaround errata regarding SDR104/HS200 tuning failures (i929) Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 05/48] mmc: host: Fix Kconfig warnings on keystone_defconfig Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 06/48] mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 07/48] mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 08/48] mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 09/48] mmc: core: Allow host controllers to require R1B for CMD6 Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 10/48] ACPI: watchdog: Allow disabling WDAT at boot Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 11/48] HID: apple: Add support for recent firmware on Magic Keyboards Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 12/48] HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 13/48] cfg80211: check reg_rule for NULL in handle_channel_custom() Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 14/48] scsi: libfc: free response frame from GPN_ID Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 15/48] net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 16/48] net: ks8851-ml: Fix IRQ handling and locking Greg Kroah-Hartman
2020-03-19 13:03 ` [PATCH 4.19 17/48] mac80211: rx: avoid RCU list traversal under mutex Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 18/48] signal: avoid double atomic counter increments for user accounting Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 19/48] slip: not call free_netdev before rtnl_unlock in slip_open Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 20/48] hinic: fix a irq affinity bug Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 21/48] hinic: fix a bug of setting hw_ioctxt Greg Kroah-Hartman
2020-03-19 13:04 ` Greg Kroah-Hartman [this message]
2020-03-19 13:04 ` [PATCH 4.19 23/48] net: rmnet: fix NULL pointer dereference in rmnet_changelink() Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 24/48] net: rmnet: fix suspicious RCU usage Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 25/48] net: rmnet: remove rcu_read_lock in rmnet_force_unassociate_device() Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 26/48] net: rmnet: do not allow to change mux id if mux id is duplicated Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 27/48] net: rmnet: use upper/lower device infrastructure Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 28/48] net: rmnet: fix bridge mode bugs Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 29/48] net: rmnet: fix packet forwarding in rmnet bridge mode Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 30/48] sfc: fix timestamp reconstruction at 16-bit rollover points Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 31/48] jbd2: fix data races at struct journal_head Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 32/48] wimax: i2400: fix memory leak Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 33/48] wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 34/48] mmc: sdhci-omap: Dont finish_mrq() on a command error during tuning Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 35/48] mmc: sdhci-omap: Fix Tuning procedure for temperatures < -20C Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 36/48] driver core: Remove the link if there is no driver with AUTO flag Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 37/48] driver core: Fix adding device links to probing suppliers Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 38/48] driver core: Make driver core own stateful device links Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 39/48] driver core: Add device link flag DL_FLAG_AUTOPROBE_CONSUMER Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 40/48] driver core: Remove device link creation limitation Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 41/48] driver core: Fix creation of device links with PM-runtime flags Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 42/48] net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 43/48] ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional() Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 44/48] ARM: 8958/1: rename missed uaccess .fixup section Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 45/48] mm: slub: add missing TID bump in kmem_cache_alloc_bulk() Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 46/48] HID: google: add moonball USB id Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 47/48] efi: Fix debugobjects warning on efi_rts_work Greg Kroah-Hartman
2020-03-19 13:04 ` [PATCH 4.19 48/48] ipv4: ensure rcu_read_lock() in cipso_v4_error() Greg Kroah-Hartman
2020-03-19 19:42 ` [PATCH 4.19 00/48] 4.19.112-rc1 review Naresh Kamboju
2020-03-19 20:00 ` Ben Hutchings
2020-03-20 8:03 ` Greg Kroah-Hartman
2020-03-20 8:11 ` Greg Kroah-Hartman
2020-03-20 16:41 ` Naresh Kamboju
2020-03-21 7:09 ` Greg Kroah-Hartman
2020-03-20 17:58 ` Guenter Roeck
2020-03-21 7:08 ` Greg Kroah-Hartman
2020-03-22 1:25 ` Sasha Levin
2020-03-19 23:36 ` Guenter Roeck
2020-03-20 21:01 ` Chris Paterson
2020-03-21 7:13 ` Greg Kroah-Hartman
2020-03-21 0:40 ` shuah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200319123910.067354815@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).