Skip to content

Commit 0762216

Browse files
ying-xuedavem330
ying-xue
authored and
davem330
committed
tipc: fix uninit-value in tipc_nl_compat_bearer_enable
syzbot reported: BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484 CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x306/0x460 lib/dump_stack.c:113 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 strlen+0x3b/0xa0 lib/string.c:484 nla_put_string include/net/netlink.h:1011 [inline] tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389 __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline] tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344 tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440179 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00 R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline] kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180 kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2727 [inline] __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x422/0xe90 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 The root cause is that we don't validate whether bear name is a valid string in tipc_nl_compat_bearer_enable(). Meanwhile, we also fix the same issue in the following functions: tipc_nl_compat_bearer_disable() tipc_nl_compat_link_stat_dump() tipc_nl_compat_media_set() tipc_nl_compat_bearer_set() Reported-by: [email protected] Signed-off-by: Ying Xue <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 8b66fee commit 0762216

File tree

1 file changed

+26
-0
lines changed

1 file changed

+26
-0
lines changed

net/tipc/netlink_compat.c

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -389,13 +389,18 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
389389
struct nlattr *prop;
390390
struct nlattr *bearer;
391391
struct tipc_bearer_config *b;
392+
int len;
392393

393394
b = (struct tipc_bearer_config *)TLV_DATA(msg->req);
394395

395396
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
396397
if (!bearer)
397398
return -EMSGSIZE;
398399

400+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
401+
if (!string_is_valid(b->name, len))
402+
return -EINVAL;
403+
399404
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name))
400405
return -EMSGSIZE;
401406

@@ -421,13 +426,18 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
421426
{
422427
char *name;
423428
struct nlattr *bearer;
429+
int len;
424430

425431
name = (char *)TLV_DATA(msg->req);
426432

427433
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
428434
if (!bearer)
429435
return -EMSGSIZE;
430436

437+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
438+
if (!string_is_valid(name, len))
439+
return -EINVAL;
440+
431441
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name))
432442
return -EMSGSIZE;
433443

@@ -488,6 +498,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
488498
struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
489499
struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
490500
int err;
501+
int len;
491502

492503
if (!attrs[TIPC_NLA_LINK])
493504
return -EINVAL;
@@ -514,6 +525,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
514525
return err;
515526

516527
name = (char *)TLV_DATA(msg->req);
528+
529+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
530+
if (!string_is_valid(name, len))
531+
return -EINVAL;
532+
517533
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
518534
return 0;
519535

@@ -654,13 +670,18 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
654670
struct nlattr *prop;
655671
struct nlattr *media;
656672
struct tipc_link_config *lc;
673+
int len;
657674

658675
lc = (struct tipc_link_config *)TLV_DATA(msg->req);
659676

660677
media = nla_nest_start(skb, TIPC_NLA_MEDIA);
661678
if (!media)
662679
return -EMSGSIZE;
663680

681+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
682+
if (!string_is_valid(lc->name, len))
683+
return -EINVAL;
684+
664685
if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name))
665686
return -EMSGSIZE;
666687

@@ -681,13 +702,18 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
681702
struct nlattr *prop;
682703
struct nlattr *bearer;
683704
struct tipc_link_config *lc;
705+
int len;
684706

685707
lc = (struct tipc_link_config *)TLV_DATA(msg->req);
686708

687709
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
688710
if (!bearer)
689711
return -EMSGSIZE;
690712

713+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
714+
if (!string_is_valid(lc->name, len))
715+
return -EINVAL;
716+
691717
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name))
692718
return -EMSGSIZE;
693719

0 commit comments

Comments
 (0)