Skip to content

Commit 7d0cb25

Browse files
ying-xuegregkh
ying-xue
authored and
gregkh
committed
tipc: fix uninit-value in tipc_nl_compat_bearer_enable
commit 0762216 upstream. syzbot reported: BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484 CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x306/0x460 lib/dump_stack.c:113 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 strlen+0x3b/0xa0 lib/string.c:484 nla_put_string include/net/netlink.h:1011 [inline] tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389 __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline] tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344 tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440179 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00 R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline] kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180 kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2727 [inline] __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x422/0xe90 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 The root cause is that we don't validate whether bear name is a valid string in tipc_nl_compat_bearer_enable(). Meanwhile, we also fix the same issue in the following functions: tipc_nl_compat_bearer_disable() tipc_nl_compat_link_stat_dump() tipc_nl_compat_media_set() tipc_nl_compat_bearer_set() Reported-by: [email protected] Signed-off-by: Ying Xue <[email protected]> Signed-off-by: David S. Miller <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent 4cd995a commit 7d0cb25

File tree

1 file changed

+26
-0
lines changed

1 file changed

+26
-0
lines changed

net/tipc/netlink_compat.c

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -380,13 +380,18 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
380380
struct nlattr *prop;
381381
struct nlattr *bearer;
382382
struct tipc_bearer_config *b;
383+
int len;
383384

384385
b = (struct tipc_bearer_config *)TLV_DATA(msg->req);
385386

386387
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
387388
if (!bearer)
388389
return -EMSGSIZE;
389390

391+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
392+
if (!string_is_valid(b->name, len))
393+
return -EINVAL;
394+
390395
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, b->name))
391396
return -EMSGSIZE;
392397

@@ -412,13 +417,18 @@ static int tipc_nl_compat_bearer_disable(struct tipc_nl_compat_cmd_doit *cmd,
412417
{
413418
char *name;
414419
struct nlattr *bearer;
420+
int len;
415421

416422
name = (char *)TLV_DATA(msg->req);
417423

418424
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
419425
if (!bearer)
420426
return -EMSGSIZE;
421427

428+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
429+
if (!string_is_valid(name, len))
430+
return -EINVAL;
431+
422432
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, name))
423433
return -EMSGSIZE;
424434

@@ -479,6 +489,7 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
479489
struct nlattr *prop[TIPC_NLA_PROP_MAX + 1];
480490
struct nlattr *stats[TIPC_NLA_STATS_MAX + 1];
481491
int err;
492+
int len;
482493

483494
if (!attrs[TIPC_NLA_LINK])
484495
return -EINVAL;
@@ -505,6 +516,11 @@ static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
505516
return err;
506517

507518
name = (char *)TLV_DATA(msg->req);
519+
520+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
521+
if (!string_is_valid(name, len))
522+
return -EINVAL;
523+
508524
if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
509525
return 0;
510526

@@ -645,13 +661,18 @@ static int tipc_nl_compat_media_set(struct sk_buff *skb,
645661
struct nlattr *prop;
646662
struct nlattr *media;
647663
struct tipc_link_config *lc;
664+
int len;
648665

649666
lc = (struct tipc_link_config *)TLV_DATA(msg->req);
650667

651668
media = nla_nest_start(skb, TIPC_NLA_MEDIA);
652669
if (!media)
653670
return -EMSGSIZE;
654671

672+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
673+
if (!string_is_valid(lc->name, len))
674+
return -EINVAL;
675+
655676
if (nla_put_string(skb, TIPC_NLA_MEDIA_NAME, lc->name))
656677
return -EMSGSIZE;
657678

@@ -672,13 +693,18 @@ static int tipc_nl_compat_bearer_set(struct sk_buff *skb,
672693
struct nlattr *prop;
673694
struct nlattr *bearer;
674695
struct tipc_link_config *lc;
696+
int len;
675697

676698
lc = (struct tipc_link_config *)TLV_DATA(msg->req);
677699

678700
bearer = nla_nest_start(skb, TIPC_NLA_BEARER);
679701
if (!bearer)
680702
return -EMSGSIZE;
681703

704+
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_MEDIA_NAME);
705+
if (!string_is_valid(lc->name, len))
706+
return -EINVAL;
707+
682708
if (nla_put_string(skb, TIPC_NLA_BEARER_NAME, lc->name))
683709
return -EMSGSIZE;
684710

0 commit comments

Comments
 (0)