mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-21 10:01:00 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Eric Dumazet 42dd56266b net/smc: fix leak of kernel memory to user space 
[ Upstream commit 457fed775c ]

As nlmsg_put() does not clear the memory that is reserved,
it this the caller responsability to make sure all of this
memory will be written, in order to not reveal prior content.

While we are at it, we can provide the socket cookie even
if clsock is not set.

syzbot reported :

BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
BUG: KMSAN: uninit-value in __swab32p include/uapi/linux/swab.h:179 [inline]
BUG: KMSAN: uninit-value in __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
BUG: KMSAN: uninit-value in get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32 net/core/filter.c:240 [inline]
BUG: KMSAN: uninit-value in ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
BUG: KMSAN: uninit-value in bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252
CPU: 1 PID: 5262 Comm: syz-executor.5 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
 __fswab32 include/uapi/linux/swab.h:59 [inline]
 __swab32p include/uapi/linux/swab.h:179 [inline]
 __be32_to_cpup include/uapi/linux/byteorder/little_endian.h:82 [inline]
 get_unaligned_be32 include/linux/unaligned/access_ok.h:30 [inline]
 ____bpf_skb_load_helper_32 net/core/filter.c:240 [inline]
 ____bpf_skb_load_helper_32_no_cache net/core/filter.c:255 [inline]
 bpf_skb_load_helper_32_no_cache+0x14a/0x390 net/core/filter.c:252

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_kmalloc_large+0x73/0xc0 mm/kmsan/kmsan_hooks.c:128
 kmalloc_large_node_hook mm/slub.c:1406 [inline]
 kmalloc_large_node+0x282/0x2c0 mm/slub.c:3841
 __kmalloc_node_track_caller+0x44b/0x1200 mm/slub.c:4368
 __kmalloc_reserve net/core/skbuff.c:141 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
 alloc_skb include/linux/skbuff.h:1049 [inline]
 netlink_dump+0x44b/0x1ab0 net/netlink/af_netlink.c:2224
 __netlink_dump_start+0xbb2/0xcf0 net/netlink/af_netlink.c:2352
 netlink_dump_start include/linux/netlink.h:233 [inline]
 smc_diag_handler_dump+0x2ba/0x300 net/smc/smc_diag.c:242
 sock_diag_rcv_msg+0x211/0x610 net/core/sock_diag.c:256
 netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:275
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 kernel_sendmsg+0x433/0x440 net/socket.c:679
 sock_no_sendpage+0x235/0x300 net/core/sock.c:2740
 kernel_sendpage net/socket.c:3776 [inline]
 sock_sendpage+0x1e1/0x2c0 net/socket.c:937
 pipe_to_sendpage+0x38c/0x4c0 fs/splice.c:458
 splice_from_pipe_feed fs/splice.c:512 [inline]
 __splice_from_pipe+0x539/0xed0 fs/splice.c:636
 splice_from_pipe fs/splice.c:671 [inline]
 generic_splice_sendpage+0x1d5/0x2d0 fs/splice.c:844
 do_splice_from fs/splice.c:863 [inline]
 do_splice fs/splice.c:1170 [inline]
 __do_sys_splice fs/splice.c:1447 [inline]
 __se_sys_splice+0x2380/0x3350 fs/splice.c:1427
 __x64_sys_splice+0x6e/0x90 fs/splice.c:1427
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: f16a7dd5cf ("smc: netlink interface for SMC sockets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-02-24 08:36:21 +01:00
..
6lowpan
9p 9p pull request for inclusion in 5.4 2019-09-27 15:10:34 -07:00
802
8021q vlan: vlan_changelink() should propagate errors 2020-01-12 12:21:50 +01:00
appletalk appletalk: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
atm net: atm: Reduce the severity of logging in unlink_clip_vcc 2019-11-18 17:08:20 -08:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
batman-adv batman-adv: Fix DAT candidate selection on little endian systems 2020-01-23 08:22:49 +01:00
bluetooth Bluetooth: Fix race condition in hci_release_sock() 2020-02-05 21:22:42 +00:00
bpf
bpfilter
bridge net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
can can: j1939: j1939_sk_bind(): take priv after lock is held 2019-12-31 16:45:56 +01:00
ceph
core core: Don't skip generic XDP program execution for cloned SKBs 2020-02-24 08:36:21 +01:00
dcb
dccp net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-18 16:08:40 +01:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
dns_resolver
dsa net: dsa: tag_gswip: fix typo in tagger name 2020-01-23 08:22:52 +01:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
hsr net: hsr: fix possible NULL deref in hsr_handle_frame() 2020-02-11 04:35:04 -08:00
ieee802154 net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 tcp: clear tp->segs_{in|out} in tcp_disconnect() 2020-02-11 04:35:06 -08:00
ipv6 ipv6/addrconf: fix potential NULL deref in inet6_set_link_af() 2020-02-11 04:35:51 -08:00
iucv
kcm kcm: disable preemption in kcm_parse_func_strparser() 2019-09-27 10:27:14 +02:00
key
l2tp l2tp: Allow duplicate session creation with UDP 2020-02-11 04:35:04 -08:00
l3mdev
lapb
llc llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2020-01-12 12:21:45 +01:00
mac80211 mac80211: fix quiet mode activation in action frames 2020-02-19 19:53:08 +01:00
mac802154
mpls net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2019-12-18 16:08:42 +01:00
ncsi
netfilter netfilter: ipset: fix suspicious RCU usage in find_set_and_id 2020-02-11 04:35:07 -08:00
netlabel
netlink
netrom net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
nfc net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() 2019-12-31 16:41:23 +01:00
nsh
openvswitch net: openvswitch: don't unlock mutex when changing the user_features fails 2020-01-26 10:01:05 +01:00
packet packet: fix data-race in fanout_flow_is_huge() 2020-01-26 10:01:06 +01:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
psample net: psample: fix skb_over_panic 2019-12-04 22:30:54 +01:00
qrtr net: qrtr: Stop rx_worker before freeing node 2019-09-21 18:45:46 -07:00
rds rds: ib: update WR sizes when bringing up connection 2019-11-16 12:59:08 -08:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:21:33 +01:00
rose net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
rxrpc rxrpc: Fix service call disconnection 2020-02-11 04:35:55 -08:00
sched taprio: Fix dropping packets when using taprio + ETF offloading 2020-02-11 04:35:51 -08:00
sctp sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY 2020-01-12 12:21:48 +01:00
smc net/smc: fix leak of kernel memory to user space 2020-02-24 08:36:21 +01:00
strparser
sunrpc xprtrdma: Fix DMA scatter-gather list mapping imbalance 2020-02-19 19:53:02 +01:00
switchdev
tipc tipc: fix wrong timeout input for tipc_wait_for_cond() 2020-01-26 10:01:00 +01:00
tls net/tls: fix async operation 2020-01-29 16:45:28 +01:00
unix af_unix: add compat_ioctl support 2020-01-17 19:48:52 +01:00
vmw_vsock hv_sock: Remove the accept port restriction 2020-02-14 16:34:07 -05:00
wimax
wireless wireless: wext: avoid gcc -O3 warning 2020-02-05 21:22:47 +00:00
x25 net/x25: fix nonblocking connect 2020-01-29 16:45:33 +01:00
xdp xsk: Add rcu_read_lock around the XSK wakeup 2020-01-12 12:21:41 +01:00
xfrm xfrm: interface: do not confirm neighbor when do pmtu update 2020-02-05 21:22:48 +00:00
compat.c
Kconfig
Makefile
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-01-17 19:48:52 +01:00
sysctl_net.c