mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-28 15:20:41 +00:00
Code Issues Releases Wiki Activity
linux-stable/net/sched
History
Eric Dumazet 4d50e50045 net: flower: fix stack-out-of-bounds in fl_set_key_cfm() 
Typical misuse of

	nla_parse_nested(array, XXX_MAX, ...);

array must be declared as

	struct nlattr *array[XXX_MAX + 1];

v2: Based on feedbacks from Ido Schimmel and Zahari Doychev,
I also changed TCA_FLOWER_KEY_CFM_OPT_MAX and cfm_opt_policy
definitions.

syzbot reported:

BUG: KASAN: stack-out-of-bounds in __nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
Write of size 32 at addr ffffc90003a0ee20 by task syz-executor296/5014

CPU: 0 PID: 5014 Comm: syz-executor296 Not tainted 6.5.0-rc2-syzkaller-00307-gd192f5382581 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x1e7/0x2d0 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:364 [inline]
print_report+0x163/0x540 mm/kasan/report.c:475
kasan_report+0x175/0x1b0 mm/kasan/report.c:588
kasan_check_range+0x27e/0x290 mm/kasan/generic.c:187
__asan_memset+0x23/0x40 mm/kasan/shadow.c:84
__nla_validate_parse+0x136/0x2bd0 lib/nlattr.c:588
__nla_parse+0x40/0x50 lib/nlattr.c:700
nla_parse_nested include/net/netlink.h:1262 [inline]
fl_set_key_cfm+0x1e3/0x440 net/sched/cls_flower.c:1718
fl_set_key+0x2168/0x6620 net/sched/cls_flower.c:1884
fl_tmplt_create+0x1fe/0x510 net/sched/cls_flower.c:2666
tc_chain_tmplt_add net/sched/cls_api.c:2959 [inline]
tc_ctl_chain+0x131d/0x1ac0 net/sched/cls_api.c:3068
rtnetlink_rcv_msg+0x82b/0xf50 net/core/rtnetlink.c:6424
netlink_rcv_skb+0x1df/0x430 net/netlink/af_netlink.c:2549
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x7c3/0x990 net/netlink/af_netlink.c:1365
netlink_sendmsg+0xa2a/0xd60 net/netlink/af_netlink.c:1914
sock_sendmsg_nosec net/socket.c:725 [inline]
sock_sendmsg net/socket.c:748 [inline]
____sys_sendmsg+0x592/0x890 net/socket.c:2494
___sys_sendmsg net/socket.c:2548 [inline]
__sys_sendmsg+0x2b0/0x3a0 net/socket.c:2577
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f54c6150759
Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe06c30578 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f54c619902d RCX: 00007f54c6150759
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007ffe06c30590 R08: 0000000000000000 R09: 00007ffe06c305f0
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54c61c35f0
R13: 00007ffe06c30778 R14: 0000000000000001 R15: 0000000000000001
</TASK>

The buggy address belongs to stack of task syz-executor296/5014
and is located at offset 32 in frame:
fl_set_key_cfm+0x0/0x440 net/sched/cls_flower.c:374

This frame has 1 object:
[32, 56) 'nla_cfm_opt'

The buggy address belongs to the virtual mapping at
[ffffc90003a08000, ffffc90003a11000) created by:
copy_process+0x5c8/0x4290 kernel/fork.c:2330

Fixes: 7cfffd5fed ("net: flower: add support for matching cfm fields")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Zahari Doychev <zdoychev@maxlinear.com>
Link: https://lore.kernel.org/r/20230726145815.943910-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-07-27 20:01:29 -07:00
..
act_api.c net: sched: Replace strlcpy with strscpy 2023-07-10 08:23:53 +01:00
act_bpf.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_connmark.c net/sched: act_connmark: handle errno on tcf_idr_check_alloc 2023-03-01 08:19:09 +00:00
act_csum.c net: skbuff: hide csum_not_inet when CONFIG_IP_SCTP not set 2023-04-19 13:04:30 +01:00
act_ct.c net/sched: act_ct: Fix promotion of offloaded unreplied tuple 2023-06-14 09:56:50 +02:00
act_ctinfo.c net/sched: act_ctinfo: use percpu stats 2023-02-13 20:09:01 -08:00
act_gact.c Networking changes for 6.2. 2022-12-13 15:47:48 -08:00
act_gate.c net/sched: act_gate: use percpu stats 2023-02-16 10:39:28 +01:00
act_ife.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_ipt.c net/sched: act_ipt: zero skb->cb before calling target 2023-06-29 12:10:37 +02:00
act_meta_mark.c
act_meta_skbprio.c
act_meta_skbtcindex.c
act_mirred.c net/sched: act_mirred: Add carrier check 2023-05-01 07:26:10 +01:00
act_mpls.c net/sched: remove two skb_mac_header() uses 2023-03-22 22:43:23 -07:00
act_nat.c net/sched: act_nat: transition to percpu stats and rcu 2023-02-16 10:39:28 +01:00
act_pedit.c net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX 2023-07-04 10:31:38 +02:00
act_police.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
act_sample.c net/sched: act_sample: fix action bind logic 2023-02-26 18:27:45 +00:00
act_simple.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbedit.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_skbmod.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
act_tunnel_key.c net/sched: act_tunnel_key: add support for "don't fragment" 2023-03-30 23:24:24 -07:00
act_vlan.c net/sched: avoid indirect act functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_api.c net/sched: cls_api: Fix lockup on flushing explicitly created chain 2023-06-14 23:03:16 -07:00
cls_basic.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_bpf.c net: sched: cls_bpf: Undo tcf_bind_filter in case of an error 2023-07-17 07:33:39 +01:00
cls_cgroup.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_flow.c treewide: Convert del_timer*() to timer_shutdown*() 2022-12-25 13:38:09 -08:00
cls_flower.c net: flower: fix stack-out-of-bounds in fl_set_key_cfm() 2023-07-27 20:01:29 -07:00
cls_fw.c net/sched: cls_fw: Fix improper refcount update leads to use-after-free 2023-07-06 19:10:49 -07:00
cls_matchall.c net: sched: cls_matchall: Undo tcf_bind_filter in case of failure after mall_set_parms 2023-07-17 07:33:38 +01:00
cls_route.c net/sched: avoid indirect classify functions on retpoline kernels 2022-12-09 09:18:07 +00:00
cls_u32.c net: sched: cls_u32: Undo refcount decrement in case update failed 2023-07-17 07:33:38 +01:00
em_canid.c
em_cmp.c
em_ipset.c
em_ipt.c
em_meta.c fix typos in net/sched/* files 2023-03-24 09:05:03 +00:00
em_nbyte.c
em_text.c
em_u32.c
ematch.c net_sched: reject TCF_EM_SIMPLE case for complex ematch module 2022-12-19 09:43:18 +00:00
Kconfig net/sched: Retire rsvp classifier 2023-02-16 09:27:07 +01:00
Makefile net/sched: Retire rsvp classifier 2023-02-16 09:27:07 +01:00
sch_api.c net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 2023-06-14 10:31:39 +02:00
sch_blackhole.c
sch_cake.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
sch_cbs.c
sch_choke.c
sch_codel.c
sch_drr.c
sch_etf.c
sch_ets.c
sch_fifo.c
sch_fq.c net/sched: sch_fq: fix integer overflow of "credit" 2023-04-21 20:24:29 -07:00
sch_fq_codel.c
sch_fq_pie.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_frag.c
sch_generic.c net/sched: qdisc_destroy() old ingress and clsact Qdiscs before grafting 2023-06-14 10:31:39 +02:00
sch_gred.c net: sched: gred: prevent races when adding offloads to stats 2023-01-18 20:28:25 -08:00
sch_hfsc.c
sch_hhf.c
sch_htb.c sch_htb: Allow HTB priority parameter in offload mode 2023-05-15 09:31:07 +01:00
sch_ingress.c net/sched: Reserve TC_H_INGRESS (TC_H_CLSACT) for ingress (clsact) Qdiscs 2023-05-30 23:31:05 -07:00
sch_mq.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_mqprio.c net/sched: mqprio: Add length check for TCA_MQPRIO_{MAX/MIN}_RATE64 2023-07-26 22:08:14 -07:00
sch_mqprio_lib.c net/sched: mqprio: allow per-TC user input of FP adminStatus 2023-04-13 22:22:10 -07:00
sch_mqprio_lib.h net/sched: mqprio: allow per-TC user input of FP adminStatus 2023-04-13 22:22:10 -07:00
sch_multiq.c
sch_netem.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-06-27 09:45:22 -07:00
sch_pie.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_plug.c
sch_prio.c
sch_qfq.c net/sched: sch_qfq: account for stab overhead in qfq_enqueue 2023-07-13 11:11:59 +02:00
sch_red.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_sfb.c
sch_sfq.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00
sch_skbprio.c
sch_taprio.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-06-15 22:19:41 -07:00
sch_tbf.c net: move gso declarations and functions to their own files 2023-06-10 00:11:41 -07:00
sch_teql.c net: sched: add rcu annotations around qdisc->qdisc_sleeping 2023-06-07 10:25:39 +01:00