linux-stable/net/ncsi/ncsi-netlink.c
Samuel Mendoza-Jonas 0f51f3582f net/ncsi: Fix array size in dumpit handler
With CONFIG_CC_STACKPROTECTOR enabled the kernel panics as below when
parsing a NCSI_CMD_PKG_INFO command:

[  150.149711] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08
[  150.149711]
[  150.159919] CPU: 0 PID: 1301 Comm: ncsi-netlink Not tainted 4.13.16-468cbec6d2c91239332cb91b1f0a73aafcb6f0c6 #1
[  150.170004] Hardware name: Generic DT based system
[  150.174852] [<80109930>] (unwind_backtrace) from [<80106bc4>] (show_stack+0x20/0x24)
[  150.182641] [<80106bc4>] (show_stack) from [<805d36e4>] (dump_stack+0x20/0x28)
[  150.189888] [<805d36e4>] (dump_stack) from [<801163ac>] (panic+0xdc/0x278)
[  150.196780] [<801163ac>] (panic) from [<801162cc>] (__stack_chk_fail+0x20/0x24)
[  150.204111] [<801162cc>] (__stack_chk_fail) from [<805cff08>] (ncsi_pkg_info_all_nl+0x244/0x258)
[  150.212912] [<805cff08>] (ncsi_pkg_info_all_nl) from [<804f939c>] (genl_lock_dumpit+0x3c/0x54)
[  150.221535] [<804f939c>] (genl_lock_dumpit) from [<804f873c>] (netlink_dump+0xf8/0x284)
[  150.229550] [<804f873c>] (netlink_dump) from [<804f8d44>] (__netlink_dump_start+0x124/0x17c)
[  150.237992] [<804f8d44>] (__netlink_dump_start) from [<804f9880>] (genl_rcv_msg+0x1c8/0x3d4)
[  150.246440] [<804f9880>] (genl_rcv_msg) from [<804f9174>] (netlink_rcv_skb+0xd8/0x134)
[  150.254361] [<804f9174>] (netlink_rcv_skb) from [<804f96a4>] (genl_rcv+0x30/0x44)
[  150.261850] [<804f96a4>] (genl_rcv) from [<804f7790>] (netlink_unicast+0x198/0x234)
[  150.269511] [<804f7790>] (netlink_unicast) from [<804f7ffc>] (netlink_sendmsg+0x368/0x3b0)
[  150.277783] [<804f7ffc>] (netlink_sendmsg) from [<804abea4>] (sock_sendmsg+0x24/0x34)
[  150.285625] [<804abea4>] (sock_sendmsg) from [<804ac1dc>] (___sys_sendmsg+0x244/0x260)
[  150.293556] [<804ac1dc>] (___sys_sendmsg) from [<804ad98c>] (__sys_sendmsg+0x5c/0x9c)
[  150.301400] [<804ad98c>] (__sys_sendmsg) from [<804ad9e4>] (SyS_sendmsg+0x18/0x1c)
[  150.308984] [<804ad9e4>] (SyS_sendmsg) from [<80102640>] (ret_fast_syscall+0x0/0x3c)
[  150.316743] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: 805cff08

This turns out to be because the attrs array in ncsi_pkg_info_all_nl()
is initialised to a length of NCSI_ATTR_MAX, which is the maximum
attribute number, not the number of attributes (NCSI_ATTR_MAX + 1).

Fixes: 955dc68cb9 ("net/ncsi: Add generic netlink family")
Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-31 15:57:54 -04:00


/*
* Copyright Samuel Mendoza-Jonas, IBM Corporation 2018.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/if_arp.h>
#include <linux/rtnetlink.h>
#include <linux/etherdevice.h>
#include <linux/module.h>
#include <net/genetlink.h>
#include <net/ncsi.h>
#include <linux/skbuff.h>
#include <net/sock.h>
#include <uapi/linux/ncsi.h>
#include "internal.h"
#include "ncsi-netlink.h"
/* Defined below, after ncsi_ops; declared early because the request
 * handlers pass its address to genlmsg_put() and genlmsg_parse().
 */
static struct genl_family ncsi_genl_family;
/*
 * Attribute policy for the NCSI family.  genetlink validates every request
 * against it through the .policy member of each ncsi_ops entry, and the dump
 * handler re-parses the request against it with genlmsg_parse().  Attribute
 * ids run from 0 to NCSI_ATTR_MAX inclusive, hence NCSI_ATTR_MAX + 1 slots;
 * any attrs[] array filled from this policy must be sized the same way.
 */
static const struct nla_policy ncsi_genl_policy[NCSI_ATTR_MAX + 1] = {
	[NCSI_ATTR_IFINDEX] = { .type = NLA_U32 },
	[NCSI_ATTR_PACKAGE_LIST] = { .type = NLA_NESTED },
	[NCSI_ATTR_PACKAGE_ID] = { .type = NLA_U32 },
	[NCSI_ATTR_CHANNEL_ID] = { .type = NLA_U32 },
};
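/*
 * Look up the NCSI private data of the net_device with the given ifindex.
 *
 * @net:     namespace to search; NULL is rejected
 * @ifindex: interface index supplied by the netlink caller
 *
 * Returns the device's ncsi_dev_priv, or NULL when no such device exists or
 * it is not an NCSI device.  The reference taken by dev_get_by_index() is
 * dropped before returning, and the returned pointer is not itself
 * reference counted.
 */
static struct ncsi_dev_priv *ndp_from_ifindex(struct net *net, u32 ifindex)
{
	struct ncsi_dev_priv *ndp = NULL;
	struct net_device *dev;
	struct ncsi_dev *nd;

	if (!net)
		return NULL;

	dev = dev_get_by_index(net, ifindex);
	if (!dev) {
		/* NOTE(review): ifindex is caller controlled and
		 * NCSI_CMD_PKG_INFO carries no GENL_ADMIN_PERM, so an
		 * unthrottled pr_err() here can be driven by any local user;
		 * pr_err_ratelimited() or a debug level would be safer.
		 */
		pr_err("NCSI netlink: No device for ifindex %u\n", ifindex);
		return NULL;
	}

	nd = ncsi_find_dev(dev);
	if (nd)
		ndp = TO_NCSI_DEV_PRIV(nd);
	dev_put(dev);

	return ndp;
}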
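/*
 * Append the attributes describing one channel to @skb.
 *
 * The caller has already opened the enclosing NCSI_CHANNEL_ATTR nest and is
 * responsible for cancelling it when this function fails, so partial output
 * is never left in the message.
 *
 * @skb: message being built
 * @ndp: owning NCSI device, used to report the forced channel
 * @nc:  channel to describe
 *
 * Returns 0 on success, -ENOMEM when the VLAN nest cannot be opened and
 * -EMSGSIZE when an attribute does not fit in @skb (previously nla_put_*()
 * failures were ignored and the reply silently lost attributes).
 */
static int ncsi_write_channel_info(struct sk_buff *skb,
				   struct ncsi_dev_priv *ndp,
				   struct ncsi_channel *nc)
{
	struct ncsi_channel_filter *ncf;
	struct ncsi_channel_mode *m;
	struct nlattr *vid_nest;
	u32 *data;
	int i;

	if (nla_put_u32(skb, NCSI_CHANNEL_ATTR_ID, nc->id))
		return -EMSGSIZE;

	/* Link state is reported from the third data word of the LINK mode */
	m = &nc->modes[NCSI_MODE_LINK];
	if (nla_put_u32(skb, NCSI_CHANNEL_ATTR_LINK_STATE, m->data[2]))
		return -EMSGSIZE;

	if (nc->state == NCSI_CHANNEL_ACTIVE &&
	    nla_put_flag(skb, NCSI_CHANNEL_ATTR_ACTIVE))
		return -EMSGSIZE;
	if (ndp->force_channel == nc &&
	    nla_put_flag(skb, NCSI_CHANNEL_ATTR_FORCED))
		return -EMSGSIZE;

	/* NOTE(review): nla_put_string() needs fw_name to be NUL terminated;
	 * its declaration is not visible here -- confirm the response parser
	 * terminates it before trusting this on a hostile NIC.
	 */
	if (nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MAJOR,
			nc->version.version) ||
	    nla_put_u32(skb, NCSI_CHANNEL_ATTR_VERSION_MINOR,
			nc->version.alpha2) ||
	    nla_put_string(skb, NCSI_CHANNEL_ATTR_VERSION_STR,
			   nc->version.fw_name))
		return -EMSGSIZE;

	vid_nest = nla_nest_start(skb, NCSI_CHANNEL_ATTR_VLAN_LIST);
	if (!vid_nest)
		return -ENOMEM;

	ncf = nc->filters[NCSI_FILTER_VLAN];
	if (ncf) {
		i = -1;
		while ((i = find_next_bit((void *)&ncf->bitmap, ncf->total,
					  i + 1)) < ncf->total) {
			data = ncsi_get_filter(nc, NCSI_FILTER_VLAN, i);
			/* Uninitialised channels will have 'zero' vlan ids */
			if (!data || !*data)
				continue;
			/* NOTE(review): the entry is fetched as a u32 but
			 * emitted as the u16 at its address; presumably the
			 * VLAN id sits in the low half -- verify against the
			 * filter layout, this differs on big-endian hosts.
			 */
			if (nla_put_u16(skb, NCSI_CHANNEL_ATTR_VLAN_ID,
					*(u16 *)data))
				return -EMSGSIZE;
		}
	}
	nla_nest_end(skb, vid_nest);

	return 0;
}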
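/*
 * Append one NCSI_PKG_ATTR nest (id, forced flag, channel list) for @np.
 *
 * On failure every nest opened here is cancelled, so @skb is left exactly as
 * it was on entry.  Returns 0, -ENOMEM when a nest cannot be opened,
 * -EMSGSIZE when an attribute does not fit, or the error returned by
 * ncsi_write_channel_info().
 */
static int ncsi_write_one_package(struct sk_buff *skb,
				  struct ncsi_dev_priv *ndp,
				  struct ncsi_package *np)
{
	struct nlattr *pnest, *cnest, *nest;
	struct ncsi_channel *nc;
	int rc;

	pnest = nla_nest_start(skb, NCSI_PKG_ATTR);
	if (!pnest)
		return -ENOMEM;

	/* nla_put_*() failures used to be ignored, truncating the reply */
	rc = -EMSGSIZE;
	if (nla_put_u32(skb, NCSI_PKG_ATTR_ID, np->id))
		goto err_pnest;
	if (ndp->force_package == np &&
	    nla_put_flag(skb, NCSI_PKG_ATTR_FORCED))
		goto err_pnest;

	cnest = nla_nest_start(skb, NCSI_PKG_ATTR_CHANNEL_LIST);
	if (!cnest) {
		rc = -ENOMEM;
		goto err_pnest;
	}

	NCSI_FOR_EACH_CHANNEL(np, nc) {
		nest = nla_nest_start(skb, NCSI_CHANNEL_ATTR);
		if (!nest) {
			rc = -ENOMEM;
			goto err_cnest;
		}
		rc = ncsi_write_channel_info(skb, ndp, nc);
		if (rc) {
			nla_nest_cancel(skb, nest);
			goto err_cnest;
		}
		nla_nest_end(skb, nest);
	}

	nla_nest_end(skb, cnest);
	nla_nest_end(skb, pnest);
	return 0;

err_cnest:
	nla_nest_cancel(skb, cnest);
err_pnest:
	nla_nest_cancel(skb, pnest);
	return rc;
}

/*
 * Write every package of @ndp whose id equals @id into @skb.
 *
 * @skb: message being built; the caller owns the surrounding
 *       NCSI_ATTR_PACKAGE_LIST nest and cancels it on error
 * @ndp: NCSI device to describe
 * @id:  package id requested by the netlink caller
 *
 * Returns 0 when at least one package was written, -ENODEV when no package
 * has that id, or the error from ncsi_write_one_package().
 */
static int ncsi_write_package_info(struct sk_buff *skb,
				   struct ncsi_dev_priv *ndp, unsigned int id)
{
	struct ncsi_package *np;
	bool found = false;
	int rc;

	/* Cheap early reject; an id below package_num may still be absent
	 * from the list, which the loop below reports the same way.
	 * NOTE(review): @id is user supplied and NCSI_CMD_PKG_INFO needs no
	 * privilege, so this netdev_info() is reachable by any local user.
	 */
	if (id > ndp->package_num) {
		netdev_info(ndp->ndev.dev, "NCSI: No package with id %u\n", id);
		return -ENODEV;
	}

	NCSI_FOR_EACH_PACKAGE(ndp, np) {
		if (np->id != id)
			continue;
		rc = ncsi_write_one_package(skb, ndp, np);
		if (rc)
			return rc;
		found = true;
	}

	return found ? 0 : -ENODEV;
}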
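/*
 * NCSI_CMD_PKG_INFO doit handler: reply with the description of one package.
 *
 * @msg:  request skb (unused; the namespace comes from @info)
 * @info: parsed request; NCSI_ATTR_IFINDEX and NCSI_ATTR_PACKAGE_ID are
 *        mandatory
 *
 * Returns the result of genlmsg_reply() on success, -EINVAL for a malformed
 * request, -ENODEV when the interface is not an NCSI device or the package
 * does not exist, -ENOMEM or -EMSGSIZE when the reply cannot be built.
 * All failure paths after genlmsg_new() go through one cleanup tail so the
 * reply skb is freed exactly once.
 */
static int ncsi_pkg_info_nl(struct sk_buff *msg, struct genl_info *info)
{
	struct ncsi_dev_priv *ndp;
	unsigned int package_id;
	struct sk_buff *skb;
	struct nlattr *attr;
	void *hdr;
	int rc;

	if (!info || !info->attrs)
		return -EINVAL;
	if (!info->attrs[NCSI_ATTR_IFINDEX] ||
	    !info->attrs[NCSI_ATTR_PACKAGE_ID])
		return -EINVAL;

	ndp = ndp_from_ifindex(genl_info_net(info),
			       nla_get_u32(info->attrs[NCSI_ATTR_IFINDEX]));
	if (!ndp)
		return -ENODEV;

	skb = genlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!skb)
		return -ENOMEM;

	hdr = genlmsg_put(skb, info->snd_portid, info->snd_seq,
			  &ncsi_genl_family, 0, NCSI_CMD_PKG_INFO);
	if (!hdr) {
		rc = -EMSGSIZE;
		goto err_free;
	}

	package_id = nla_get_u32(info->attrs[NCSI_ATTR_PACKAGE_ID]);

	attr = nla_nest_start(skb, NCSI_ATTR_PACKAGE_LIST);
	if (!attr) {
		rc = -EMSGSIZE;
		goto err_cancel;
	}
	rc = ncsi_write_package_info(skb, ndp, package_id);
	if (rc) {
		nla_nest_cancel(skb, attr);
		goto err_cancel;
	}
	nla_nest_end(skb, attr);

	genlmsg_end(skb, hdr);
	/* genlmsg_reply() consumes skb on both success and failure */
	return genlmsg_reply(skb, info);

err_cancel:
	genlmsg_cancel(skb, hdr);
err_free:
	kfree_skb(skb);
	return rc;
}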
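/*
 * NCSI_CMD_PKG_INFO dumpit handler: emit one package per call, walking the
 * package ids upwards from 0 using cb->args[0] as the cursor.
 *
 * @skb: message being filled for this dump round
 * @cb:  netlink dump state; cb->nlh is the original request
 *
 * Returns skb->len when a package was written (dump continues), 0 when no
 * package has the next id (dump finished), or a negative errno.
 *
 * NOTE(review): the cursor is package_id + 1, so presumably package ids are
 * contiguous from 0; a gap would end the dump early -- confirm against the
 * package enumeration code.
 */
static int ncsi_pkg_info_all_nl(struct sk_buff *skb,
				struct netlink_callback *cb)
{
	/* genlmsg_parse() fills indices 0..NCSI_ATTR_MAX, so NCSI_ATTR_MAX + 1
	 * slots are required; NCSI_ATTR_MAX alone overran the stack frame.
	 */
	struct nlattr *attrs[NCSI_ATTR_MAX + 1];
	struct ncsi_package *np, *package = NULL;
	struct ncsi_dev_priv *ndp;
	unsigned int package_id;
	struct nlattr *attr;
	void *hdr;
	int rc;

	rc = genlmsg_parse(cb->nlh, &ncsi_genl_family, attrs, NCSI_ATTR_MAX,
			   ncsi_genl_policy, NULL);
	if (rc)
		return rc;

	if (!attrs[NCSI_ATTR_IFINDEX])
		return -EINVAL;

	/* The requesting socket keeps its namespace alive for the duration of
	 * the dump; the previous get_net() took a reference that nothing in
	 * this file released.
	 */
	ndp = ndp_from_ifindex(sock_net(skb->sk),
			       nla_get_u32(attrs[NCSI_ATTR_IFINDEX]));
	if (!ndp)
		return -ENODEV;

	package_id = cb->args[0];
	NCSI_FOR_EACH_PACKAGE(ndp, np)
		if (np->id == package_id)
			package = np;
	if (!package)
		return 0; /* done */

	hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
			  &ncsi_genl_family, 0, NCSI_CMD_PKG_INFO);
	if (!hdr)
		return -EMSGSIZE;

	attr = nla_nest_start(skb, NCSI_ATTR_PACKAGE_LIST);
	if (!attr) {
		/* Previously unchecked; nla_nest_end() would dereference NULL */
		rc = -EMSGSIZE;
		goto err;
	}
	rc = ncsi_write_package_info(skb, ndp, package->id);
	if (rc) {
		nla_nest_cancel(skb, attr);
		goto err;
	}
	nla_nest_end(skb, attr);
	genlmsg_end(skb, hdr);

	cb->args[0] = package_id + 1;
	return skb->len;

err:
	genlmsg_cancel(skb, hdr);
	return rc;
}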
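/*
 * NCSI_CMD_SET_INTERFACE handler: pin the device to one package and,
 * optionally, one channel of that package, then restart NCSI so the
 * preference takes effect.  Requires GENL_ADMIN_PERM (see ncsi_ops).
 *
 * @msg:  request skb (unused; the namespace comes from @info)
 * @info: parsed request; NCSI_ATTR_IFINDEX and NCSI_ATTR_PACKAGE_ID are
 *        mandatory, NCSI_ATTR_CHANNEL_ID optional ("any channel" if absent)
 *
 * Returns 0, -EINVAL for a malformed request, -ENODEV when the interface is
 * not an NCSI device, or -ERANGE when the package or channel does not exist.
 */
static int ncsi_set_interface_nl(struct sk_buff *msg, struct genl_info *info)
{
	struct ncsi_package *np, *package = NULL;
	struct ncsi_channel *nc, *channel = NULL;
	u32 package_id, channel_id;
	struct ncsi_dev_priv *ndp;
	unsigned long flags;

	if (!info || !info->attrs)
		return -EINVAL;
	if (!info->attrs[NCSI_ATTR_IFINDEX] ||
	    !info->attrs[NCSI_ATTR_PACKAGE_ID])
		return -EINVAL;

	/* genl_info_net() borrows the request's namespace, matching
	 * ncsi_pkg_info_nl(); the previous get_net(sock_net(msg->sk)) took a
	 * reference that nothing in this file released.
	 */
	ndp = ndp_from_ifindex(genl_info_net(info),
			       nla_get_u32(info->attrs[NCSI_ATTR_IFINDEX]));
	if (!ndp)
		return -ENODEV;

	package_id = nla_get_u32(info->attrs[NCSI_ATTR_PACKAGE_ID]);

	spin_lock_irqsave(&ndp->lock, flags);

	NCSI_FOR_EACH_PACKAGE(ndp, np)
		if (np->id == package_id)
			package = np;
	if (!package) {
		/* The user has set a package that does not exist */
		spin_unlock_irqrestore(&ndp->lock, flags);
		return -ERANGE;
	}

	if (!info->attrs[NCSI_ATTR_CHANNEL_ID]) {
		/* Allow any channel */
		channel_id = NCSI_RESERVED_CHANNEL;
	} else {
		channel_id = nla_get_u32(info->attrs[NCSI_ATTR_CHANNEL_ID]);
		NCSI_FOR_EACH_CHANNEL(package, nc)
			if (nc->id == channel_id)
				channel = nc;
	}

	if (channel_id != NCSI_RESERVED_CHANNEL && !channel) {
		/* The user has set a channel that does not exist on this
		 * package
		 */
		spin_unlock_irqrestore(&ndp->lock, flags);
		netdev_info(ndp->ndev.dev, "NCSI: Channel %u does not exist!\n",
			    channel_id);
		return -ERANGE;
	}

	/* Both pointers are published under ndp->lock; channel may be NULL */
	ndp->force_package = package;
	ndp->force_channel = channel;
	spin_unlock_irqrestore(&ndp->lock, flags);

	netdev_info(ndp->ndev.dev, "Set package 0x%x, channel 0x%x%s as preferred\n",
		    package_id, channel_id,
		    channel_id == NCSI_RESERVED_CHANNEL ? " (any)" : "");

	/* Bounce the NCSI channel to set changes */
	ncsi_stop_dev(&ndp->ndev);
	ncsi_start_dev(&ndp->ndev);

	return 0;
}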
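/*
 * NCSI_CMD_CLEAR_INTERFACE handler: drop any forced package/channel and
 * restart NCSI so the device falls back to automatic selection.  Requires
 * GENL_ADMIN_PERM (see ncsi_ops).
 *
 * @msg:  request skb (unused; the namespace comes from @info)
 * @info: parsed request; NCSI_ATTR_IFINDEX is mandatory
 *
 * Returns 0, -EINVAL for a malformed request or -ENODEV when the interface
 * is not an NCSI device.
 */
static int ncsi_clear_interface_nl(struct sk_buff *msg, struct genl_info *info)
{
	struct ncsi_dev_priv *ndp;
	unsigned long flags;

	if (!info || !info->attrs || !info->attrs[NCSI_ATTR_IFINDEX])
		return -EINVAL;

	/* genl_info_net() borrows the request's namespace, matching
	 * ncsi_pkg_info_nl(); the previous get_net(sock_net(msg->sk)) took a
	 * reference that nothing in this file released.
	 */
	ndp = ndp_from_ifindex(genl_info_net(info),
			       nla_get_u32(info->attrs[NCSI_ATTR_IFINDEX]));
	if (!ndp)
		return -ENODEV;

	/* Clear any override */
	spin_lock_irqsave(&ndp->lock, flags);
	ndp->force_package = NULL;
	ndp->force_channel = NULL;
	spin_unlock_irqrestore(&ndp->lock, flags);

	netdev_info(ndp->ndev.dev, "NCSI: Cleared preferred package/channel\n");

	/* Bounce the NCSI channel to set changes */
	ncsi_stop_dev(&ndp->ndev);
	ncsi_start_dev(&ndp->ndev);

	return 0;
}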
/*
 * Generic netlink operations of the NCSI family.
 *
 * NCSI_CMD_PKG_INFO has .flags = 0, so it is reachable by any process with
 * a generic netlink socket; it only reads state.  The two commands that
 * change the forced package/channel carry GENL_ADMIN_PERM and are limited
 * to CAP_NET_ADMIN.  All three share ncsi_genl_policy.
 */
static const struct genl_ops ncsi_ops[] = {
	{
		.cmd = NCSI_CMD_PKG_INFO,
		.policy = ncsi_genl_policy,
		.doit = ncsi_pkg_info_nl,
		.dumpit = ncsi_pkg_info_all_nl,
		.flags = 0,
	},
	{
		.cmd = NCSI_CMD_SET_INTERFACE,
		.policy = ncsi_genl_policy,
		.doit = ncsi_set_interface_nl,
		.flags = GENL_ADMIN_PERM,
	},
	{
		.cmd = NCSI_CMD_CLEAR_INTERFACE,
		.policy = ncsi_genl_policy,
		.doit = ncsi_clear_interface_nl,
		.flags = GENL_ADMIN_PERM,
	},
};
/*
 * The "NCSI" generic netlink family.  .maxattr must match the size of
 * ncsi_genl_policy (NCSI_ATTR_MAX + 1 entries) and the attrs[] array used
 * by the dump handler.  __ro_after_init: genl_register_family() fills in
 * the id at init time, after which the structure is read only.
 */
static struct genl_family ncsi_genl_family __ro_after_init = {
	.name = "NCSI",
	.version = 0,
	.maxattr = NCSI_ATTR_MAX,
	.module = THIS_MODULE,
	.ops = ncsi_ops,
	.n_ops = ARRAY_SIZE(ncsi_ops),
};
/*
 * Register the "NCSI" generic netlink family.
 *
 * @dev: device used only to attribute the error message
 *
 * Returns 0 on success or the error returned by genl_register_family().
 */
int ncsi_init_netlink(struct net_device *dev)
{
	int err;

	err = genl_register_family(&ncsi_genl_family);
	if (!err)
		return 0;

	netdev_err(dev, "ncsi: failed to register netlink family\n");
	return err;
}
/*
 * Unregister the "NCSI" generic netlink family.
 *
 * @dev: device used only to attribute the error message
 *
 * Returns 0 on success or the error returned by genl_unregister_family().
 */
int ncsi_unregister_netlink(struct net_device *dev)
{
	int err;

	err = genl_unregister_family(&ncsi_genl_family);
	if (!err)
		return 0;

	netdev_err(dev, "ncsi: failed to unregister netlink family\n");
	return err;
}