linux-stable/net/tipc
Shigeru Yoshida 24ec8f0da9 tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
[ Upstream commit 3871aa01e1 ]

syzbot reported the following general protection fault [1]:

general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000080-0x0000000000000087]
...
RIP: 0010:tipc_udp_is_known_peer+0x9c/0x250 net/tipc/udp_media.c:291
...
Call Trace:
 <TASK>
 tipc_udp_nl_bearer_add+0x212/0x2f0 net/tipc/udp_media.c:646
 tipc_nl_bearer_add+0x21e/0x360 net/tipc/bearer.c:1089
 genl_family_rcv_msg_doit+0x1fc/0x2e0 net/netlink/genetlink.c:972
 genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
 genl_rcv_msg+0x561/0x800 net/netlink/genetlink.c:1067
 netlink_rcv_skb+0x16b/0x440 net/netlink/af_netlink.c:2544
 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1076
 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
 netlink_unicast+0x53b/0x810 net/netlink/af_netlink.c:1367
 netlink_sendmsg+0x8b7/0xd70 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 ____sys_sendmsg+0x6ac/0x940 net/socket.c:2584
 ___sys_sendmsg+0x135/0x1d0 net/socket.c:2638
 __sys_sendmsg+0x117/0x1e0 net/socket.c:2667
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

The cause of this issue is that when tipc_nl_bearer_add() is called with
the TIPC_NLA_BEARER_UDP_OPTS attribute, tipc_udp_nl_bearer_add() is called
even if the bearer is not UDP.

tipc_udp_is_known_peer(), called by tipc_udp_nl_bearer_add(), assumes that
the media_ptr field of the tipc_bearer has a udp_bearer type object, so
the function goes crazy for non-UDP bearers.

This patch fixes the issue by checking the bearer type before calling
tipc_udp_nl_bearer_add() in tipc_nl_bearer_add().

Fixes: ef20cd4dd1 ("tipc: introduce UDP replicast")
Reported-and-tested-by: syzbot+5142b87a9abc510e14fa@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5142b87a9abc510e14fa [1]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20240131152310.4089541-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-02-23 08:12:54 +01:00
addr.c
addr.h
bcast.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
bcast.h
bearer.c tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() 2024-02-23 08:12:54 +01:00
bearer.h
core.c tipc: fix use-after-free in tipc_bcast_get_mode 2020-11-10 12:35:53 +01:00
core.h
diag.c
discover.c tipc: check skb_linearize() return value in tipc_disc_rcv() 2022-12-08 11:18:30 +01:00
discover.h
eth_media.c
group.c tipc: Fix memory leak in tipc_group_create_member() 2020-09-26 18:01:30 +02:00
group.h
ib_media.c
Kconfig
link.c tipc: Fix potential OOB in tipc_link_proto_rcv() 2022-12-14 11:28:30 +01:00
link.h
Makefile
monitor.c tipc: fix shift wrapping bug in map_get() 2022-09-15 12:17:05 +02:00
monitor.h
msg.c tipc: skb_linearize the head skb when reassembling msgs 2021-06-03 08:38:08 +02:00
msg.h
name_distr.c tipc: rate limit warning for received illegal binding update 2022-02-16 12:51:46 +01:00
name_distr.h
name_table.c tipc: Fix end of loop tests for list_for_each_entry() 2022-03-02 11:38:11 +01:00
name_table.h
net.c
net.h
netlink.c tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING 2023-11-20 10:29:21 +01:00
netlink.h
netlink_compat.c tipc: Fix kernel-infoleak due to uninitialized TLV value 2023-11-28 16:46:33 +00:00
node.c tipc: clean up skb list lock handling on send path 2020-07-29 10:16:47 +02:00
node.h
socket.c tipc: improve function tipc_wait_for_cond() 2023-03-17 08:31:44 +01:00
socket.h
subscr.c
subscr.h
sysctl.c
topsrv.c tipc: add an extra conn_get in tipc_conn_alloc 2022-12-08 11:18:30 +01:00
topsrv.h
udp_media.c
udp_media.h