[net-next] netlink: Fix potential skb memleak in netlink_ack

Message ID 7a382b9503d10d235238ca55938bc933d92a1de7.1667389213.git.chentao.kernel@linux.alibaba.com
State New
Headers
Series [net-next] netlink: Fix potential skb memleak in netlink_ack |

Commit Message

Tao Chen Nov. 2, 2022, 12:08 p.m. UTC
  We should clean the skb resource if nlmsg_put/append failed
, so fix it.

Fiexs: commit 738136a0e375 ("netlink: split up copies in the
ack construction")
Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
---
 net/netlink/af_netlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
  

Comments

Kees Cook Nov. 2, 2022, 3:05 p.m. UTC | #1
On November 2, 2022 5:08:20 AM PDT, Tao Chen <chentao.kernel@linux.alibaba.com> wrote:
>We should clean the skb resource if nlmsg_put/append failed
>, so fix it.
>
>Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>ack construction")
>Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
>---
> net/netlink/af_netlink.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
>diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>index c6b8207e..9d73dae 100644
>--- a/net/netlink/af_netlink.c
>+++ b/net/netlink/af_netlink.c
>@@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> 
> 	skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
> 	if (!skb)
>-		goto err_bad_put;
>+		goto err_skb;
> 
> 	rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
> 			NLMSG_ERROR, sizeof(*errmsg), flags);
>@@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
> 	return;
> 
> err_bad_put:
>+	kfree_skb(skb);
>+err_skb:
> 	NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
> 	sk_error_report(NETLINK_CB(in_skb).sk);
> }

It didn't do this before... Is this right?
  
Jakub Kicinski Nov. 2, 2022, 9:39 p.m. UTC | #2
On Wed,  2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
> We should clean the skb resource if nlmsg_put/append failed
> , so fix it.

The comma should be at the end of the previous line.
But really the entire ", so fix it." is redundant.

> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
> ack construction")

Please look around to see how to correctly format a Fixes tag
(including not line wrapping it).

How did you find this bug? An automated tool? Syzbot?

One more note below on the code itself.

> Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
> ---
>  net/netlink/af_netlink.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
> index c6b8207e..9d73dae 100644
> --- a/net/netlink/af_netlink.c
> +++ b/net/netlink/af_netlink.c
> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>  
>  	skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
>  	if (!skb)
> -		goto err_bad_put;
> +		goto err_skb;
>  
>  	rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
>  			NLMSG_ERROR, sizeof(*errmsg), flags);
> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>  	return;
>  
>  err_bad_put:
> +	kfree_skb(skb);

Please use nlmsg_free() since we allocated with nlmsg_new().

> +err_skb:
>  	NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
>  	sk_error_report(NETLINK_CB(in_skb).sk);
>  }
  
Tao Chen Nov. 4, 2022, 6:15 a.m. UTC | #3
在 2022/11/3 上午5:39, Jakub Kicinski 写道:
> On Wed,  2 Nov 2022 20:08:20 +0800 Tao Chen wrote:
>> We should clean the skb resource if nlmsg_put/append failed
>> , so fix it.
> 
> The comma should be at the end of the previous line.
> But really the entire ", so fix it." is redundant.
> 
Thank you, i will pay attention next time
>> Fiexs: commit 738136a0e375 ("netlink: split up copies in the
>> ack construction")
> 
> Please look around to see how to correctly format a Fixes tag
> (including not line wrapping it).
> 
> How did you find this bug? An automated tool? Syzbot?
> 
> One more note below on the code itself.
> 
This was found by the coverity tool, i will add it.
>> Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
>> ---
>>   net/netlink/af_netlink.c | 4 +++-
>>   1 file changed, 3 insertions(+), 1 deletion(-)
>>
>> diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
>> index c6b8207e..9d73dae 100644
>> --- a/net/netlink/af_netlink.c
>> +++ b/net/netlink/af_netlink.c
>> @@ -2500,7 +2500,7 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>>   
>>   	skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
>>   	if (!skb)
>> -		goto err_bad_put;
>> +		goto err_skb;
>>   
>>   	rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
>>   			NLMSG_ERROR, sizeof(*errmsg), flags);
>> @@ -2528,6 +2528,8 @@ void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
>>   	return;
>>   
>>   err_bad_put:
>> +	kfree_skb(skb);
> 
> Please use nlmsg_free() since we allocated with nlmsg_new().
> 
Ok, i will send it in v2.
>> +err_skb:
>>   	NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
>>   	sk_error_report(NETLINK_CB(in_skb).sk);
>>   }
  

Patch

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index c6b8207e..9d73dae 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -2500,7 +2500,7 @@  void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
 
 	skb = nlmsg_new(payload + tlvlen, GFP_KERNEL);
 	if (!skb)
-		goto err_bad_put;
+		goto err_skb;
 
 	rep = nlmsg_put(skb, NETLINK_CB(in_skb).portid, nlh->nlmsg_seq,
 			NLMSG_ERROR, sizeof(*errmsg), flags);
@@ -2528,6 +2528,8 @@  void netlink_ack(struct sk_buff *in_skb, struct nlmsghdr *nlh, int err,
 	return;
 
 err_bad_put:
+	kfree_skb(skb);
+err_skb:
 	NETLINK_CB(in_skb).sk->sk_err = ENOBUFS;
 	sk_error_report(NETLINK_CB(in_skb).sk);
 }