| Message ID | 20230926125120.152133-1-syoshida@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp1973968vqu;
Tue, 26 Sep 2023 07:52:59 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IGuo+tZ22Q6pfm2lHA3k2J+SHkU9PEjOOwezrnXtKtpILYroGK3vKc8U8ex7OFlbL9ie/Xm
X-Received: by 2002:a05:6a00:1a8d:b0:691:320:b551 with SMTP id
e13-20020a056a001a8d00b006910320b551mr11790698pfv.34.1695739979385;
Tue, 26 Sep 2023 07:52:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1695739979; cv=none;
d=google.com; s=arc-20160816;
b=fItTtca5Dq1/JmYJKFrLh+DUm9BwpjGPJ22khvonRzBc/lud544EHwHL6OvEZRvzkc
UR1KlT4vWmn+yWcj8IVGgSzXSzOo/FkYXfbmmPr3Rb/Z2IRwv/YxFt/XumiiC8nWnbys
Kz23V5TCfO3vz5u6c+aQ8VEw6QKamyEkOvdNj7R5oKBagP+i97mVIoDJ357uDgZluQDF
IgypeaE0K2VfQ4v3GSniU1BT3xo4UUS6kgYSa9pbktQEpJ/tmDVWL269SxoL/PB/F7FY
+NcoVwdK4i7vbxt8zv05GlkyLZspqu9u04j3jUplmHv5NVTzo4RNkipyyYs/a+fDqCB5
MJOw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=nbqEqYzMG8OvMQKPGMsJuelnBP8p4ESu+dJKIU0PfUA=;
fh=iXxQvXZoJxtUk7DnNU7GJaOjdtmIl+sp7PeJLrYZtfE=;
b=BIxjToQezFCrApMxz5f7nYNsooaG10z1eG6ym9zfd5le7rtGLqH9EUzc4VMc8b2nme
ATvS/aUsegDBTiX+tu+JDIDI5eWyqobXMiCz2bg7mo8qMBQibEqqt9Uwgc7LWVBCVAbz
kYB01L0VT4UWH9lob5VJ4vB712RHvGrKJDqEvyUDjE89FbGP+iPeXAogjktWVkyGvx0k
o05kRvX8Z3q/JwOeSnuWK63WCsV78fsIngjVIBdHluVyyAPXhZzmWd/i1Bqqvcj5PBZw
eeagHHXrg3Y25F+DAYWTdhTnC+eITr9p1o9m9tuv0mhkeQAR0hlJdsNbaqKMM7N42xMl
tvbw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b="ISui3O8/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from groat.vger.email (groat.vger.email. [23.128.96.35])
by mx.google.com with ESMTPS id
h14-20020a056a001a4e00b0069018a768cesi13272654pfv.405.2023.09.26.07.52.58
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 26 Sep 2023 07:52:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b="ISui3O8/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 23.128.96.35 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by groat.vger.email (Postfix) with ESMTP id 6BE4D830D109;
Tue, 26 Sep 2023 05:52:40 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234688AbjIZMw0 (ORCPT <rfc822;pwkd43@gmail.com> + 28 others);
Tue, 26 Sep 2023 08:52:26 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35788 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S233739AbjIZMwY (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 26 Sep 2023 08:52:24 -0400
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.133.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 58FDEDD
for <linux-kernel@vger.kernel.org>;
Tue, 26 Sep 2023 05:51:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1695732689;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=nbqEqYzMG8OvMQKPGMsJuelnBP8p4ESu+dJKIU0PfUA=;
b=ISui3O8/onamUYExM/Bb3ANq8VG3vh7en4aIUBh4XAe6yeraByHzjoFrIBKOKa84eNArKm
r0CYGPCxxKGnJgWFR1TwfuhwV+65oa8MOjzxOQs4Y043RoYOov1fdy1epaHdp+q1Ue62Lg
PRPeQN1LCJEttmPA+3uCEaOWC+X9UvM=
Received: from mail-pg1-f198.google.com (mail-pg1-f198.google.com
[209.85.215.198]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-524-c4SVL2rwOACtSwJe3iVwhA-1; Tue, 26 Sep 2023 08:51:27 -0400
X-MC-Unique: c4SVL2rwOACtSwJe3iVwhA-1
Received: by mail-pg1-f198.google.com with SMTP id
41be03b00d2f7-577f80e2385so11210031a12.1
for <linux-kernel@vger.kernel.org>;
Tue, 26 Sep 2023 05:51:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1695732687; x=1696337487;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=nbqEqYzMG8OvMQKPGMsJuelnBP8p4ESu+dJKIU0PfUA=;
b=RfXxh3OmJc07DhyftxMygggsQF8exjHqyoZlPY3152XG1cfOT96nq/M75t8EvIVh8M
IruFTF53d8wT4EKrKIq/dowdVDjpVuEqEjGU4YufuKovlBUamhMONWmxWFdSUFKrDfi/
5kn0AiDccsv+VeH42cV05TyhoHCat2vCFTZfbgMWmlzMWZYp8nMMOmqKQ01rbN135Z8X
TZdmfX/MnIyBD63e+m+BKM+tI+77Rwn9coAg3jmzQDhmD0WgXJrlqCOcHWCKhIUzki2j
t9BKm6BHwlk8LHnaBYwyV+sw2XcvUa1c+ymxfcwtch7kaoowdYgPKRq4eyTfVSLHnvXN
qX/Q==
X-Gm-Message-State: AOJu0Ywokb0ZuxlKpOSO7EHN4AtjYqXnFlizu/dFND9OmXtJc1ZPPx0F
NtdgAs5/pwMIXDTu0MBeaP7PVF7BI2puzI4Q3oDdXa8YaipgHdbqRWdSS64+858/WSiCzUnmhKd
JaH5GxWZOG+fdV6L+A/cWqXC+
X-Received: by 2002:a05:6a21:3381:b0:160:d030:ae9 with SMTP id
yy1-20020a056a21338100b00160d0300ae9mr2043360pzb.25.1695732686818;
Tue, 26 Sep 2023 05:51:26 -0700 (PDT)
X-Received: by 2002:a05:6a21:3381:b0:160:d030:ae9 with SMTP id
yy1-20020a056a21338100b00160d0300ae9mr2043347pzb.25.1695732686492;
Tue, 26 Sep 2023 05:51:26 -0700 (PDT)
Received: from kernel-devel.local ([240d:1a:c0d:9f00:245e:16ff:fe87:c960])
by smtp.gmail.com with ESMTPSA id
a5-20020a170902ee8500b001c62d63b817sm1701166pld.179.2023.09.26.05.51.24
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Tue, 26 Sep 2023 05:51:26 -0700 (PDT)
From: Shigeru Yoshida <syoshida@redhat.com>
To: jmaloy@redhat.com, ying.xue@windriver.com
Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
Shigeru Yoshida <syoshida@redhat.com>,
syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Subject: [PATCH] tipc: Fix uninit-value access in __tipc_nl_bearer_enable()
Date: Tue, 26 Sep 2023 21:51:20 +0900
Message-ID: <20230926125120.152133-1-syoshida@redhat.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]);
Tue, 26 Sep 2023 05:52:40 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1778112244979447672
X-GMAIL-MSGID: 1778112244979447672
|
| Series |
tipc: Fix uninit-value access in __tipc_nl_bearer_enable()
|
|
Commit Message
Shigeru Yoshida
Sept. 26, 2023, 12:51 p.m. UTC
syzbot reported the following uninit-value access issue:
=====================================================
BUG: KMSAN: uninit-value in strscpy+0xc4/0x160
strscpy+0xc4/0x160
bearer_name_validate net/tipc/bearer.c:147 [inline]
tipc_enable_bearer net/tipc/bearer.c:259 [inline]
__tipc_nl_bearer_enable+0x634/0x2220 net/tipc/bearer.c:1043
tipc_nl_bearer_enable+0x3c/0x70 net/tipc/bearer.c:1052
genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594
__sys_sendmsg net/socket.c:2623 [inline]
__do_sys_sendmsg net/socket.c:2632 [inline]
__se_sys_sendmsg net/socket.c:2630 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2630
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:644
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594
__sys_sendmsg net/socket.c:2623 [inline]
__do_sys_sendmsg net/socket.c:2632 [inline]
__se_sys_sendmsg net/socket.c:2630 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2630
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Bearer names must be null-terminated strings. If a bearer name which is not
null-terminated is passed through netlink, strcpy() and similar functions
can cause buffer overrun. This causes the above issue.
This patch fixes this issue by returning -EINVAL if a non-null-terminated
bearer name is passed.
Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api")
Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
net/tipc/bearer.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On Tue, Sep 26, 2023 at 09:51:20PM +0900, Shigeru Yoshida wrote: > syzbot reported the following uninit-value access issue: > > ===================================================== > BUG: KMSAN: uninit-value in strscpy+0xc4/0x160 > strscpy+0xc4/0x160 > bearer_name_validate net/tipc/bearer.c:147 [inline] > tipc_enable_bearer net/tipc/bearer.c:259 [inline] > __tipc_nl_bearer_enable+0x634/0x2220 net/tipc/bearer.c:1043 > tipc_nl_bearer_enable+0x3c/0x70 net/tipc/bearer.c:1052 > genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] > genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] > genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 > netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 > genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 > netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] > netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 > netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 > __sys_sendmsg net/socket.c:2623 [inline] > __do_sys_sendmsg net/socket.c:2632 [inline] > __se_sys_sendmsg net/socket.c:2630 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Uninit was created at: > slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 > slab_alloc_node mm/slub.c:3478 [inline] > kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 > kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559 > __alloc_skb+0x318/0x740 net/core/skbuff.c:644 > alloc_skb include/linux/skbuff.h:1286 [inline] > netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] > netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 > __sys_sendmsg net/socket.c:2623 [inline] > __do_sys_sendmsg net/socket.c:2632 [inline] > __se_sys_sendmsg net/socket.c:2630 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Bearer names must be null-terminated strings. If a bearer name which is not > null-terminated is passed through netlink, strcpy() and similar functions > can cause buffer overrun. This causes the above issue. > > This patch fixes this issue by returning -EINVAL if a non-null-terminated > bearer name is passed. > > Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") > Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 > Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Reviewed-by: Simon Horman <horms@kernel.org>
On Tue, 2023-09-26 at 21:51 +0900, Shigeru Yoshida wrote: > syzbot reported the following uninit-value access issue: > > ===================================================== > BUG: KMSAN: uninit-value in strscpy+0xc4/0x160 > strscpy+0xc4/0x160 > bearer_name_validate net/tipc/bearer.c:147 [inline] > tipc_enable_bearer net/tipc/bearer.c:259 [inline] > __tipc_nl_bearer_enable+0x634/0x2220 net/tipc/bearer.c:1043 > tipc_nl_bearer_enable+0x3c/0x70 net/tipc/bearer.c:1052 > genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] > genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] > genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 > netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 > genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 > netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] > netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 > netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 > __sys_sendmsg net/socket.c:2623 [inline] > __do_sys_sendmsg net/socket.c:2632 [inline] > __se_sys_sendmsg net/socket.c:2630 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Uninit was created at: > slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 > slab_alloc_node mm/slub.c:3478 [inline] > kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 > kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559 > __alloc_skb+0x318/0x740 net/core/skbuff.c:644 > alloc_skb include/linux/skbuff.h:1286 [inline] > netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] > netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 > __sys_sendmsg net/socket.c:2623 [inline] > __do_sys_sendmsg net/socket.c:2632 [inline] > __se_sys_sendmsg net/socket.c:2630 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Bearer names must be null-terminated strings. If a bearer name which is not > null-terminated is passed through netlink, strcpy() and similar functions > can cause buffer overrun. This causes the above issue. > > This patch fixes this issue by returning -EINVAL if a non-null-terminated > bearer name is passed. > > Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") > Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 > Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> > --- > net/tipc/bearer.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c > index 2cde375477e3..62047d20e14d 100644 > --- a/net/tipc/bearer.c > +++ b/net/tipc/bearer.c > @@ -1025,6 +1025,10 @@ int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info) > > bearer = nla_data(attrs[TIPC_NLA_BEARER_NAME]); > > + if (bearer[strnlen(bearer, > + nla_len(attrs[TIPC_NLA_BEARER_NAME]))] != '\0') if 'bearer' is not NULL terminated, the above will access the first byte after the TIPC_NLA_BEARER_NAME attribute. I think it would cleaner and safer using nla_strscpy() instead. Quickly skimming over the tpic code, most TIPC_NLA_BEARER_NAME access looks unsafe, and possibly a similar fix should be applied in more places. Thanks, Paolo
On Tue, 03 Oct 2023 10:52:50 +0200, Paolo Abeni wrote: > On Tue, 2023-09-26 at 21:51 +0900, Shigeru Yoshida wrote: >> syzbot reported the following uninit-value access issue: >> >> ===================================================== >> BUG: KMSAN: uninit-value in strscpy+0xc4/0x160 >> strscpy+0xc4/0x160 >> bearer_name_validate net/tipc/bearer.c:147 [inline] >> tipc_enable_bearer net/tipc/bearer.c:259 [inline] >> __tipc_nl_bearer_enable+0x634/0x2220 net/tipc/bearer.c:1043 >> tipc_nl_bearer_enable+0x3c/0x70 net/tipc/bearer.c:1052 >> genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] >> genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] >> genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 >> netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 >> genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 >> netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] >> netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 >> netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 >> __sys_sendmsg net/socket.c:2623 [inline] >> __do_sys_sendmsg net/socket.c:2632 [inline] >> __se_sys_sendmsg net/socket.c:2630 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Uninit was created at: >> slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 >> slab_alloc_node mm/slub.c:3478 [inline] >> kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 >> kmalloc_reserve+0x148/0x470 net/core/skbuff.c:559 >> __alloc_skb+0x318/0x740 net/core/skbuff.c:644 >> alloc_skb include/linux/skbuff.h:1286 [inline] >> netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] >> netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2540 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2594 >> __sys_sendmsg net/socket.c:2623 [inline] >> __do_sys_sendmsg net/socket.c:2632 [inline] >> __se_sys_sendmsg net/socket.c:2630 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2630 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Bearer names must be null-terminated strings. If a bearer name which is not >> null-terminated is passed through netlink, strcpy() and similar functions >> can cause buffer overrun. This causes the above issue. >> >> This patch fixes this issue by returning -EINVAL if a non-null-terminated >> bearer name is passed. >> >> Fixes: 0655f6a8635b ("tipc: add bearer disable/enable to new netlink api") >> Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 >> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> >> --- >> net/tipc/bearer.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c >> index 2cde375477e3..62047d20e14d 100644 >> --- a/net/tipc/bearer.c >> +++ b/net/tipc/bearer.c >> @@ -1025,6 +1025,10 @@ int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info) >> >> bearer = nla_data(attrs[TIPC_NLA_BEARER_NAME]); >> >> + if (bearer[strnlen(bearer, >> + nla_len(attrs[TIPC_NLA_BEARER_NAME]))] != '\0') > > if 'bearer' is not NULL terminated, the above will access the first > byte after the TIPC_NLA_BEARER_NAME attribute. > > I think it would cleaner and safer using nla_strscpy() instead. Thank you so much for your comment. I didn't notice the existence of nla_strscpy(). > Quickly skimming over the tpic code, most TIPC_NLA_BEARER_NAME access > looks unsafe, and possibly a similar fix should be applied in more > places. I've checked the usage of TIPC_NLA_BEARER_NAME accesses. These might cause the same issue, so the same fix should be needed, as you say. I'll send a v2 patch. Thanks, Shigeru > > Thanks, > > Paolo >
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c index 2cde375477e3..62047d20e14d 100644 --- a/net/tipc/bearer.c +++ b/net/tipc/bearer.c @@ -1025,6 +1025,10 @@ int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info) bearer = nla_data(attrs[TIPC_NLA_BEARER_NAME]); + if (bearer[strnlen(bearer, + nla_len(attrs[TIPC_NLA_BEARER_NAME]))] != '\0') + return -EINVAL; + if (attrs[TIPC_NLA_BEARER_DOMAIN]) domain = nla_get_u32(attrs[TIPC_NLA_BEARER_DOMAIN]);