Message ID | 20230924060325.3779150-1-syoshida@redhat.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:cae8:0:b0:403:3b70:6f57 with SMTP id r8csp581568vqu; Sun, 24 Sep 2023 02:45:30 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHWezny1F/RAc8zKfuQ4AXxAHAd1CMkQe7K1Sk92FY7nqWrKOb0U+N9K6nDJ2gQVyL962SS X-Received: by 2002:a17:90b:100e:b0:26d:4421:854d with SMTP id gm14-20020a17090b100e00b0026d4421854dmr2118377pjb.37.1695548730283; Sun, 24 Sep 2023 02:45:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695548730; cv=none; d=google.com; s=arc-20160816; b=VZY/iSLqK9s4mDF4GY+JOu3Pe1wfMUcuAZ9v+IfbcYj/ozdSoG6eXKDnpsdV/9qk7L nZJcJ1wM66y11pnY8u54gul0jGcaO4VBwWFFuVFlLIs2q5/vjhMxvvX4E9xQnEeUoQme oBDLeMhN89f0yKixmWVIeTxq2DHpwCYH9Jo18PB5XiZC2y768Bew95PJ7ezQkEjQ4w0L eFWEajVJVLvCkUZ3Q1FZuoO+oJhkj1Ay3kp2YXAd1sh90E9FIMgmtp+8VkOSmB+dk2h4 j1mFOzmf29RWg/+sfAiXeY6iY0f5LFFvCmFtjDISIOh+pBzcEZWMGcKUDjTZvw5LQuHk 2c6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=95dcBVemM5GhqnMGHhoTgUNEDXpSohpfAJrS5+uZkCM=; fh=8TPg7LlqBUZdwDyuYhH/29UVffjyBl+wgyciVANIUpQ=; b=XE4NVCYqI4YpX6mWAbCvVYs1vGTyyyL/TUTXJ6KEIBHjhVao7IXVSj4pg2O9Mv4yRS jJLtzfGArvotuNrSnqku/wAX3z11VCFkh+pTobdxw5Y4FzOXsSy5ysCj21m5zZqo3TzB bZnNHhuhsgrsJPyDDOuWL8JTBjQUQF4aDNjxQsz8HLjQdWdEjCjIo5hiHHvszIunN8SK f8vBweXp3Cr4NcUKwdvPyZa7HYXCpRmc7HsUBNribedTGFAWBTr2rg8KN9ywrP06QWLI SlUVpfGmv8n1fO6vuG39CWPBNy9dJX3YfCxs5170UzDdl1sQm321mryq/PZb7z0nLYUB Ttnw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=J5vj3ikv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from morse.vger.email (morse.vger.email. [23.128.96.31]) by mx.google.com with ESMTPS id u9-20020a17090a410900b00276ac140106si9761814pjf.165.2023.09.24.02.45.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 24 Sep 2023 02:45:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) client-ip=23.128.96.31; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=J5vj3ikv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.31 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by morse.vger.email (Postfix) with ESMTP id D1A70801F9A3; Sat, 23 Sep 2023 23:04:41 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at morse.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229498AbjIXGE2 (ORCPT <rfc822;pusanteemu@gmail.com> + 30 others); Sun, 24 Sep 2023 02:04:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47772 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229437AbjIXGE1 (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Sun, 24 Sep 2023 02:04:27 -0400 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9BFA7101 for <linux-kernel@vger.kernel.org>; Sat, 23 Sep 2023 23:03:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1695535414; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=95dcBVemM5GhqnMGHhoTgUNEDXpSohpfAJrS5+uZkCM=; b=J5vj3ikvPsl2UAIu9xI6iliWr53GZq1e6B5paE4ZJkLxb/mVvA+lmhFG9MKPyaLVkY3FAU 58v6l3KASEJbwjNRIejFCsYyoXdwUGkERfwW8DsmryGkW4cao1XcB7YqUk7JtXcNsC7Wu+ qSGosmkJ0SfwrMNkMZF2NVWPTAYyYRU= Received: from mail-pj1-f70.google.com (mail-pj1-f70.google.com [209.85.216.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-374-p1iOCMF4NkuKa7cn5fJ8iw-1; Sun, 24 Sep 2023 02:03:32 -0400 X-MC-Unique: p1iOCMF4NkuKa7cn5fJ8iw-1 Received: by mail-pj1-f70.google.com with SMTP id 98e67ed59e1d1-2773b534dd2so617897a91.2 for <linux-kernel@vger.kernel.org>; Sat, 23 Sep 2023 23:03:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695535411; x=1696140211; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=95dcBVemM5GhqnMGHhoTgUNEDXpSohpfAJrS5+uZkCM=; b=vazVyL+15vU+XLN/kB6Frvw420ZReA/nh/2SgrE9caJOEs8Zbe9SpsB8ok2LXBCaPx nf/A7gjVh+y9+lNjPoRS7VH1GMQa68i5U880Qb4b1gECqydniL6I3MBjW/9HN3FxOwUC F5JsEVoz1Q7C5cjMwB/XEQjewh+0J1i1l0jAAWx4ME8VunW1D6EfnGeSpxORaOiTEZIM CyH6+RmXmmLOfAWkIg4ppXeGeeot4bjIgDfD743Y8ksbHpFjy/pGBhULTJRNi0oM7oBb OTzUhMY7RaG1givwovPCYqfJzjaJuGGDwf2Fn+3xlFu2kxA8Edlm8ObqYT5BT3TbjakZ DbKQ== X-Gm-Message-State: AOJu0YymH7LhCZy+k4dsnrLKA1eebhwSFErXSW0tHQmSb5t0seA/nOhM qxWRhQb33S7Q7CXsUaFcbC3rqVlSCKfi/FmD+XeqOG3VgWw2SkrjbCX7zY3SfY5mRqUfhRY8vkl CP/5Ip2wS3u9AB3OPyYtO4ikN X-Received: by 2002:a17:90b:4c92:b0:25d:eca9:1621 with SMTP id my18-20020a17090b4c9200b0025deca91621mr2156640pjb.6.1695535411323; Sat, 23 Sep 2023 23:03:31 -0700 (PDT) X-Received: by 2002:a17:90b:4c92:b0:25d:eca9:1621 with SMTP id my18-20020a17090b4c9200b0025deca91621mr2156633pjb.6.1695535410990; Sat, 23 Sep 2023 23:03:30 -0700 (PDT) Received: from kernel-devel.local ([240d:1a:c0d:9f00:245e:16ff:fe87:c960]) by smtp.gmail.com with ESMTPSA id ki19-20020a17090ae91300b0026b41363887sm7516644pjb.27.2023.09.23.23.03.29 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 23 Sep 2023 23:03:30 -0700 (PDT) From: Shigeru Yoshida <syoshida@redhat.com> To: jmaloy@redhat.com, ying.xue@windriver.com Cc: netdev@vger.kernel.org, tipc-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, Shigeru Yoshida <syoshida@redhat.com>, syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com Subject: [PATCH] tipc: Fix uninit-value access in tipc_nl_node_reset_link_stats() Date: Sun, 24 Sep 2023 15:03:25 +0900 Message-ID: <20230924060325.3779150-1-syoshida@redhat.com> X-Mailer: git-send-email 2.41.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on morse.vger.email Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (morse.vger.email [0.0.0.0]); Sat, 23 Sep 2023 23:04:41 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1777911705375955462 X-GMAIL-MSGID: 1777911705375955462 |
Series |
tipc: Fix uninit-value access in tipc_nl_node_reset_link_stats()
|
|
Commit Message
Shigeru Yoshida
Sept. 24, 2023, 6:03 a.m. UTC
syzbot reported the following uninit-value access issue:
=====================================================
BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
strlen lib/string.c:418 [inline]
strstr+0xb8/0x2f0 lib/string.c:756
tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link names must be null-terminated strings. If a link name which is not
null-terminated is passed through netlink, strstr() and similar functions
can cause buffer overrun. This causes the above issue.
This patch fixes this issue by returning -EINVAL if a non-null-terminated
link name is passed.
Fixes: ae36342b50a9 ("tipc: add link stat reset to new netlink api")
Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
net/tipc/node.c | 4 ++++
1 file changed, 4 insertions(+)
Comments
On 2023-09-24 02:03, Shigeru Yoshida wrote: > syzbot reported the following uninit-value access issue: > > ===================================================== > BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] > BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 > strlen lib/string.c:418 [inline] > strstr+0xb8/0x2f0 lib/string.c:756 > tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 > genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] > genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] > genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 > netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 > genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 > netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] > netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 > netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 > __sys_sendmsg net/socket.c:2624 [inline] > __do_sys_sendmsg net/socket.c:2633 [inline] > __se_sys_sendmsg net/socket.c:2631 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Uninit was created at: > slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 > slab_alloc_node mm/slub.c:3478 [inline] > kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 > kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 > __alloc_skb+0x318/0x740 net/core/skbuff.c:650 > alloc_skb include/linux/skbuff.h:1286 [inline] > netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] > netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 > __sys_sendmsg net/socket.c:2624 [inline] > __do_sys_sendmsg net/socket.c:2633 [inline] > __se_sys_sendmsg net/socket.c:2631 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Link names must be null-terminated strings. If a link name which is not > null-terminated is passed through netlink, strstr() and similar functions > can cause buffer overrun. This causes the above issue. > > This patch fixes this issue by returning -EINVAL if a non-null-terminated > link name is passed. > > Fixes: ae36342b50a9 ("tipc: add link stat reset to new netlink api") > Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 > Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> > --- > net/tipc/node.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/tipc/node.c b/net/tipc/node.c > index 3105abe97bb9..f167bdafc034 100644 > --- a/net/tipc/node.c > +++ b/net/tipc/node.c > @@ -2586,6 +2586,10 @@ int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) > > link_name = nla_data(attrs[TIPC_NLA_LINK_NAME]); > > + if (link_name[strnlen(link_name, > + nla_len(attrs[TIPC_NLA_LINK_NAME]))] != '\0') > + return -EINVAL; > + > err = -EINVAL; > if (!strcmp(link_name, tipc_bclink_name)) { > err = tipc_bclink_reset_stats(net, tipc_bc_sndlink(net)); Acked-by: Jon Maloy <jmaloy@redhat.com>
On 9/26/23 20:19, Jon Maloy wrote: > > > On 2023-09-24 02:03, Shigeru Yoshida wrote: >> syzbot reported the following uninit-value access issue: >> >> ===================================================== >> BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] >> BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 >> strlen lib/string.c:418 [inline] >> strstr+0xb8/0x2f0 lib/string.c:756 >> tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 >> genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] >> genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] >> genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 >> netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 >> genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 >> netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] >> netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 >> netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 >> __sys_sendmsg net/socket.c:2624 [inline] >> __do_sys_sendmsg net/socket.c:2633 [inline] >> __se_sys_sendmsg net/socket.c:2631 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Uninit was created at: >> slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 >> slab_alloc_node mm/slub.c:3478 [inline] >> kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 >> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 >> __alloc_skb+0x318/0x740 net/core/skbuff.c:650 >> alloc_skb include/linux/skbuff.h:1286 [inline] >> netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] >> netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 >> __sys_sendmsg net/socket.c:2624 [inline] >> __do_sys_sendmsg net/socket.c:2633 [inline] >> __se_sys_sendmsg net/socket.c:2631 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Link names must be null-terminated strings. If a link name which is not >> null-terminated is passed through netlink, strstr() and similar functions >> can cause buffer overrun. This causes the above issue. >> >> This patch fixes this issue by returning -EINVAL if a non-null-terminated >> link name is passed. >> >> Fixes: ae36342b50a9 ("tipc: add link stat reset to new netlink api") >> Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 >> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> >> --- >> net/tipc/node.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/tipc/node.c b/net/tipc/node.c >> index 3105abe97bb9..f167bdafc034 100644 >> --- a/net/tipc/node.c >> +++ b/net/tipc/node.c >> @@ -2586,6 +2586,10 @@ int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) >> link_name = nla_data(attrs[TIPC_NLA_LINK_NAME]); >> + if (link_name[strnlen(link_name, >> + nla_len(attrs[TIPC_NLA_LINK_NAME]))] != '\0') >> + return -EINVAL; >> + >> err = -EINVAL; >> if (!strcmp(link_name, tipc_bclink_name)) { >> err = tipc_bclink_reset_stats(net, tipc_bc_sndlink(net)); > Acked-by: Jon Maloy <jmaloy@redhat.com> Thanks! syzbot reported very similar issue regarding bearer name too. I've sent a patch for that issue. Thanks, Shigeru
On Sun, 2023-09-24 at 15:03 +0900, Shigeru Yoshida wrote: > syzbot reported the following uninit-value access issue: > > ===================================================== > BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] > BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 > strlen lib/string.c:418 [inline] > strstr+0xb8/0x2f0 lib/string.c:756 > tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 > genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] > genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] > genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 > netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 > genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 > netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] > netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 > netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 > __sys_sendmsg net/socket.c:2624 [inline] > __do_sys_sendmsg net/socket.c:2633 [inline] > __se_sys_sendmsg net/socket.c:2631 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Uninit was created at: > slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 > slab_alloc_node mm/slub.c:3478 [inline] > kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 > kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 > __alloc_skb+0x318/0x740 net/core/skbuff.c:650 > alloc_skb include/linux/skbuff.h:1286 [inline] > netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] > netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 > sock_sendmsg_nosec net/socket.c:730 [inline] > sock_sendmsg net/socket.c:753 [inline] > ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 > ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 > __sys_sendmsg net/socket.c:2624 [inline] > __do_sys_sendmsg net/socket.c:2633 [inline] > __se_sys_sendmsg net/socket.c:2631 [inline] > __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x63/0xcd > > Link names must be null-terminated strings. If a link name which is not > null-terminated is passed through netlink, strstr() and similar functions > can cause buffer overrun. This causes the above issue. > > This patch fixes this issue by returning -EINVAL if a non-null-terminated > link name is passed. > > Fixes: ae36342b50a9 ("tipc: add link stat reset to new netlink api") > Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 > Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> > --- > net/tipc/node.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/tipc/node.c b/net/tipc/node.c > index 3105abe97bb9..f167bdafc034 100644 > --- a/net/tipc/node.c > +++ b/net/tipc/node.c > @@ -2586,6 +2586,10 @@ int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) > > link_name = nla_data(attrs[TIPC_NLA_LINK_NAME]); > > + if (link_name[strnlen(link_name, > + nla_len(attrs[TIPC_NLA_LINK_NAME]))] != '\0') > + return -EINVAL; I have the same comment as for the other tipc patch, please use nla_strscpy instead, thanks! Paolo
On Tue, 03 Oct 2023 10:58:54 +0200, Paolo Abeni wrote: > On Sun, 2023-09-24 at 15:03 +0900, Shigeru Yoshida wrote: >> syzbot reported the following uninit-value access issue: >> >> ===================================================== >> BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] >> BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 >> strlen lib/string.c:418 [inline] >> strstr+0xb8/0x2f0 lib/string.c:756 >> tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 >> genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] >> genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] >> genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 >> netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 >> genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 >> netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] >> netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 >> netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 >> __sys_sendmsg net/socket.c:2624 [inline] >> __do_sys_sendmsg net/socket.c:2633 [inline] >> __se_sys_sendmsg net/socket.c:2631 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Uninit was created at: >> slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 >> slab_alloc_node mm/slub.c:3478 [inline] >> kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 >> kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 >> __alloc_skb+0x318/0x740 net/core/skbuff.c:650 >> alloc_skb include/linux/skbuff.h:1286 [inline] >> netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] >> netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 >> sock_sendmsg_nosec net/socket.c:730 [inline] >> sock_sendmsg net/socket.c:753 [inline] >> ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 >> ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 >> __sys_sendmsg net/socket.c:2624 [inline] >> __do_sys_sendmsg net/socket.c:2633 [inline] >> __se_sys_sendmsg net/socket.c:2631 [inline] >> __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 >> do_syscall_x64 arch/x86/entry/common.c:50 [inline] >> do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 >> entry_SYSCALL_64_after_hwframe+0x63/0xcd >> >> Link names must be null-terminated strings. If a link name which is not >> null-terminated is passed through netlink, strstr() and similar functions >> can cause buffer overrun. This causes the above issue. >> >> This patch fixes this issue by returning -EINVAL if a non-null-terminated >> link name is passed. >> >> Fixes: ae36342b50a9 ("tipc: add link stat reset to new netlink api") >> Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com >> Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 >> Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> >> --- >> net/tipc/node.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/net/tipc/node.c b/net/tipc/node.c >> index 3105abe97bb9..f167bdafc034 100644 >> --- a/net/tipc/node.c >> +++ b/net/tipc/node.c >> @@ -2586,6 +2586,10 @@ int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) >> >> link_name = nla_data(attrs[TIPC_NLA_LINK_NAME]); >> >> + if (link_name[strnlen(link_name, >> + nla_len(attrs[TIPC_NLA_LINK_NAME]))] != '\0') >> + return -EINVAL; > > I have the same comment as for the other tipc patch, please use > nla_strscpy instead, thanks! Thank you for your comment. I'll send a v2 patch using nla_strscpy() and check if other usage of TIPC_NLA_LINK_NAME have the same issue. Thanks, Shigeru > > Paolo >
diff --git a/net/tipc/node.c b/net/tipc/node.c index 3105abe97bb9..f167bdafc034 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -2586,6 +2586,10 @@ int tipc_nl_node_reset_link_stats(struct sk_buff *skb, struct genl_info *info) link_name = nla_data(attrs[TIPC_NLA_LINK_NAME]); + if (link_name[strnlen(link_name, + nla_len(attrs[TIPC_NLA_LINK_NAME]))] != '\0') + return -EINVAL; + err = -EINVAL; if (!strcmp(link_name, tipc_bclink_name)) { err = tipc_bclink_reset_stats(net, tipc_bc_sndlink(net));