All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, ChunYu Wang <chunwang@redhat.com>,
	Xin Long <lucien.xin@gmail.com>, Chris Leech <cleech@redhat.com>,
	"Martin K. Petersen" <martin.petersen@oracle.com>
Subject: [PATCH 4.4 08/41] scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesnt parse nlmsg properly
Date: Tue,  3 Oct 2017 14:21:09 +0200	[thread overview]
Message-ID: <20171003114220.425954092@linuxfoundation.org> (raw)
In-Reply-To: <20171003114219.900672076@linuxfoundation.org>

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit c88f0e6b06f4092995688211a631bb436125d77b upstream.

ChunYu found a kernel crash by syzkaller:

[  651.617875] kasan: CONFIG_KASAN_INLINE enabled
[  651.618217] kasan: GPF could be caused by NULL-ptr deref or user memory access
[  651.618731] general protection fault: 0000 [#1] SMP KASAN
[  651.621543] CPU: 1 PID: 9539 Comm: scsi Not tainted 4.11.0.cov #32
[  651.621938] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
[  651.622309] task: ffff880117780000 task.stack: ffff8800a3188000
[  651.622762] RIP: 0010:skb_release_data+0x26c/0x590
[...]
[  651.627260] Call Trace:
[  651.629156]  skb_release_all+0x4f/0x60
[  651.629450]  consume_skb+0x1a5/0x600
[  651.630705]  netlink_unicast+0x505/0x720
[  651.632345]  netlink_sendmsg+0xab2/0xe70
[  651.633704]  sock_sendmsg+0xcf/0x110
[  651.633942]  ___sys_sendmsg+0x833/0x980
[  651.637117]  __sys_sendmsg+0xf3/0x240
[  651.638820]  SyS_sendmsg+0x32/0x50
[  651.639048]  entry_SYSCALL_64_fastpath+0x1f/0xc2

It's caused by skb_shared_info at the end of sk_buff was overwritten by
ISCSI_KEVENT_IF_ERROR when parsing nlmsg info from skb in iscsi_if_rx.

During the loop if skb->len == nlh->nlmsg_len and both are sizeof(*nlh),
ev = nlmsg_data(nlh) will acutally get skb_shinfo(SKB) instead and set a
new value to skb_shinfo(SKB)->nr_frags by ev->type.

This patch is to fix it by checking nlh->nlmsg_len properly there to
avoid over accessing sk_buff.

Reported-by: ChunYu Wang <chunwang@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Chris Leech <cleech@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_transport_iscsi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -3697,7 +3697,7 @@ iscsi_if_rx(struct sk_buff *skb)
 		uint32_t group;
 
 		nlh = nlmsg_hdr(skb);
-		if (nlh->nlmsg_len < sizeof(*nlh) ||
+		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
 		    skb->len < nlh->nlmsg_len) {
 			break;
 		}

  parent reply	other threads:[~2017-10-03 12:22 UTC|newest]

Thread overview: 54+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-03 12:21 [PATCH 4.4 00/41] 4.4.90-stable review Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 01/41] cifs: release auth_key.response for reconnect Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 02/41] mac80211: flush hw_roc_start work before cancelling the ROC Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 03/41] KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce() Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 04/41] tracing: Fix trace_pipe behavior for instance traces Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 05/41] tracing: Erase irqsoff trace with empty write Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 06/41] md/raid5: fix a race condition in stripe batch Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 07/41] md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list Greg Kroah-Hartman
2017-10-03 12:21 ` Greg Kroah-Hartman [this message]
2017-10-03 12:21 ` [PATCH 4.4 09/41] crypto: talitos - Dont provide setkey for non hmac hashing algs Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 10/41] crypto: talitos - fix sha224 Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 11/41] KEYS: fix writing past end of user-supplied buffer in keyring_read() Greg Kroah-Hartman
2017-10-16 15:47   ` Ben Hutchings
2017-10-16 18:12     ` Eric Biggers
2017-10-16 18:12       ` Eric Biggers
2017-10-19 15:27     ` David Howells
2017-10-19 17:09       ` Eric Biggers
2017-10-24 23:19       ` Eric Biggers
2017-10-25  9:31         ` Ben Hutchings
2017-11-01 15:24         ` David Howells
2017-10-03 12:21 ` [PATCH 4.4 12/41] KEYS: prevent creating a different users keyrings Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 13/41] KEYS: prevent KEYCTL_READ on negative key Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 14/41] powerpc/pseries: Fix parent_dn reference leak in add_dt_node() Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 15/41] Fix SMB3.1.1 guest authentication to Samba Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 16/41] SMB: Validate negotiate (to protect against downgrade) even if signing off Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 17/41] SMB3: Dont ignore O_SYNC/O_DSYNC and O_DIRECT flags Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 18/41] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 19/41] nl80211: check for the required netlink attributes presence Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 20/41] bsg-lib: dont free job in bsg_prepare_job Greg Kroah-Hartman
2017-10-16 16:32   ` Ben Hutchings
2017-10-03 12:21 ` [PATCH 4.4 21/41] seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter() Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 22/41] arm64: Make sure SPsel is always set Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 23/41] arm64: fault: Route pte translation faults via do_translation_fault Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 25/41] kvm: nVMX: Dont allow L2 to access the hardware CR8 Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 26/41] PCI: Fix race condition with driver_override Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 27/41] btrfs: fix NULL pointer dereference from free_reloc_roots() Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 28/41] btrfs: propagate error to btrfs_cmp_data_prepare caller Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 29/41] btrfs: prevent to set invalid default subvolid Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 30/41] x86/fpu: Dont let userspace set bogus xcomp_bv Greg Kroah-Hartman
2017-10-03 12:21   ` [kernel-hardening] " Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 31/41] gfs2: Fix debugfs glocks dump Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 32/41] timer/sysclt: Restrict timer migration sysctl values to 0 and 1 Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 35/41] cxl: Fix driver use count Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 36/41] dmaengine: mmp-pdma: add number of requestors Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 37/41] ARM: pxa: add the number of DMA requestor lines Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 38/41] ARM: pxa: fix " Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 39/41] KVM: VMX: use cmpxchg64 Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 40/41] video: fbdev: aty: do not leak uninitialized padding in clk to userspace Greg Kroah-Hartman
2017-10-03 12:21 ` [PATCH 4.4 41/41] swiotlb-xen: implement xen_swiotlb_dma_mmap callback Greg Kroah-Hartman
2017-10-03 19:26 ` [PATCH 4.4 00/41] 4.4.90-stable review Shuah Khan
2017-10-03 20:30 ` Tom Gall
2017-10-04  7:55   ` Greg Kroah-Hartman
2017-10-04  8:29     ` Sumit Semwal
2017-10-03 20:41 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20171003114220.425954092@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=chunwang@redhat.com \
    --cc=cleech@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=martin.petersen@oracle.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.