From: David Miller
Date: Tue, 02 Apr 2019 13:23:06 -0700 (PDT)
To: penguin-kernel@I-love.SAKURA.ne.jp
Cc: netdev@vger.kernel.org, syzbot+0049bebbf3042dbd2e8f@syzkaller.appspotmail.com, syzbot+915c9f99f3dbc4bd6cd1@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: socket: Always initialize family field at move_addr_to_kernel().
Message-Id: <20190402.132306.2280596762532017665.davem@davemloft.net>
In-Reply-To: <1554128362-12274-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp>

From: Tetsuo Handa
Date: Mon, 1 Apr 2019 23:19:22 +0900

> syzbot is reporting uninitialized value at rds_connect [1] and
> rds_bind [2]. This is because syzbot is passing ulen == 0 whereas
> these functions expect that it is safe to access sockaddr->family field
> in order to determine minimal ulen size for validation. I noticed that
> the same problem also exists in tomoyo_check_inet_address() function.
>
> Although the right fix might be to scatter around
>
>     if (ulen < sizeof(__kernel_sa_family_t))
>         return 0;
>
> if the function wants to become no-op when the address is too short or
>
>     if (ulen < sizeof(__kernel_sa_family_t))
>         return -EINVAL;
>
> if the function wants to reject when the address is too short, we can
> avoid duplication (at e.g. LSM layer and protocol layer) if we make sure
> that sockaddr->family field is always accessible.
>
> [1] https://syzkaller.appspot.com/bug?id=f4e61c010416c1e6f0fa3ffe247561b60a50ad71
> [2] https://syzkaller.appspot.com/bug?id=a4bf9e41b7e055c3823fdcd83e8c58ca7270e38f
>
> Reported-by: syzbot
> Reported-by: syzbot
> Signed-off-by: Tetsuo Handa

I do not think at all that it is wise to be OK with the socket address
interpretation code ignoring the length.

Please fix RDS and other protocols to examine the length properly instead.

Thank you.
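The per-protocol check David Miller asks for, as an added userspace C illustration that is not part of this thread or of the kernel's RDS code: the caller-supplied length is validated before sa_family is read, and only then is the family-specific minimum applied. check_sockaddr_len and the demo_* helpers are names chosen here; the kernel's __kernel_sa_family_t is modelled with the userspace sa_family_t.

```c
#include <stddef.h>
#include <string.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Model of what a bind()/connect() handler must do before it trusts
 * uaddr->sa_family. Returns 0 if the address is usable, -EINVAL if it is
 * too short, -EAFNOSUPPORT for a family this handler does not serve. */
int check_sockaddr_len(const struct sockaddr *uaddr, size_t ulen)
{
    /* Step 1: the family field itself must lie inside the buffer.
     * This is what rejects ulen == 0 before any byte is read. */
    if (ulen < sizeof(sa_family_t))
        return -EINVAL;

    /* Step 2: only now is reading the family safe; use it to pick the
     * family-specific minimum length, as rds_bind/rds_connect intend. */
    switch (uaddr->sa_family) {
    case AF_INET:
        return ulen >= sizeof(struct sockaddr_in) ? 0 : -EINVAL;
    case AF_INET6:
        return ulen >= sizeof(struct sockaddr_in6) ? 0 : -EINVAL;
    default:
        return -EAFNOSUPPORT;
    }
}

/* Constructed inputs covering the cases discussed in the thread. */
static int run_case(sa_family_t family, size_t ulen)
{
    struct sockaddr_in6 buf;           /* large enough for either family */
    memset(&buf, 0, sizeof(buf));
    buf.sin6_family = family;          /* sa_family_t is the first member */
    return check_sockaddr_len((const struct sockaddr *)&buf, ulen);
}

int demo_zero_length(void)    { return run_case(AF_INET, 0); }
int demo_short_inet(void)     { return run_case(AF_INET, sizeof(sa_family_t)); }
int demo_full_inet(void)      { return run_case(AF_INET, sizeof(struct sockaddr_in)); }
int demo_inet6_as_inet(void)  { return run_case(AF_INET6, sizeof(struct sockaddr_in)); }
int demo_full_inet6(void)     { return run_case(AF_INET6, sizeof(struct sockaddr_in6)); }
int demo_unknown_family(void) { return run_case(AF_UNIX, sizeof(struct sockaddr_in6)); }
```

Note that demo_inet6_as_inet fails even though the buffer holds a valid family: the length check is per family, so an AF_INET6 address truncated to sockaddr_in size is rejected rather than read past its end.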