From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 34/43] tipc: check msg->req data len in tipc_nl_compat_bearer_disable
Date: Tue, 2 Jul 2019 10:02:14 +0200 [thread overview]
Message-ID: <20190702080125.678554102@linuxfoundation.org> (raw)
In-Reply-To: <20190702080123.904399496@linuxfoundation.org>
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 4f07b80c973348a99b5d2a32476a2e7877e94a05 ]
This patch is to fix an uninit-value issue, reported by syzbot:
BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x191/0x1f0 lib/dump_stack.c:113
kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
__msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
memchr+0xce/0x110 lib/string.c:981
string_is_valid net/tipc/netlink_compat.c:176 [inline]
tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
__tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
TLV_GET_DATA_LEN() may return a negtive int value, which will be
used as size_t (becoming a big unsigned long) passed into memchr,
cause this issue.
Similar to what it does in tipc_nl_compat_bearer_enable(), this
fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
tipc_nl_compat_bearer_disable(), as well as in
tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
v1->v2:
- add the missing Fixes tags per Eric's request.
Fixes: 0762216c0ad2 ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
Fixes: 8b66fee7f8ee ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/tipc/netlink_compat.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -436,7 +436,11 @@ static int tipc_nl_compat_bearer_disable
if (!bearer)
return -EMSGSIZE;
- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);
+ len = TLV_GET_DATA_LEN(msg->req);
+ if (len <= 0)
+ return -EINVAL;
+
+ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
if (!string_is_valid(name, len))
return -EINVAL;
@@ -528,7 +532,11 @@ static int tipc_nl_compat_link_stat_dump
name = (char *)TLV_DATA(msg->req);
- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+ len = TLV_GET_DATA_LEN(msg->req);
+ if (len <= 0)
+ return -EINVAL;
+
+ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
if (!string_is_valid(name, len))
return -EINVAL;
@@ -806,7 +814,11 @@ static int tipc_nl_compat_link_reset_sta
if (!link)
return -EMSGSIZE;
- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+ len = TLV_GET_DATA_LEN(msg->req);
+ if (len <= 0)
+ return -EINVAL;
+
+ len = min_t(int, len, TIPC_MAX_BEARER_NAME);
if (!string_is_valid(name, len))
return -EINVAL;
next prev parent reply other threads:[~2019-07-02 8:10 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-02 8:01 [PATCH 4.14 00/43] 4.14.132-stable review Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 01/43] perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 02/43] perf help: Remove needless use of strncpy() Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 03/43] perf header: Fix unchecked usage " Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 04/43] Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP" Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 05/43] IB/hfi1: Close PSM sdma_progress sleep window Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 06/43] block: add a lower-level bio_add_page interface Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 07/43] block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 08/43] 9p/xen: fix check for xenbus_read error in front_probe Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 09/43] 9p/rdma: do not disconnect on down_interruptible EAGAIN Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 10/43] 9p: acl: fix uninitialized iattr access Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 11/43] 9p/rdma: remove useless check in cm_event_handler Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 12/43] 9p: p9dirent_read: check network-provided name length Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 13/43] net/9p: include trans_common.h to fix missing prototype warning Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 14/43] qmi_wwan: Fix out-of-bounds read Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 15/43] Revert "compiler.h: update definition of unreachable()" Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 16/43] fs/proc/array.c: allow reporting eip/esp for all coredumping threads Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 17/43] mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 18/43] fs/binfmt_flat.c: make load_flat_shared_library() work Greg Kroah-Hartman
2019-07-02 8:01 ` [PATCH 4.14 19/43] mm/page_idle.c: fix oops because end_pfn is larger than max_pfn Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 20/43] dm log writes: make sure super sector log updates are written in order Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 21/43] scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 22/43] x86/speculation: Allow guests to use SSBD even if host does not Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 23/43] x86/microcode: Fix the microcode load on CPU hotplug for real Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 24/43] NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 25/43] cpu/speculation: Warn on unsupported mitigations= parameter Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 26/43] eeprom: at24: fix unexpected timeout under high load Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 27/43] af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 28/43] ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 29/43] net/packet: fix memory leak in packet_set_ring() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 30/43] net: remove duplicate fetch in sock_getsockopt Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 31/43] net: stmmac: fixed new system time seconds value calculation Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 32/43] sctp: change to hold sk after auth shkey is created successfully Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 33/43] tipc: change to use register_pernet_device Greg Kroah-Hartman
2019-07-02 8:02 ` Greg Kroah-Hartman [this message]
2019-07-02 8:02 ` [PATCH 4.14 35/43] tun: wake up waitqueues after IFF_UP is set Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 36/43] team: Always enable vlan tx offload Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 37/43] bonding: " Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 38/43] bpf: udp: Avoid calling reuseports bpf_prog from udp_gro Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 39/43] bpf: udp: ipv6: Avoid running reuseports bpf_prog from __udp6_lib_err Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 40/43] arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg() Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 41/43] bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 42/43] futex: Update comments and docs about return values of arch futex code Greg Kroah-Hartman
2019-07-02 8:02 ` [PATCH 4.14 43/43] tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb Greg Kroah-Hartman
2019-08-01 10:17 ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-08-02 7:28 ` gregkh
2019-08-02 11:03 ` Rantala, Tommi T. (Nokia - FI/Espoo)
2019-08-02 11:34 ` gregkh
2019-08-03 0:45 ` Xin Long
2019-08-03 7:11 ` gregkh
2019-07-02 12:12 ` [PATCH 4.14 00/43] 4.14.132-stable review kernelci.org bot
2019-07-02 15:43 ` Naresh Kamboju
2019-07-02 20:22 ` Guenter Roeck
2019-07-02 21:10 ` Kelsey Skunberg
2019-07-02 22:51 ` shuah
2019-07-03 10:20 ` Jon Hunter
2019-07-03 10:20 ` Jon Hunter
2019-07-04 5:26 ` Bharath Vedartham
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190702080125.678554102@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.