From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Eric Biggers <ebiggers@google.com>,
	"David S. Miller" <davem@davemloft.net>,
	syzbot+0849c524d9c634f5ae66@syzkaller.appspotmail.com
Subject: [PATCH 4.14 04/45] isdn/capi: check message length in capi_write()
Date: Wed, 18 Sep 2019 08:18:42 +0200
Message-ID: <20190918061223.381113191@linuxfoundation.org>
In-Reply-To: <20190918061222.854132812@linuxfoundation.org>

From: Eric Biggers <ebiggers@google.com>

[ Upstream commit fe163e534e5eecdfd7b5920b0dfd24c458ee85d6 ]

syzbot reported:

    BUG: KMSAN: uninit-value in capi_write+0x791/0xa90 drivers/isdn/capi/capi.c:700
    CPU: 0 PID: 10025 Comm: syz-executor379 Not tainted 4.20.0-rc7+ #2
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0x173/0x1d0 lib/dump_stack.c:113
      kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
      __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
      capi_write+0x791/0xa90 drivers/isdn/capi/capi.c:700
      do_loop_readv_writev fs/read_write.c:703 [inline]
      do_iter_write+0x83e/0xd80 fs/read_write.c:961
      vfs_writev fs/read_write.c:1004 [inline]
      do_writev+0x397/0x840 fs/read_write.c:1039
      __do_sys_writev fs/read_write.c:1112 [inline]
      __se_sys_writev+0x9b/0xb0 fs/read_write.c:1109
      __x64_sys_writev+0x4a/0x70 fs/read_write.c:1109
      do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
      entry_SYSCALL_64_after_hwframe+0x63/0xe7
    [...]

The problem is that capi_write() is reading past the end of the message.
Fix it by checking the message's length in the needed places.

Reported-and-tested-by: syzbot+0849c524d9c634f5ae66@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/isdn/capi/capi.c          |   10 +++++++++-
 include/uapi/linux/isdn/capicmd.h |    1 +
 2 files changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/isdn/capi/capi.c
+++ b/drivers/isdn/capi/capi.c
@@ -687,6 +687,9 @@ capi_write(struct file *file, const char
 	if (!cdev->ap.applid)
 		return -ENODEV;
 
+	if (count < CAPIMSG_BASELEN)
+		return -EINVAL;
+
 	skb = alloc_skb(count, GFP_USER);
 	if (!skb)
 		return -ENOMEM;
@@ -697,7 +700,8 @@ capi_write(struct file *file, const char
 	}
 	mlen = CAPIMSG_LEN(skb->data);
 	if (CAPIMSG_CMD(skb->data) == CAPI_DATA_B3_REQ) {
-		if ((size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) {
+		if (count < CAPI_DATA_B3_REQ_LEN ||
+		    (size_t)(mlen + CAPIMSG_DATALEN(skb->data)) != count) {
 			kfree_skb(skb);
 			return -EINVAL;
 		}
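Review bot: the operand order in the new `||` is load-bearing: `count < CAPI_DATA_B3_REQ_LEN` must be evaluated first so that `CAPIMSG_DATALEN(skb->data)` is never read from a buffer shorter than the 22 bytes (CAPI_MSG_BASELEN+4+4+2+2+2) that constant covers. That holds as written; a short comment stating that the count test guards the DATALEN read would keep a later cleanup from reordering the two conditions. The non-DATA_B3_REQ branch falls outside this hunk, so it should be confirmed that `mlen`, which comes from the message itself, is still compared against `count` there as well.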
@@ -710,6 +714,10 @@ capi_write(struct file *file, const char
 	CAPIMSG_SETAPPID(skb->data, cdev->ap.applid);
 
 	if (CAPIMSG_CMD(skb->data) == CAPI_DISCONNECT_B3_RESP) {
+		if (count < CAPI_DISCONNECT_B3_RESP_LEN) {
+			kfree_skb(skb);
+			return -EINVAL;
+		}
 		mutex_lock(&cdev->lock);
 		capincci_free(cdev, CAPIMSG_NCCI(skb->data));
 		mutex_unlock(&cdev->lock);
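Review bot: this check is needed even though the length was already validated above, because the earlier checks only establish that the 8-byte header (and, for DATA_B3_REQ, the first 22 bytes) is present, whereas `CAPIMSG_NCCI(skb->data)` reads the 4-byte NCCI that follows the header, which is exactly what CAPI_DISCONNECT_B3_RESP_LEN (CAPI_MSG_BASELEN+4) covers. Style: the `kfree_skb(skb); return -EINVAL;` pair now appears in more than one place in this function (twice in these hunks alone); a single error label, e.g. `err_free: kfree_skb(skb); return -EINVAL;`, would make it harder to forget the free when the next check is added. The check also lands after `CAPIMSG_SETAPPID()` has written into the buffer; that is harmless since the skb is freed, but grouping all length checks before any mutation would read more clearly.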
--- a/include/uapi/linux/isdn/capicmd.h
+++ b/include/uapi/linux/isdn/capicmd.h
@@ -16,6 +16,7 @@
 #define CAPI_MSG_BASELEN		8
 #define CAPI_DATA_B3_REQ_LEN		(CAPI_MSG_BASELEN+4+4+2+2+2)
 #define CAPI_DATA_B3_RESP_LEN		(CAPI_MSG_BASELEN+4+2)
+#define CAPI_DISCONNECT_B3_RESP_LEN	(CAPI_MSG_BASELEN+4)
 
 /*----- CAPI commands -----*/
 #define CAPI_ALERT		    0x01
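Review bot: the new constant follows its neighbours' pattern and its value, CAPI_MSG_BASELEN+4, matches the one field (the 4-byte NCCI) that the capi.c hunk reads from a DISCONNECT_B3_RESP. Two points worth recording: this header lives under include/uapi, so the define becomes part of the exported userspace ABI, which is fine for a length constant but deserves a sentence in the commit message; and since the capi.c header check uses CAPIMSG_BASELEN rather than CAPI_MSG_BASELEN, the patch now relies on two differently named constants for the fixed header length, so a comment at one of them cross-referencing the other would help.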