[Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
@ 2020-07-12 21:03 ` Peilin Ye
  0 siblings, 0 replies; 6+ messages in thread
From: Peilin Ye @ 2020-07-12 21:03 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski
  Cc: Peilin Ye, Navid Emamdoost, Christophe JAILLET,
	Greg Kroah-Hartman, netdev, syzkaller-bugs, linux-kernel-mentees,
	linux-kernel

qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
equals to zero. Fix it by rejecting zero-length kzalloc() requests.

This patch fixes the following syzbot bug:

    https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a

Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
 net/qrtr/tun.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
index 15ce9b642b25..5465e94ba8e5 100644
--- a/net/qrtr/tun.c
+++ b/net/qrtr/tun.c
@@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	ssize_t ret;
 	void *kbuf;
 
+	if (!len)
+		return -EINVAL;
+
 	kbuf = kzalloc(len, GFP_KERNEL);
 	if (!kbuf)
 		return -ENOMEM;
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 6+ messages in thread

* [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
@ 2020-07-12 21:03 ` Peilin Ye
  0 siblings, 0 replies; 6+ messages in thread
From: Peilin Ye @ 2020-07-12 21:03 UTC (permalink / raw)
  To: David S . Miller, Jakub Kicinski
  Cc: syzkaller-bugs, linux-kernel, Christophe JAILLET, netdev,
	linux-kernel-mentees, Peilin Ye, Navid Emamdoost

qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
equals to zero. Fix it by rejecting zero-length kzalloc() requests.

This patch fixes the following syzbot bug:

    https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a

Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
 net/qrtr/tun.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
index 15ce9b642b25..5465e94ba8e5 100644
--- a/net/qrtr/tun.c
+++ b/net/qrtr/tun.c
@@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
 	ssize_t ret;
 	void *kbuf;
 
+	if (!len)
+		return -EINVAL;
+
 	kbuf = kzalloc(len, GFP_KERNEL);
 	if (!kbuf)
 		return -ENOMEM;
-- 
2.25.1

_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply related	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
  2020-07-12 21:03 ` Peilin Ye
@ 2020-07-12 21:36   ` Eric Biggers
  -1 siblings, 0 replies; 6+ messages in thread
From: Eric Biggers @ 2020-07-12 21:36 UTC (permalink / raw)
  To: Peilin Ye
  Cc: David S . Miller, Jakub Kicinski, Navid Emamdoost,
	Christophe JAILLET, Greg Kroah-Hartman, Dan Carpenter, netdev,
	syzkaller-bugs, linux-kernel-mentees, linux-kernel

On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote:
> qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
> equals to zero. Fix it by rejecting zero-length kzalloc() requests.
> 
> This patch fixes the following syzbot bug:
> 
>     https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a
> 
> Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
> Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> ---
>  net/qrtr/tun.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
> index 15ce9b642b25..5465e94ba8e5 100644
> --- a/net/qrtr/tun.c
> +++ b/net/qrtr/tun.c
> @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
>  	ssize_t ret;
>  	void *kbuf;
>  
> +	if (!len)
> +		return -EINVAL;
> +
>  	kbuf = kzalloc(len, GFP_KERNEL);
>  	if (!kbuf)
>  		return -ENOMEM;

Wasn't this already fixed by:

    commit 8ff41cc21714704ef0158a546c3c4d07fae2c952
    Author: Dan Carpenter <dan.carpenter@oracle.com>
    Date:   Tue Jun 30 14:46:15 2020 +0300

        net: qrtr: Fix an out of bounds read qrtr_endpoint_post()

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
@ 2020-07-12 21:36   ` Eric Biggers
  0 siblings, 0 replies; 6+ messages in thread
From: Eric Biggers @ 2020-07-12 21:36 UTC (permalink / raw)
  To: Peilin Ye
  Cc: syzkaller-bugs, linux-kernel, Christophe JAILLET, netdev,
	Jakub Kicinski, linux-kernel-mentees, David S . Miller,
	Dan Carpenter, Navid Emamdoost

On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote:
> qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
> equals to zero. Fix it by rejecting zero-length kzalloc() requests.
> 
> This patch fixes the following syzbot bug:
> 
>     https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a
> 
> Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
> Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> ---
>  net/qrtr/tun.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
> index 15ce9b642b25..5465e94ba8e5 100644
> --- a/net/qrtr/tun.c
> +++ b/net/qrtr/tun.c
> @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
>  	ssize_t ret;
>  	void *kbuf;
>  
> +	if (!len)
> +		return -EINVAL;
> +
>  	kbuf = kzalloc(len, GFP_KERNEL);
>  	if (!kbuf)
>  		return -ENOMEM;

Wasn't this already fixed by:

    commit 8ff41cc21714704ef0158a546c3c4d07fae2c952
    Author: Dan Carpenter <dan.carpenter@oracle.com>
    Date:   Tue Jun 30 14:46:15 2020 +0300

        net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
  2020-07-12 21:36   ` Eric Biggers
@ 2020-07-13  9:13     ` Dan Carpenter
  -1 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2020-07-13  9:13 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Peilin Ye, David S . Miller, Jakub Kicinski, Navid Emamdoost,
	Christophe JAILLET, Greg Kroah-Hartman, netdev, syzkaller-bugs,
	linux-kernel-mentees, linux-kernel

On Sun, Jul 12, 2020 at 02:36:31PM -0700, Eric Biggers wrote:
> On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote:
> > qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
> > equals to zero. Fix it by rejecting zero-length kzalloc() requests.
> > 
> > This patch fixes the following syzbot bug:
> > 
> >     https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a
> > 
> > Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> > ---
> >  net/qrtr/tun.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
> > index 15ce9b642b25..5465e94ba8e5 100644
> > --- a/net/qrtr/tun.c
> > +++ b/net/qrtr/tun.c
> > @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
> >  	ssize_t ret;
> >  	void *kbuf;
> >  
> > +	if (!len)
> > +		return -EINVAL;
> > +
> >  	kbuf = kzalloc(len, GFP_KERNEL);
> >  	if (!kbuf)
> >  		return -ENOMEM;
> 
> Wasn't this already fixed by:
> 
>     commit 8ff41cc21714704ef0158a546c3c4d07fae2c952
>     Author: Dan Carpenter <dan.carpenter@oracle.com>
>     Date:   Tue Jun 30 14:46:15 2020 +0300
> 
>         net: qrtr: Fix an out of bounds read qrtr_endpoint_post()


Yep.  If you're using kmalloc() you can allocate a zero byte buffer but
you just can't access the array.  for (i = 0; i < 0; i++) works.

It's interesting because at the time, I wrote the patch I thought "len"
probably couldn't be zero but I just checked it for completeness and
readability.

regards,
dan carpenter

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()
@ 2020-07-13  9:13     ` Dan Carpenter
  0 siblings, 0 replies; 6+ messages in thread
From: Dan Carpenter @ 2020-07-13  9:13 UTC (permalink / raw)
  To: Eric Biggers
  Cc: syzkaller-bugs, linux-kernel, David S . Miller,
	Christophe JAILLET, netdev, Jakub Kicinski, linux-kernel-mentees,
	Peilin Ye, Navid Emamdoost

On Sun, Jul 12, 2020 at 02:36:31PM -0700, Eric Biggers wrote:
> On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote:
> > qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
> > equals to zero. Fix it by rejecting zero-length kzalloc() requests.
> > 
> > This patch fixes the following syzbot bug:
> > 
> >     https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a
> > 
> > Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
> > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
> > ---
> >  net/qrtr/tun.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c
> > index 15ce9b642b25..5465e94ba8e5 100644
> > --- a/net/qrtr/tun.c
> > +++ b/net/qrtr/tun.c
> > @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from)
> >  	ssize_t ret;
> >  	void *kbuf;
> >  
> > +	if (!len)
> > +		return -EINVAL;
> > +
> >  	kbuf = kzalloc(len, GFP_KERNEL);
> >  	if (!kbuf)
> >  		return -ENOMEM;
> 
> Wasn't this already fixed by:
> 
>     commit 8ff41cc21714704ef0158a546c3c4d07fae2c952
>     Author: Dan Carpenter <dan.carpenter@oracle.com>
>     Date:   Tue Jun 30 14:46:15 2020 +0300
> 
>         net: qrtr: Fix an out of bounds read qrtr_endpoint_post()


Yep.  If you're using kmalloc() you can allocate a zero byte buffer but
you just can't access the array.  for (i = 0; i < 0; i++) works.

It's interesting because at the time, I wrote the patch I thought "len"
probably couldn't be zero but I just checked it for completeness and
readability.

regards,
dan carpenter
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2020-07-13  9:13 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-12 21:03 [Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter() Peilin Ye
2020-07-12 21:03 ` Peilin Ye
2020-07-12 21:36 ` Eric Biggers
2020-07-12 21:36   ` Eric Biggers
2020-07-13  9:13   ` Dan Carpenter
2020-07-13  9:13     ` Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.