From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com,
David Ahern <dsahern@kernel.org>, Thomas Graf <tgraf@suug.ch>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.10 17/43] ipv4: Check attribute length for RTA_GATEWAY in multipath route
Date: Mon, 10 Jan 2022 08:23:14 +0100 [thread overview]
Message-ID: <20220110071817.931116602@linuxfoundation.org> (raw)
In-Reply-To: <20220110071817.337619922@linuxfoundation.org>
From: David Ahern <dsahern@kernel.org>
commit 7a3429bace0e08d94c39245631ea6bc109dafa49 upstream.
syzbot reported uninit-value:
============================================================
BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
net/ipv4/fib_semantics.c:708
fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
Add helper to validate RTA_GATEWAY length before using the attribute.
Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com
Signed-off-by: David Ahern <dsahern@kernel.org>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/fib_semantics.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -663,6 +663,19 @@ static int fib_count_nexthops(struct rtn
return nhs;
}
+static int fib_gw_from_attr(__be32 *gw, struct nlattr *nla,
+ struct netlink_ext_ack *extack)
+{
+ if (nla_len(nla) < sizeof(*gw)) {
+ NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
+ return -EINVAL;
+ }
+
+ *gw = nla_get_in_addr(nla);
+
+ return 0;
+}
+
/* only called when fib_nh is integrated into fib_info */
static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
int remaining, struct fib_config *cfg,
@@ -705,7 +718,11 @@ static int fib_get_nhs(struct fib_info *
return -EINVAL;
}
if (nla) {
- fib_cfg.fc_gw4 = nla_get_in_addr(nla);
+ ret = fib_gw_from_attr(&fib_cfg.fc_gw4, nla,
+ extack);
+ if (ret)
+ goto errout;
+
if (fib_cfg.fc_gw4)
fib_cfg.fc_gw_family = AF_INET;
} else if (nlav) {
@@ -903,6 +920,7 @@ int fib_nh_match(struct net *net, struct
attrlen = rtnh_attrlen(rtnh);
if (attrlen > 0) {
struct nlattr *nla, *nlav, *attrs = rtnh_attrs(rtnh);
+ int err;
nla = nla_find(attrs, attrlen, RTA_GATEWAY);
nlav = nla_find(attrs, attrlen, RTA_VIA);
@@ -913,12 +931,17 @@ int fib_nh_match(struct net *net, struct
}
if (nla) {
+ __be32 gw;
+
+ err = fib_gw_from_attr(&gw, nla, extack);
+ if (err)
+ return err;
+
if (nh->fib_nh_gw_family != AF_INET ||
- nla_get_in_addr(nla) != nh->fib_nh_gw4)
+ gw != nh->fib_nh_gw4)
return 1;
} else if (nlav) {
struct fib_config cfg2;
- int err;
err = fib_gw_from_via(&cfg2, nlav, extack);
if (err)
next prev parent reply other threads:[~2022-01-10 7:41 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 7:22 [PATCH 5.10 00/43] 5.10.91-rc1 review Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.10 01/43] f2fs: quota: fix potential deadlock Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.10 02/43] selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 03/43] tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 04/43] tracing: Tag trace_percpu_buffer as a percpu pointer Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 05/43] ieee802154: atusb: fix uninit value in atusb_set_extended_addr Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 06/43] i40e: Fix to not show opcode msg on unsuccessful VF MAC change Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 07/43] iavf: Fix limit of total number of queues to active queues of VF Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 08/43] RDMA/core: Dont infoleak GRH fields Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 09/43] netrom: fix copying in user data in nr_setsockopt Greg Kroah-Hartman
2022-01-10 10:07 ` Pavel Machek
2022-01-10 10:14 ` Dan Carpenter
2022-01-10 7:23 ` [PATCH 5.10 10/43] RDMA/uverbs: Check for null return of kmalloc_array Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 11/43] mac80211: initialize variable have_higher_than_11mbit Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 12/43] sfc: The RX page_ring is optional Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 13/43] i40e: fix use-after-free in i40e_sync_filters_subtask() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 14/43] i40e: Fix for displaying message regarding NVM version Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 15/43] i40e: Fix incorrect netdevs real number of RX/TX queues Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 16/43] ftrace/samples: Add missing prototypes direct functions Greg Kroah-Hartman
2022-01-10 7:23 ` Greg Kroah-Hartman [this message]
2022-01-10 7:23 ` [PATCH 5.10 18/43] ipv4: Check attribute length for RTA_FLOW in multipath route Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 19/43] ipv6: Check attribute length for RTA_GATEWAY " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 20/43] ipv6: Check attribute length for RTA_GATEWAY when deleting " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 21/43] lwtunnel: Validate RTA_ENCAP_TYPE attribute length Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 22/43] batman-adv: mcast: dont send link-local multicast to mcast routers Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 23/43] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 24/43] net: ena: Fix undefined state when tx request id is out of bounds Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 25/43] net: ena: Fix error handling when calculating max IO queues number Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 26/43] xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 27/43] power: supply: core: Break capacity loop Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 28/43] power: reset: ltc2952: Fix use of floating point literals Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 29/43] rndis_host: support Hytera digital radios Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 30/43] phonet: refcount leak in pep_sock_accep Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 31/43] power: bq25890: Enable continuous conversion for ADC at charging Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 32/43] ipv6: Continue processing multipath route even if gateway attribute is invalid Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 33/43] ipv6: Do cleanup if attribute validation fails in multipath route Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 34/43] usb: mtu3: fix interval value for intr and isoc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 35/43] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 36/43] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 37/43] net: udp: fix alignment problem in udp4_seq_show() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 38/43] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 39/43] mISDN: change function names to avoid conflicts Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 40/43] drm/amd/display: Added power down for DCN10 Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 41/43] ipv6: raw: check passed optlen before reading Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 42/43] ARM: dts: gpio-ranges property is now required Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.10 43/43] Input: zinitix - make sure the IRQ is allocated before it gets enabled Greg Kroah-Hartman
2022-01-10 11:49 ` [PATCH 5.10 00/43] 5.10.91-rc1 review Jon Hunter
2022-01-10 19:10 ` Fox Chen
2022-01-10 19:50 ` Florian Fainelli
2022-01-10 22:56 ` Shuah Khan
2022-01-10 23:50 ` Guenter Roeck
2022-01-11 3:34 ` Samuel Zou
2022-01-11 5:26 ` Naresh Kamboju
2022-01-11 12:37 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110071817.931116602@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com \
--cc=tgraf@suug.ch \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.