From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, William Zhao <wizhao@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.9 18/21] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
Date: Mon, 10 Jan 2022 08:23:05 +0100 [thread overview]
Message-ID: <20220110071813.420061235@linuxfoundation.org> (raw)
In-Reply-To: <20220110071812.806606886@linuxfoundation.org>
From: William Zhao <wizhao@redhat.com>
[ Upstream commit c1833c3964d5bd8c163bd4e01736a38bc473cb8a ]
The "__ip6_tnl_parm" struct was left uninitialized causing an invalid
load of random data when the "__ip6_tnl_parm" struct was used elsewhere.
As an example, in the function "ip6_tnl_xmit_ctl()", it tries to access
the "collect_md" member. With "__ip6_tnl_parm" being uninitialized and
containing random data, the UBSAN detected that "collect_md" held a
non-boolean value.
The UBSAN issue is as follows:
===============================================================
UBSAN: invalid-load in net/ipv6/ip6_tunnel.c:1025:14
load of value 30 is not a valid value for type '_Bool'
CPU: 1 PID: 228 Comm: kworker/1:3 Not tainted 5.16.0-rc4+ #8
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
<TASK>
dump_stack_lvl+0x44/0x57
ubsan_epilogue+0x5/0x40
__ubsan_handle_load_invalid_value+0x66/0x70
? __cpuhp_setup_state+0x1d3/0x210
ip6_tnl_xmit_ctl.cold.52+0x2c/0x6f [ip6_tunnel]
vti6_tnl_xmit+0x79c/0x1e96 [ip6_vti]
? lock_is_held_type+0xd9/0x130
? vti6_rcv+0x100/0x100 [ip6_vti]
? lock_is_held_type+0xd9/0x130
? rcu_read_lock_bh_held+0xc0/0xc0
? lock_acquired+0x262/0xb10
dev_hard_start_xmit+0x1e6/0x820
__dev_queue_xmit+0x2079/0x3340
? mark_lock.part.52+0xf7/0x1050
? netdev_core_pick_tx+0x290/0x290
? kvm_clock_read+0x14/0x30
? kvm_sched_clock_read+0x5/0x10
? sched_clock_cpu+0x15/0x200
? find_held_lock+0x3a/0x1c0
? lock_release+0x42f/0xc90
? lock_downgrade+0x6b0/0x6b0
? mark_held_locks+0xb7/0x120
? neigh_connected_output+0x31f/0x470
? lockdep_hardirqs_on+0x79/0x100
? neigh_connected_output+0x31f/0x470
? ip6_finish_output2+0x9b0/0x1d90
? rcu_read_lock_bh_held+0x62/0xc0
? ip6_finish_output2+0x9b0/0x1d90
ip6_finish_output2+0x9b0/0x1d90
? ip6_append_data+0x330/0x330
? ip6_mtu+0x166/0x370
? __ip6_finish_output+0x1ad/0xfb0
? nf_hook_slow+0xa6/0x170
ip6_output+0x1fb/0x710
? nf_hook.constprop.32+0x317/0x430
? ip6_finish_output+0x180/0x180
? __ip6_finish_output+0xfb0/0xfb0
? lock_is_held_type+0xd9/0x130
ndisc_send_skb+0xb33/0x1590
? __sk_mem_raise_allocated+0x11cf/0x1560
? dst_output+0x4a0/0x4a0
? ndisc_send_rs+0x432/0x610
addrconf_dad_completed+0x30c/0xbb0
? addrconf_rs_timer+0x650/0x650
? addrconf_dad_work+0x73c/0x10e0
addrconf_dad_work+0x73c/0x10e0
? addrconf_dad_completed+0xbb0/0xbb0
? rcu_read_lock_sched_held+0xaf/0xe0
? rcu_read_lock_bh_held+0xc0/0xc0
process_one_work+0x97b/0x1740
? pwq_dec_nr_in_flight+0x270/0x270
worker_thread+0x87/0xbf0
? process_one_work+0x1740/0x1740
kthread+0x3ac/0x490
? set_kthread_struct+0x100/0x100
ret_from_fork+0x22/0x30
</TASK>
===============================================================
The solution is to initialize "__ip6_tnl_parm" struct to zeros in the
"vti6_siocdevprivate()" function.
Signed-off-by: William Zhao <wizhao@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_vti.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index f58d69216b616..ce5b55491942d 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -773,6 +773,8 @@ vti6_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
struct net *net = dev_net(dev);
struct vti6_net *ip6n = net_generic(net, vti6_net_id);
+ memset(&p1, 0, sizeof(p1));
+
switch (cmd) {
case SIOCGETTUNNEL:
if (dev == ip6n->fb_tnl_dev) {
--
2.34.1
next prev parent reply other threads:[~2022-01-10 7:26 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 7:22 [PATCH 4.9 00/21] 4.9.297-rc1 review Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 01/21] Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 02/21] tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 03/21] tracing: Tag trace_percpu_buffer as a percpu pointer Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 04/21] virtio_pci: Support surprise removal of virtio pci device Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 05/21] ieee802154: atusb: fix uninit value in atusb_set_extended_addr Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 06/21] mac80211: initialize variable have_higher_than_11mbit Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 07/21] i40e: Fix incorrect netdevs real number of RX/TX queues Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 08/21] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 09/21] xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 10/21] rndis_host: support Hytera digital radios Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 11/21] bug: split BUILD_BUG stuff out into <linux/build_bug.h> Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 4.9 12/21] arm64: Remove a redundancy in sysreg.h Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 13/21] arm64: reduce el2_setup branching Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 14/21] arm64: move !VHE work to end of el2_setup Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 15/21] arm64: sysreg: Move to use definitions for all the SCTLR bits Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 16/21] phonet: refcount leak in pep_sock_accep Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 17/21] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Greg Kroah-Hartman
2022-01-10 7:23 ` Greg Kroah-Hartman [this message]
2022-01-10 7:23 ` [PATCH 4.9 19/21] net: udp: fix alignment problem in udp4_seq_show() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 20/21] mISDN: change function names to avoid conflicts Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 4.9 21/21] power: reset: ltc2952: Fix use of floating point literals Greg Kroah-Hartman
2022-01-10 11:49 ` [PATCH 4.9 00/21] 4.9.297-rc1 review Jon Hunter
2022-01-10 18:58 ` Florian Fainelli
2022-01-10 23:01 ` Shuah Khan
2022-01-10 23:48 ` Guenter Roeck
2022-01-11 8:39 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110071813.420061235@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=wizhao@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).