stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com,
	David Ahern <dsahern@kernel.org>, Thomas Graf <tgraf@suug.ch>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.15 20/72] ipv4: Check attribute length for RTA_GATEWAY in multipath route
Date: Mon, 10 Jan 2022 08:22:57 +0100	[thread overview]
Message-ID: <20220110071822.260222128@linuxfoundation.org> (raw)
In-Reply-To: <20220110071821.500480371@linuxfoundation.org>

From: David Ahern <dsahern@kernel.org>

commit 7a3429bace0e08d94c39245631ea6bc109dafa49 upstream.

syzbot reported uninit-value:
============================================================
  BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
  net/ipv4/fib_semantics.c:708
   fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
   fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
   fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
   inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886

Add helper to validate RTA_GATEWAY length before using the attribute.

Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com
Signed-off-by: David Ahern <dsahern@kernel.org>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/fib_semantics.c |   29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -662,6 +662,19 @@ static int fib_count_nexthops(struct rtn
 	return nhs;
 }
 
+static int fib_gw_from_attr(__be32 *gw, struct nlattr *nla,
+			    struct netlink_ext_ack *extack)
+{
+	if (nla_len(nla) < sizeof(*gw)) {
+		NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
+		return -EINVAL;
+	}
+
+	*gw = nla_get_in_addr(nla);
+
+	return 0;
+}
+
 /* only called when fib_nh is integrated into fib_info */
 static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
 		       int remaining, struct fib_config *cfg,
@@ -704,7 +717,11 @@ static int fib_get_nhs(struct fib_info *
 				return -EINVAL;
 			}
 			if (nla) {
-				fib_cfg.fc_gw4 = nla_get_in_addr(nla);
+				ret = fib_gw_from_attr(&fib_cfg.fc_gw4, nla,
+						       extack);
+				if (ret)
+					goto errout;
+
 				if (fib_cfg.fc_gw4)
 					fib_cfg.fc_gw_family = AF_INET;
 			} else if (nlav) {
@@ -902,6 +919,7 @@ int fib_nh_match(struct net *net, struct
 		attrlen = rtnh_attrlen(rtnh);
 		if (attrlen > 0) {
 			struct nlattr *nla, *nlav, *attrs = rtnh_attrs(rtnh);
+			int err;
 
 			nla = nla_find(attrs, attrlen, RTA_GATEWAY);
 			nlav = nla_find(attrs, attrlen, RTA_VIA);
@@ -912,12 +930,17 @@ int fib_nh_match(struct net *net, struct
 			}
 
 			if (nla) {
+				__be32 gw;
+
+				err = fib_gw_from_attr(&gw, nla, extack);
+				if (err)
+					return err;
+
 				if (nh->fib_nh_gw_family != AF_INET ||
-				    nla_get_in_addr(nla) != nh->fib_nh_gw4)
+				    gw != nh->fib_nh_gw4)
 					return 1;
 			} else if (nlav) {
 				struct fib_config cfg2;
-				int err;
 
 				err = fib_gw_from_via(&cfg2, nlav, extack);
 				if (err)



  parent reply	other threads:[~2022-01-10  7:34 UTC|newest]

Thread overview: 83+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-10  7:22 [PATCH 5.15 00/72] 5.15.14-rc1 review Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 01/72] fscache_cookie_enabled: check cookie is valid before accessing it Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 02/72] selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 03/72] tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 04/72] tracing: Tag trace_percpu_buffer as a percpu pointer Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 05/72] Revert "RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow" Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 06/72] ieee802154: atusb: fix uninit value in atusb_set_extended_addr Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 07/72] i40e: Fix to not show opcode msg on unsuccessful VF MAC change Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 08/72] iavf: Fix limit of total number of queues to active queues of VF Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 09/72] RDMA/core: Dont infoleak GRH fields Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 10/72] Revert "net: usb: r8152: Add MAC passthrough support for more Lenovo Docks" Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 11/72] netrom: fix copying in user data in nr_setsockopt Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 12/72] RDMA/uverbs: Check for null return of kmalloc_array Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 13/72] mac80211: initialize variable have_higher_than_11mbit Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 14/72] mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 15/72] sfc: The RX page_ring is optional Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 16/72] i40e: fix use-after-free in i40e_sync_filters_subtask() Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 17/72] i40e: Fix for displaying message regarding NVM version Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 18/72] i40e: Fix incorrect netdevs real number of RX/TX queues Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 19/72] ftrace/samples: Add missing prototypes direct functions Greg Kroah-Hartman
2022-01-10  7:22 ` Greg Kroah-Hartman [this message]
2022-01-10  7:22 ` [PATCH 5.15 21/72] ipv4: Check attribute length for RTA_FLOW in multipath route Greg Kroah-Hartman
2022-01-10  7:22 ` [PATCH 5.15 22/72] ipv6: Check attribute length for RTA_GATEWAY " Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 23/72] ipv6: Check attribute length for RTA_GATEWAY when deleting " Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 24/72] lwtunnel: Validate RTA_ENCAP_TYPE attribute length Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 25/72] selftests: net: udpgro_fwd.sh: explicitly checking the available ping feature Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 26/72] sctp: hold endpoint before calling cb in sctp_transport_lookup_process Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 27/72] batman-adv: mcast: dont send link-local multicast to mcast routers Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 28/72] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 29/72] net: ena: Fix undefined state when tx request id is out of bounds Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 30/72] net: ena: Fix wrong rx request id by resetting device Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 31/72] net: ena: Fix error handling when calculating max IO queues number Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 32/72] md/raid1: fix missing bitmap update w/o WriteMostly devices Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 33/72] EDAC/i10nm: Release mdev/mbase when failing to detect HBM Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 34/72] KVM: x86: Check for rmaps allocation Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 35/72] cgroup: Use open-time credentials for process migraton perm checks Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 36/72] cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 37/72] cgroup: Use open-time cgroup namespace for process migration perm checks Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 38/72] Revert "i2c: core: support bus regulator controlling in adapter" Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 39/72] i2c: mpc: Avoid out of bounds memory access Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 40/72] xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 41/72] power: supply: core: Break capacity loop Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 42/72] power: reset: ltc2952: Fix use of floating point literals Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 43/72] reset: renesas: Fix Runtime PM usage Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 44/72] rndis_host: support Hytera digital radios Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 45/72] gpio: gpio-aspeed-sgpio: Fix wrong hwirq base in irq handler Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 46/72] net ticp:fix a kernel-infoleak in __tipc_sendmsg() Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 47/72] phonet: refcount leak in pep_sock_accep Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 48/72] fbdev: fbmem: add a helper to determine if an aperture is used by a fw fb Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 49/72] drm/amdgpu: disable runpm if we are the primary adapter Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 50/72] power: bq25890: Enable continuous conversion for ADC at charging Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 51/72] ipv6: Continue processing multipath route even if gateway attribute is invalid Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 52/72] ipv6: Do cleanup if attribute validation fails in multipath route Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 53/72] auxdisplay: charlcd: checking for pointer reference before dereferencing Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 54/72] drm/amdgpu: fix dropped backing store handling in amdgpu_dma_buf_move_notify Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 55/72] drm/amd/pm: Fix xgmi link control on aldebaran Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 56/72] usb: mtu3: fix interval value for intr and isoc Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 57/72] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 58/72] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 59/72] net: udp: fix alignment problem in udp4_seq_show() Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 60/72] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 61/72] drm/amd/pm: skip setting gfx cgpg in the s0ix suspend-resume Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 62/72] drm/amdgpu: always reset the asic in suspend (v2) Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 63/72] drm/amdgpu: put SMU into proper state on runpm suspending for BOCO capable platform Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 64/72] mISDN: change function names to avoid conflicts Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 65/72] drm/amd/display: fix B0 TMDS deepcolor no dislay issue Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 66/72] drm/amd/display: Added power down for DCN10 Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 67/72] ipv6: raw: check passed optlen before reading Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 68/72] userfaultfd/selftests: fix hugetlb area allocations Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 69/72] ARM: dts: gpio-ranges property is now required Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 70/72] Input: zinitix - make sure the IRQ is allocated before it gets enabled Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 71/72] Revert "drm/amdgpu: stop scheduler when calling hw_fini (v2)" Greg Kroah-Hartman
2022-01-10  7:23 ` [PATCH 5.15 72/72] drm/amd/pm: keep the BACO feature enabled for suspend Greg Kroah-Hartman
2022-01-10 11:49 ` [PATCH 5.15 00/72] 5.15.14-rc1 review Jon Hunter
2022-01-10 14:30 ` Jeffrin Jose T
2022-01-10 20:16 ` Florian Fainelli
2022-01-10 21:17 ` Fox Chen
2022-01-10 22:55 ` Shuah Khan
2022-01-10 23:50 ` Guenter Roeck
2022-01-11  3:48 ` Zan Aziz
2022-01-11  5:14 ` Naresh Kamboju
2022-01-11  7:35 ` Rudi Heitbaum
2022-01-11 12:41 ` Sudip Mukherjee

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220110071822.260222128@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=dsahern@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com \
    --cc=tgraf@suug.ch \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).