Patch "netlink: do not hard code device address lenth in fdb dumps" has been added to the 4.14-stable tree

This is a note to let you know that I've just added the patch titled

    netlink: do not hard code device address lenth in fdb dumps

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netlink-do-not-hard-code-device-address-lenth-in-fdb.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feel it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4e37680d72b802a57dff693bf164769f21f205e0
Author: Eric Dumazet <edumazet@xxxxxxxxxx>
Date:   Wed Jun 21 17:47:20 2023 +0000

    netlink: do not hard code device address lenth in fdb dumps
    
    [ Upstream commit aa5406950726e336c5c9585b09799a734b6e77bf ]
    
    syzbot reports that some netdev devices do not have a six-byte
    address [1].
    
    Replace ETH_ALEN by dev->addr_len.
    
    [1] (Case of a device where dev->addr_len = 4)
    
    BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
    instrument_copy_to_user include/linux/instrumented.h:114 [inline]
    copyout+0xb8/0x100 lib/iov_iter.c:169
    _copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
    copy_to_iter include/linux/uio.h:206 [inline]
    simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
    __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
    skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
    skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
    netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
    sock_recvmsg_nosec net/socket.c:1019 [inline]
    sock_recvmsg net/socket.c:1040 [inline]
    ____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
    ___sys_recvmsg+0x223/0x840 net/socket.c:2764
    do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
    __sys_recvmmsg net/socket.c:2937 [inline]
    __do_sys_recvmmsg net/socket.c:2960 [inline]
    __se_sys_recvmmsg net/socket.c:2953 [inline]
    __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Uninit was stored to memory at:
    __nla_put lib/nlattr.c:1009 [inline]
    nla_put+0x1c6/0x230 lib/nlattr.c:1067
    nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
    nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
    ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
    rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
    netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
    netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
    sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
    ____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
    ___sys_recvmsg+0x223/0x840 net/socket.c:2764
    do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
    __sys_recvmmsg net/socket.c:2937 [inline]
    __do_sys_recvmmsg net/socket.c:2960 [inline]
    __se_sys_recvmmsg net/socket.c:2953 [inline]
    __x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Uninit was created at:
    slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
    slab_alloc_node mm/slub.c:3451 [inline]
    __kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
    kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
    kmalloc include/linux/slab.h:559 [inline]
    __hw_addr_create net/core/dev_addr_lists.c:60 [inline]
    __hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
    __dev_mc_add net/core/dev_addr_lists.c:867 [inline]
    dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
    igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
    ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
    ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
    addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
    addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
    notifier_call_chain kernel/notifier.c:93 [inline]
    raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
    call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
    call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
    call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
    bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
    do_set_master net/core/rtnetlink.c:2626 [inline]
    rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
    __rtnl_newlink net/core/rtnetlink.c:3660 [inline]
    rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
    rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
    netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
    rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
    netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
    netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
    netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
    sock_sendmsg_nosec net/socket.c:724 [inline]
    sock_sendmsg net/socket.c:747 [inline]
    ____sys_sendmsg+0x999/0xd50 net/socket.c:2503
    ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
    __sys_sendmsg net/socket.c:2586 [inline]
    __do_sys_sendmsg net/socket.c:2595 [inline]
    __se_sys_sendmsg net/socket.c:2593 [inline]
    __x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
    do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
    entry_SYSCALL_64_after_hwframe+0x63/0xcd
    
    Bytes 2856-2857 of 3500 are uninitialized
    Memory access of size 3500 starts at ffff888018d99104
    Data copied to user address 0000000020000480
    
    Fixes: d83b06036048 ("net: add fdb generic dump routine")
    Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx>
    Signed-off-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20230621174720.1845040-1-edumazet@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

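What the KMSAN report above is describing, as an added userspace model that is not kernel code and not part of this patch: a fixed-size hardware-address entry of which only addr_len bytes are ever written, serialised once with the hard-coded ETH_ALEN and once with dev->addr_len. The struct and function names mirror the kernel's but are simplified stand-ins (assumptions), the sample address is constructed, and 0xAA plays the role of never-written slab bytes so the leak can be counted the way KMSAN would.

```c
/* Added example (not kernel code, not part of this patch): a userspace
 * model of the NDA_LLADDR over-read. Struct and function names mirror the
 * kernel's but are simplified stand-ins; sample data is constructed. */
#include <stdio.h>
#include <string.h>

#define ETH_ALEN     6
#define MAX_ADDR_LEN 32
#define POISON       0xAA  /* stands in for never-written kmalloc() bytes */

/* Stand-in for struct netdev_hw_addr: fixed-size buffer of which only the
 * first dev->addr_len bytes are written when the entry is created. */
struct hw_addr { unsigned char addr[MAX_ADDR_LEN]; };
struct net_device { unsigned char addr_len; };

/* Models __hw_addr_create(): the slab object is not zeroed, so bytes past
 * addr_len keep whatever the allocator left there (poison here). */
static void hw_addr_create(struct hw_addr *ha, const unsigned char *src,
                           unsigned char addr_len) {
    memset(ha, POISON, sizeof(*ha));
    memcpy(ha->addr, src, addr_len);
}

/* Minimal length-prefixed attribute writer standing in for nla_put().
 * Returns bytes written, or 0 when it does not fit (the -EMSGSIZE case). */
static size_t nla_put(unsigned char *out, size_t cap, size_t len,
                      const void *data) {
    if (len + 2 > cap)
        return 0;
    out[0] = (unsigned char)(len & 0xff);
    out[1] = (unsigned char)(len >> 8);
    memcpy(out + 2, data, len);
    return len + 2;
}

/* Build one fdb entry for a device with the given addr_len, with the old
 * (fixed == 0) or the fixed (fixed != 0) length. Returns message size. */
static size_t build_fdb(unsigned char addr_len, int fixed, unsigned char *msg,
                        size_t cap) {
    /* Constructed sample address; no byte equals POISON by design. */
    static const unsigned char sample[MAX_ADDR_LEN] = {
        0x02, 0x00, 0x5e, 0x10, 0x20, 0x30, 0x40, 0x50 };
    struct net_device dev = { .addr_len = addr_len };
    struct hw_addr ha;

    hw_addr_create(&ha, sample, addr_len);
    /* Before the fix the length was the constant ETH_ALEN; after it, the
     * device's own addr_len, matching what hw_addr_create() initialised. */
    return nla_put(msg, cap, fixed ? dev.addr_len : ETH_ALEN, ha.addr);
}

/* KMSAN-style check: count payload bytes that still carry the poison,
 * i.e. bytes copied out without ever having been initialised. */
int leaked_bytes(unsigned char addr_len, int fixed) {
    unsigned char msg[2 + MAX_ADDR_LEN];
    size_t n = build_fdb(addr_len, fixed, msg, sizeof msg);
    int leaked = 0;
    for (size_t i = 2; i < n; i++)
        if (msg[i] == POISON)
            leaked++;
    return leaked;
}

/* Length of the NDA_LLADDR payload actually emitted (0 if it overflowed);
 * shows the other half of the bug, truncation when addr_len > ETH_ALEN. */
size_t lladdr_len(unsigned char addr_len, int fixed) {
    unsigned char msg[2 + MAX_ADDR_LEN];
    size_t n = build_fdb(addr_len, fixed, msg, sizeof msg);
    return n ? n - 2 : 0;
}

int main(void) {
    /* addr_len = 4 is the syzbot case: two bytes of slab garbage leak,
     * matching "Bytes 2856-2857 ... are uninitialized" in the report. */
    printf("addr_len=4 hard-coded: len=%zu leaked=%d\n",
           lladdr_len(4, 0), leaked_bytes(4, 0));
    printf("addr_len=4 fixed:      len=%zu leaked=%d\n",
           lladdr_len(4, 1), leaked_bytes(4, 1));
    printf("addr_len=8 hard-coded: len=%zu (truncated)\n", lladdr_len(8, 0));
    printf("addr_len=8 fixed:      len=%zu\n", lladdr_len(8, 1));
    return 0;
}
```

The two-byte leak for addr_len = 4 is exactly ETH_ALEN minus addr_len, which is why the KMSAN report flags two bytes; the addr_len = 8 case shows that the hard-coded constant also silently truncated longer addresses, which the fix corrects at the same time.
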
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 738514e5c8ba2..a76f3024687f0 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2976,7 +2976,7 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
 	ndm->ndm_ifindex = dev->ifindex;
 	ndm->ndm_state   = ndm_state;
 
-	if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
+	if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
 		goto nla_put_failure;
 	if (vid)
 		if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
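Review bot: using dev->addr_len as the NDA_LLADDR length is only safe if every caller of nlmsg_populate_fdb_fill() passes an `addr` buffer of at least dev->addr_len bytes, and the callers are outside this hunk. The dump path (ndo_dflt_fdb_dump() via nlmsg_populate_fdb(), per the KMSAN trace) takes the address from the device's own hw-addr entry, so that side matches; rtnl_fdb_notify() below takes a bare `u8 *addr`, so it is worth confirming that none of its callers hand in an ETH_ALEN-sized MAC for a device with addr_len > ETH_ALEN, as that would replace the old two-byte over-read (ETH_ALEN minus addr_len, matching "Bytes 2856-2857" in the report) with an over-read past a shorter buffer.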
@@ -2990,10 +2990,10 @@ static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
 	return -EMSGSIZE;
 }
 
-static inline size_t rtnl_fdb_nlmsg_size(void)
+static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
 {
 	return NLMSG_ALIGN(sizeof(struct ndmsg)) +
-	       nla_total_size(ETH_ALEN) +	/* NDA_LLADDR */
+	       nla_total_size(dev->addr_len) +	/* NDA_LLADDR */
 	       nla_total_size(sizeof(u16)) +	/* NDA_VLAN */
 	       0;
 }
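Review bot: taking `const struct net_device *dev` here keeps the allocation size in step with the nla_put() length in the previous hunk, and because the helper is `static inline` in this file, any call site this backport misses is a build error rather than a silently undersized skb; the only caller updated in this patch is rtnl_fdb_notify(), so a build of the 4.14 tree is the check. Minor: a one-line comment that the size now depends on the device would help, since `dev` is dereferenced unconditionally and the helper no longer returns a constant.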
@@ -3005,7 +3005,7 @@ static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
 	struct sk_buff *skb;
 	int err = -ENOBUFS;
 
-	skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
+	skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
 	if (!skb)
 		goto errout;
 


