Netdev Archive on lore.kernel.org
From: Steffen Klassert <steffen.klassert@secunet.com>
To: YueHaibing <yuehaibing@huawei.com>
Cc: <herbert@gondor.apana.org.au>, <davem@davemloft.net>,
	<kuba@kernel.org>, <0x7f454c46@gmail.com>,
	<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<dima@arista.com>
Subject: Re: [PATCH] xfrm/compat: Fix general protection fault in xfrm_user_rcv_msg_compat()
Date: Fri, 16 Jul 2021 10:01:19 +0200	[thread overview]
Message-ID: <20210716080119.GC3684238@gauss3.secunet.de> (raw)
In-Reply-To: <20210712134002.34048-1-yuehaibing@huawei.com>

On Mon, Jul 12, 2021 at 09:40:02PM +0800, YueHaibing wrote:
> In xfrm_user_rcv_msg_compat(), if maxtype is not zero and less than
> XFRMA_MAX, nlmsg_parse_deprecated() does not initialize the attrs array fully.
> xfrm_xlate32() will access the uninitialized 'attrs[i]' while iterating over
> the whole attrs array.
> 
> KASAN: probably user-memory-access in range [0x0000000041b58ab0-0x0000000041b58ab7]
> CPU: 0 PID: 15799 Comm: syz-executor.2 Tainted: G        W         5.14.0-rc1-syzkaller #0
> RIP: 0010:nla_type include/net/netlink.h:1130 [inline]
> RIP: 0010:xfrm_xlate32_attr net/xfrm/xfrm_compat.c:410 [inline]
> RIP: 0010:xfrm_xlate32 net/xfrm/xfrm_compat.c:532 [inline]
> RIP: 0010:xfrm_user_rcv_msg_compat+0x5e5/0x1070 net/xfrm/xfrm_compat.c:577
> [...]
> Call Trace:
>  xfrm_user_rcv_msg+0x556/0x8b0 net/xfrm/xfrm_user.c:2774
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504
>  xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2824
>  netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
>  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1340
>  netlink_sendmsg+0x86d/0xdb0 net/netlink/af_netlink.c:1929
>  sock_sendmsg_nosec net/socket.c:702 [inline]
> 
> Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator")
> Signed-off-by: YueHaibing <yuehaibing@huawei.com>
> ---
>  net/xfrm/xfrm_compat.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c
> index a20aec9d7393..4738660cadea 100644
> --- a/net/xfrm/xfrm_compat.c
> +++ b/net/xfrm/xfrm_compat.c
> @@ -559,8 +559,8 @@ static struct nlmsghdr *xfrm_user_rcv_msg_compat(const struct nlmsghdr *h32,
>  	    (h32->nlmsg_flags & NLM_F_DUMP))
>  		return NULL;
>  
> -	err = nlmsg_parse_deprecated(h32, compat_msg_min[type], attrs,
> -			maxtype ? : XFRMA_MAX, policy ? : compat_policy, extack);
> +	err = nlmsg_parse_deprecated(h32, compat_msg_min[type], attrs, XFRMA_MAX,
> +				     policy ? : compat_policy, extack);
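Review bot: dropping the `maxtype ? : XFRMA_MAX` bound while keeping `policy ? : compat_policy` in the replaced call changes what the parser does for the narrower-bound callers, not just what it initialises: a caller-supplied `policy` that was sized for `maxtype` entries is now indexed by the validator for every attribute type up to XFRMA_MAX, and attribute types above the per-message `maxtype`, which nlmsg_parse_deprecated() previously skipped, are now accepted into attrs[]. If the goal is only to have attrs[] fully initialised before xfrm_xlate32() walks it, the narrower fix is to keep this call as it was and bound the loop in xfrm_xlate32() with the same `maxtype ? : XFRMA_MAX` (or clear attrs[] up to XFRMA_MAX before parsing); either way `maxtype` is unused in this function after the change and should be dropped from the parameter list or put back to use.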

This removes the only usage of maxtype in that function. If we don't
need it, we should remove maxtype from the function parameters.

But looking closer at this, it seems that xfrm_xlate32() should
only iterate up to maxtype if set. Dmitry, any opinion on that?
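As an added example, not code from this thread or from the kernel tree, the following user-space C model reproduces the contract the commit message describes: the parser clears only tb[0..maxtype], so a consumer that walks the table past maxtype reads whatever the caller left in the unused slots. The values XFRMA_MAX = 31 and XFRMA_SPD_MAX = 3, the POISON pointer standing in for stale stack contents, the three-attribute message and the struct layout are all constructed for this illustration and are assumptions, not kernel values.

```c
/* Added example, not kernel code: a user-space model of the attrs[] contract
 * behind nla_parse(): only tb[0..maxtype] is cleared, so a consumer walking
 * past maxtype reads stale slots. All constants and values are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XFRMA_MAX     31   /* assumed: widest attribute range */
#define XFRMA_SPD_MAX  3   /* assumed: narrower per-message bound */

struct nlattr {
	uint16_t nla_len;
	uint16_t nla_type;
};

#define NLA_ALIGN(n)  (((n) + 3) & ~3)
#define NLA_HDRLEN    ((int)NLA_ALIGN(sizeof(struct nlattr)))
/* Stands in for the stale stack data the caller left in attrs[]. */
#define POISON ((struct nlattr *)(uintptr_t)0x41b58ab0)

/* Model of nla_parse(): clears tb[0..maxtype] only, records in-range
 * attribute types and silently skips types above maxtype. */
static int model_nla_parse(struct nlattr **tb, int maxtype,
			   const unsigned char *buf, int len)
{
	memset(tb, 0, sizeof(tb[0]) * (maxtype + 1));
	while (len >= NLA_HDRLEN) {
		const struct nlattr *nla = (const struct nlattr *)buf;
		int alen;
		if (nla->nla_len < NLA_HDRLEN || nla->nla_len > len)
			return -1;
		alen = NLA_ALIGN(nla->nla_len);
		if (nla->nla_type > 0 && nla->nla_type <= maxtype)
			tb[nla->nla_type] = (struct nlattr *)nla;
		buf += alen;
		len -= alen;
	}
	return 0;
}

/* Model of the translator's loop over attrs[1..walk_max]: counts slots the
 * parser never initialised (the kernel dereferenced those and faulted). */
static int walk_attrs(struct nlattr **attrs, int walk_max, int *stale)
{
	int i, found = 0, n = 0;
	for (i = 1; i <= walk_max; i++) {
		if (attrs[i] == POISON)
			n++;
		else if (attrs[i])
			found++;
	}
	if (stale)
		*stale = n;
	return found;
}

/* Appends one attribute with a 4-byte payload; returns the new length. */
static int put_attr(unsigned char *buf, int off, uint16_t type)
{
	struct nlattr nla = { .nla_len = NLA_HDRLEN + 4, .nla_type = type };
	memcpy(buf + off, &nla, sizeof(nla));
	memset(buf + off + NLA_HDRLEN, 0xaa, 4);
	return off + NLA_ALIGN(nla.nla_len);
}

/* Parses a constructed message with parse_max as the parser's bound, walks
 * attrs[] up to walk_max; returns attributes found, stale slots in *stale. */
static int run_case(int parse_max, int walk_max, int *stale)
{
	_Alignas(4) unsigned char msg[64];
	struct nlattr *attrs[XFRMA_MAX + 1];
	int len = 0, i;
	for (i = 0; i <= XFRMA_MAX; i++)
		attrs[i] = POISON;
	/* constructed: types 1 and 2 fit either bound; 10 is above XFRMA_SPD_MAX */
	len = put_attr(msg, len, 1);
	len = put_attr(msg, len, 2);
	len = put_attr(msg, len, 10);
	if (model_nla_parse(attrs, parse_max, msg, len) < 0)
		return -1;
	return walk_attrs(attrs, walk_max, stale);
}

static int stale_slots(int parse_max, int walk_max)
{
	int stale = 0;
	run_case(parse_max, walk_max, &stale);
	return stale;
}

int main(void)
{
	int s, f = run_case(XFRMA_SPD_MAX, XFRMA_MAX, &s);
	printf("parse to XFRMA_SPD_MAX, walk to XFRMA_MAX: found=%d stale=%d\n", f, s);
	f = run_case(XFRMA_SPD_MAX, XFRMA_SPD_MAX, &s);
	printf("walk bounded by maxtype:                  found=%d stale=%d\n", f, s);
	f = run_case(XFRMA_MAX, XFRMA_MAX, &s);
	printf("parse to XFRMA_MAX (the patch):           found=%d stale=%d\n", f, s);
	return 0;
}
```

The three cases in main() map onto the thread: parsing with the narrow bound and then walking to XFRMA_MAX touches 28 uninitialised slots (the syzkaller report); bounding the walk by the same maxtype, as suggested above, touches none; parsing with XFRMA_MAX, as the patch does, also touches none but now admits attribute type 10 that the narrower bound used to drop, which is the behaviour change a reviewer has to weigh.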

Thread overview: 3+ messages
2021-07-12 13:40 YueHaibing
2021-07-16  8:01 ` Steffen Klassert [this message]
2021-07-16 14:36   ` Dmitry Safonov
