AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
6f07e5f06c
kernel_optimize_test/net/tipc
History
Xin Long 6f07e5f06c tipc: check bearer name with right length in tipc_nl_compat_bearer_enable 
Syzbot reported the following crash:

BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:961
  memchr+0xce/0x110 lib/string.c:961
  string_is_valid net/tipc/netlink_compat.c:176 [inline]
  tipc_nl_compat_bearer_enable+0x2c4/0x910 net/tipc/netlink_compat.c:401
  __tipc_nl_compat_doit net/tipc/netlink_compat.c:321 [inline]
  tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:354
  tipc_nl_compat_handle net/tipc/netlink_compat.c:1162 [inline]
  tipc_nl_compat_recv+0x1ae7/0x2750 net/tipc/netlink_compat.c:1265
  genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
  genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
  netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
  genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
  netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
  netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
  netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
  sock_sendmsg_nosec net/socket.c:622 [inline]
  sock_sendmsg net/socket.c:632 [inline]

Uninit was created at:
  __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
  alloc_skb include/linux/skbuff.h:1012 [inline]
  netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
  netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
  sock_sendmsg_nosec net/socket.c:622 [inline]
  sock_sendmsg net/socket.c:632 [inline]

It was triggered when the bearer name size < TIPC_MAX_BEARER_NAME,
it would check with a wrong len/TLV_GET_DATA_LEN(msg->req), which
also includes priority and disc_domain length.

This patch is to fix it by checking it with a right length:
'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_bearer_config, name)'.

Reported-by: syzbot+8b707430713eb46e1e45@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-31 16:45:57 -07:00
..
addr.c
addr.h
bcast.c tipc: correct spelling errors for struct tipc_bc_base's comment 2018-09-03 22:03:07 -07:00
bcast.h
bearer.c tipc: fix a double free in tipc_enable_bearer() 2018-12-27 16:16:17 -08:00
bearer.h tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
core.c
core.h
diag.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
discover.c tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
discover.h
eth_media.c
group.c net: tipc: fix a missing check of nla_nest_start 2019-03-16 12:09:05 -07:00
group.h tipc: extend sock diag for group communication 2018-06-30 21:05:42 +09:00
ib_media.c
Kconfig
link.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-02-15 12:38:38 -08:00
link.h tipc: add trace_events for tipc link 2018-12-19 11:49:24 -08:00
Makefile tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
monitor.c tipc: make some functions static 2018-07-21 16:23:22 -07:00
monitor.h
msg.c tipc: buffer overflow handling in listener socket 2018-09-29 11:24:22 -07:00
msg.h tipc: fix link session and re-establish issues 2019-02-11 21:26:20 -08:00
name_distr.c tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
name_distr.h tipc: permit overlapping service ranges in name table 2018-03-31 22:19:52 -04:00
name_table.c tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
name_table.h tipc: eliminate message disordering during binding table update 2018-10-22 19:29:12 -07:00
net.c tipc: change to check tipc_own_id to return in tipc_net_stop 2019-03-26 11:21:20 -07:00
net.h tipc: fix lockdep warning when reinitilaizing sockets 2018-11-17 22:01:31 -08:00
netlink_compat.c tipc: check bearer name with right length in tipc_nl_compat_bearer_enable 2019-03-31 16:45:57 -07:00
netlink.c tipc: switch to rhashtable iterator 2018-08-29 18:04:54 -07:00
netlink.h
node.c tipc: tipc clang warning 2019-03-23 21:45:59 -04:00
node.h tipc: enable tracepoints in tipc 2018-12-19 11:49:24 -08:00
socket.c tipc: allow service ranges to be connect()'ed on RDM/DGRAM 2019-03-17 21:32:11 -07:00
socket.h tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
subscr.c tipc: fix unbalanced reference counter 2018-04-12 21:46:10 -04:00
subscr.h
sysctl.c tipc: add trace_events for tipc socket 2018-12-19 11:49:24 -08:00
topsrv.c tipc: fix cancellation of topology subscriptions 2019-03-21 09:09:04 -07:00
topsrv.h
trace.c tipc: remove unneeded semicolon in trace.c 2019-01-17 22:04:43 -08:00
trace.h tipc: add trace_events for tipc bearer 2018-12-19 11:49:25 -08:00
udp_media.c tipc: compare remote and local protocols in tipc_udp_enable() 2018-12-14 13:28:03 -08:00
udp_media.h tipc: implement configuration of UDP media MTU 2018-04-20 11:04:05 -04:00