forked from luck/tmp_suning_uos_patched
d49baa7e12
It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:
- Missing SMC_PNETID_NAME => null pointer dereference when comparing
names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing
smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing
smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to
smc_ib_device::pattr[-1].
Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.
Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes:
|
||
|---|---|---|
| .. | ||
| af_smc.c | ||
| Kconfig | ||
| Makefile | ||
| smc_cdc.c | ||
| smc_cdc.h | ||
| smc_clc.c | ||
| smc_clc.h | ||
| smc_close.c | ||
| smc_close.h | ||
| smc_core.c | ||
| smc_core.h | ||
| smc_diag.c | ||
| smc_ib.c | ||
| smc_ib.h | ||
| smc_llc.c | ||
| smc_llc.h | ||
| smc_pnet.c | ||
| smc_pnet.h | ||
| smc_rx.c | ||
| smc_rx.h | ||
| smc_tx.c | ||
| smc_tx.h | ||
| smc_wr.c | ||
| smc_wr.h | ||
| smc.h | ||