    net: metrics: add proper netlink validation · 5300a1c7
    Eric Dumazet authored
    [ Upstream commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 ]
    
    Before using nla_get_u32(), better make sure the attribute
    is of the proper size.
    
    The code was changed recently, but the bug has been there since the beginning
    of git history.
    
    BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
    CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
     kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
     __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
     rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
     fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
     rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
     fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
     inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
     rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
     netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
     rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x455a09
    RSP: 002b:00007faae5fd8c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00007faae5fd96d4 RCX: 0000000000455a09
    RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000013
    RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
    
    Uninit was stored to memory at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
     kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
     __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
     fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
     fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
     fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
     inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
     rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
     netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
     rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
     netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
     netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
     netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    Uninit was created at:
     kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
     kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
     kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
     kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
     slab_post_alloc_hook mm/slab.h:446 [inline]
     slab_alloc_node mm/slub.c:2753 [inline]
     __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
     __kmalloc_reserve net/core/skbuff.c:138 [inline]
     __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
     alloc_skb include/linux/skbuff.h:988 [inline]
     netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
     netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
     sock_sendmsg_nosec net/socket.c:629 [inline]
     sock_sendmsg net/socket.c:639 [inline]
     ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
     __sys_sendmsg net/socket.c:2155 [inline]
     __do_sys_sendmsg net/socket.c:2164 [inline]
     __se_sys_sendmsg net/socket.c:2162 [inline]
     __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
     do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Signed-off-by: 's avatarEric Dumazet <edumazet@google.com>
    Reported-by: 's avatarsyzbot <syzkaller@googlegroups.com>
    Cc: David Ahern <dsahern@gmail.com>
    Signed-off-by: 's avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>