system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-15 07:47:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/net
History
Vladimir Oltean 844f104790 net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events 
After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.

static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
	struct dsa_user_priv *p = netdev_priv(dev);

	return p->dp;
}

Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.

But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:

$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[   43.309174] ==================================================================
[   43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[   43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[   43.330058]
[   43.342436] Call trace:
[   43.366542]  dsa_user_prechangeupper+0x30/0xe8
[   43.371024]  dsa_user_netdevice_event+0xb38/0xee8
[   43.375768]  notifier_call_chain+0xa4/0x210
[   43.379985]  raw_notifier_call_chain+0x24/0x38
[   43.384464]  __netdev_upper_dev_link+0x3ec/0x5d8
[   43.389120]  netdev_upper_dev_link+0x70/0xa8
[   43.393424]  register_vlan_dev+0x1bc/0x310
[   43.397554]  vlan_newlink+0x210/0x248
[   43.401247]  rtnl_newlink+0x9fc/0xe30
[   43.404942]  rtnetlink_rcv_msg+0x378/0x580

Avoid the kernel oops by dereferencing after the type check, as customary.

Fixes: 4c3f80d22b ("net: dsa: walk through all changeupper notifier functions")
Reported-and-tested-by: syzbot+d81bcd883824180500c8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000001d4255060e87545c@google.com/
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240110003354.2796778-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-01-11 16:33:52 -08:00
..
6lowpan
9p net: 9p: avoid freeing uninit memory in p9pdu_vreadf 2023-12-13 05:44:30 +09:00
802 net: fill in MODULE_DESCRIPTION()s under net/802* 2023-10-28 11:29:28 +01:00
8021q Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
appletalk net: remove SOCK_DEBUG leftovers 2023-12-26 20:31:01 +00:00
atm net: fill in MODULE_DESCRIPTION()s for ATM 2024-01-05 08:04:23 -08:00
ax25 net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
batman-adv batman-adv: Switch to linux/array_size.h 2023-11-14 08:16:34 +01:00
bluetooth Bluetooth: Fix atomicity violation in {min,max}_key_size_set 2023-12-22 13:00:36 -05:00
bpf bpf: Fix dtor CFI 2023-12-15 16:25:55 -08:00
bridge bridge: cfm: fix enum typo in br_cc_ccm_tx_parse 2023-12-26 22:38:13 +00:00
caif net: fill in MODULE_DESCRIPTION()s for CAIF 2024-01-05 08:06:35 -08:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-12 17:07:34 -07:00
ceph This update includes the following changes: 2023-11-02 16:15:30 -10:00
core Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
dcb
dccp net: remove SOCK_DEBUG leftovers 2023-12-26 20:31:01 +00:00
devlink devlink: extend multicast filtering by port index 2023-12-19 15:31:40 +01:00
dns_resolver Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
dsa net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events 2024-01-11 16:33:52 -08:00
ethernet
ethtool net: ethtool: reject unsupported RSS input xfrm values 2024-01-05 19:23:15 -08:00
handshake Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-10-26 13:46:28 -07:00
hsr net: fill in MODULE_DESCRIPTION()s for HSR 2024-01-11 16:16:08 -08:00
ieee802154 mac802154: Avoid new associations while disassociating 2023-12-15 11:14:57 +01:00
ife net: sched: ife: fix potential use-after-free 2023-12-15 10:50:18 +00:00
ipv4 Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-09 16:23:26 +01:00
iucv iucv: make iucv_bus const 2023-12-29 07:46:38 +00:00
kcm net: kcm: fix direct access to bv_len 2024-01-03 18:37:22 -08:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-08-18 12:44:56 -07:00
l2tp ipv6: annotate data-races around np->ucast_oif 2023-12-11 10:59:17 +00:00
l3mdev
lapb
llc llc: verify mac len before reading mac header 2023-11-01 22:21:32 -07:00
mac80211 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
mac802154 mac802154: Avoid new associations while disassociating 2023-12-15 11:14:57 +01:00
mctp mctp: perform route lookups under a RCU read-side lock 2023-10-10 19:43:22 -07:00
mpls networking: Update to register_net_sysctl_sz 2023-08-15 15:26:18 -07:00
mptcp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
ncsi net/ncsi: Add NC-SI 1.2 Get MC MAC Address command 2023-11-18 15:00:51 +00:00
netfilter Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
netlabel calipso: fix memory leak in netlbl_calipso_add_pass() 2023-12-07 14:23:12 -05:00
netlink genetlink: Use internal flags for multicast groups 2023-12-29 08:43:59 +00:00
netrom net: implement lockless SO_PRIORITY 2023-10-01 19:09:54 +01:00
nfc net: fill in MODULE_DESCRIPTION()s for NFC 2024-01-11 16:16:08 -08:00
nsh
openvswitch net/sched: act_ct: Always fill offloading tuple iifidx 2023-11-08 17:47:08 -08:00
packet net: fill in MODULE_DESCRIPTION() for AF_PACKET 2024-01-05 08:06:35 -08:00
phonet
psample genetlink: Use internal flags for multicast groups 2023-12-29 08:43:59 +00:00
qrtr net: qrtr: ns: Return 0 if server port is not present 2024-01-01 18:41:29 +00:00
rds ipv6: annotate data-races around np->mcast_oif 2023-12-11 10:59:17 +00:00
rfkill Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2023-12-21 22:17:23 +01:00
rose net/rose: fix races in rose_kill_by_device() 2023-12-15 11:59:53 +00:00
rxrpc Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
sched Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-09 16:23:26 +01:00
sctp sctp: fix busy polling 2024-01-04 10:29:18 +00:00
smc Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
strparser
sunrpc net: fill in MODULE_DESCRIPTION()s for Sun RPC 2024-01-11 16:16:08 -08:00
switchdev
tipc tipc: Remove some excess struct member documentation 2023-12-22 23:14:43 +00:00
tls net: tls, update curr on splice as well 2023-12-07 09:52:28 -08:00
unix bpf: sockmap, fix proto update hook to avoid dup calls 2024-01-03 16:50:06 -08:00
vmw_vsock vsock/virtio: use skb_frag_*() helpers 2024-01-03 18:37:16 -08:00
wireless Just a couple of more things over the holidays: 2024-01-04 17:00:08 -08:00
x25 net: remove SOCK_DEBUG leftovers 2023-12-26 20:31:01 +00:00
xdp netdev 2023-12-18 16:46:08 -08:00
xfrm bpf: xfrm: Add bpf_xdp_get_xfrm_state() kfunc 2023-12-14 17:12:49 -08:00
compat.c file: stop exposing receive_fd_user() 2023-12-12 14:24:14 +01:00
devres.c
Kconfig bpfilter: remove bpfilter 2024-01-04 10:23:10 -08:00
Kconfig.debug
Makefile bpfilter: remove bpfilter 2024-01-04 10:23:10 -08:00
socket.c vfs-6.8.iov_iter 2024-01-08 11:43:04 -08:00
sysctl_net.c sysctl: Add size to register_net_sysctl function 2023-08-15 15:26:17 -07:00