linux/drivers
Lin Ma b33fb5b801 net: qualcomm: rmnet: fix global oob in rmnet_policy
The variable rmnet_link_ops assigns a *bigger* maxtype, which leads to a
global out-of-bounds read when parsing the netlink attributes. See bug
trace below:

==================================================================
BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:386 [inline]
BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
Read of size 1 at addr ffffffff92c438d0 by task syz-executor.6/84207

CPU: 0 PID: 84207 Comm: syz-executor.6 Tainted: G                 N 6.1.0 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x172/0x475 mm/kasan/report.c:395
 kasan_report+0xbb/0x1c0 mm/kasan/report.c:495
 validate_nla lib/nlattr.c:386 [inline]
 __nla_validate_parse+0x24af/0x2750 lib/nlattr.c:600
 __nla_parse+0x3e/0x50 lib/nlattr.c:697
 nla_parse_nested_deprecated include/net/netlink.h:1248 [inline]
 __rtnl_newlink+0x50a/0x1880 net/core/rtnetlink.c:3485
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3594
 rtnetlink_rcv_msg+0x43c/0xd70 net/core/rtnetlink.c:6091
 netlink_rcv_skb+0x14f/0x410 net/netlink/af_netlink.c:2540
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x54e/0x800 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x930/0xe50 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0x154/0x190 net/socket.c:734
 ____sys_sendmsg+0x6df/0x840 net/socket.c:2482
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fdcf2072359
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fdcf13e3168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fdcf219ff80 RCX: 00007fdcf2072359
RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
RBP: 00007fdcf20bd493 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fffbb8d7bdf R14: 00007fdcf13e3300 R15: 0000000000022000
 </TASK>

The buggy address belongs to the variable:
 rmnet_policy+0x30/0xe0

The buggy address belongs to the physical page:
page:0000000065bdeb3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x155243
flags: 0x200000000001000(reserved|node=0|zone=2)
raw: 0200000000001000 ffffea00055490c8 ffffea00055490c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffff92c43780: f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9 00 00 00 07
 ffffffff92c43800: f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9 06 f9 f9 f9
>ffffffff92c43880: f9 f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                                                 ^
 ffffffff92c43900: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9
 ffffffff92c43980: 00 00 00 07 f9 f9 f9 f9 00 00 00 05 f9 f9 f9 f9

According to the comment of `nla_parse_nested_deprecated`, the maxtype
should be len(destination array) - 1. Hence use `IFLA_RMNET_MAX` here.

Fixes: 14452ca3b5 ("net: qualcomm: rmnet: Export mux_id and flags to netlink")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20240110061400.3356108-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2024-01-11 16:32:03 -08:00
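The following is an added example, not the kernel's code and not the patch above: a stripped-down C model of how __nla_validate_parse() indexes a policy table by attribute type. All MODEL_* names, the three-entry policy and the single-attribute message are constructed for illustration. The kernel's validate_nla() only rejects `type > maxtype` before reading `policy[type]`, so nothing ties maxtype to the table's real size; the model adds a bounds check at exactly that point so the off-by-one is reported rather than silently read, and shows that passing `__MODEL_ATTR_MAX` (the table size) instead of `MODEL_ATTR_MAX` (table size minus one) lets an attribute of type `__MODEL_ATTR_MAX` reach the out-of-range lookup.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Attribute numbering in the IFLA_* style: the last enumerator is a count
 * sentinel. The policy table has __MODEL_ATTR_MAX entries, so the largest
 * index that exists is MODEL_ATTR_MAX = __MODEL_ATTR_MAX - 1. */
enum { MODEL_ATTR_UNSPEC, MODEL_ATTR_MUX_ID, MODEL_ATTR_FLAGS, __MODEL_ATTR_MAX };
#define MODEL_ATTR_MAX (__MODEL_ATTR_MAX - 1)

enum model_nla_type { MODEL_NLA_UNSPEC, MODEL_NLA_U16, MODEL_NLA_NESTED };

/* Cut-down policy entry (hypothetical; the kernel's struct nla_policy has more). */
struct model_policy { enum model_nla_type type; };

static const struct model_policy model_policy[__MODEL_ATTR_MAX] = {
	[MODEL_ATTR_MUX_ID] = { MODEL_NLA_U16 },
	[MODEL_ATTR_FLAGS]  = { MODEL_NLA_NESTED },
};

/* Netlink TLV header: total length including this header, then the type. */
struct model_nlattr { uint16_t nla_len; uint16_t nla_type; };
#define MODEL_NLA_HDRLEN    ((int)sizeof(struct model_nlattr))
#define MODEL_NLA_ALIGN(n)  (((n) + 3) & ~3)
#define MODEL_NLA_TYPE_MASK 0x3fff /* strips NLA_F_NESTED / NLA_F_NET_BYTEORDER */

enum model_result {
	MODEL_OK = 0,         /* attribute accepted */
	MODEL_SKIPPED = 1,    /* type 0 or above maxtype: ignored, as in non-strict parsing */
	MODEL_BAD_LEN = -1,   /* payload shorter than the policy requires */
	MODEL_OOB = -2,       /* policy[type] lies past the end of the table */
	MODEL_TRUNCATED = -3, /* TLV does not fit in the buffer */
};

/* Model of validate_nla(): the kernel rejects only type > maxtype before
 * indexing policy[type]. The policy_entries check is the model's addition. */
static enum model_result validate_one(const struct model_nlattr *nla,
				      const struct model_policy *policy,
				      size_t policy_entries, int maxtype)
{
	uint16_t type = nla->nla_type & MODEL_NLA_TYPE_MASK;
	int payload = nla->nla_len - MODEL_NLA_HDRLEN;

	if (type == 0 || type > maxtype)
		return MODEL_SKIPPED;
	if ((size_t)type >= policy_entries)
		return MODEL_OOB; /* maxtype == policy_entries lets this type through */
	if (policy[type].type == MODEL_NLA_U16 && payload < (int)sizeof(uint16_t))
		return MODEL_BAD_LEN;
	return MODEL_OK;
}

/* Walk a buffer of TLVs; returns the number of accepted attributes or a
 * negative model_result. tb must have policy_entries slots. */
static int parse_attrs(const uint8_t *buf, size_t len,
		       const struct model_policy *policy, size_t policy_entries,
		       int maxtype, const struct model_nlattr **tb)
{
	size_t off = 0;
	int accepted = 0;

	memset(tb, 0, policy_entries * sizeof(*tb));
	while (off + MODEL_NLA_HDRLEN <= len) {
		struct model_nlattr nla;
		enum model_result r;

		memcpy(&nla, buf + off, sizeof(nla));
		if (nla.nla_len < MODEL_NLA_HDRLEN || off + nla.nla_len > len)
			return MODEL_TRUNCATED;
		r = validate_one(&nla, policy, policy_entries, maxtype);
		if (r < 0)
			return r;
		if (r == MODEL_OK) {
			tb[nla.nla_type & MODEL_NLA_TYPE_MASK] = (const struct model_nlattr *)(buf + off);
			accepted++;
		}
		off += MODEL_NLA_ALIGN(nla.nla_len);
	}
	return accepted;
}

/* Constructed input: one attribute of `type` with a zeroed payload of
 * payload_len bytes (at most 8), parsed against model_policy with `maxtype`. */
static int parse_single(int maxtype, uint16_t type, uint16_t payload_len)
{
	_Alignas(4) uint8_t msg[16] = { 0 };
	const struct model_nlattr *tb[__MODEL_ATTR_MAX];
	struct model_nlattr nla = {
		.nla_len = (uint16_t)(MODEL_NLA_HDRLEN + payload_len),
		.nla_type = type,
	};

	if (payload_len > 8)
		return MODEL_TRUNCATED;
	memcpy(msg, &nla, sizeof(nla));
	return parse_attrs(msg, MODEL_NLA_ALIGN(nla.nla_len),
			   model_policy, __MODEL_ATTR_MAX, maxtype, tb);
}

int main(void)
{
	/* Buggy maxtype (table size): an attribute of that type indexes one past the table. */
	printf("maxtype=%d type=%d -> %d\n", __MODEL_ATTR_MAX, __MODEL_ATTR_MAX,
	       parse_single(__MODEL_ATTR_MAX, __MODEL_ATTR_MAX, 2));
	/* Fixed maxtype (table size - 1): the same attribute is skipped. */
	printf("maxtype=%d type=%d -> %d\n", MODEL_ATTR_MAX, __MODEL_ATTR_MAX,
	       parse_single(MODEL_ATTR_MAX, __MODEL_ATTR_MAX, 2));
	printf("mux_id -> %d\n", parse_single(MODEL_ATTR_MAX, MODEL_ATTR_MUX_ID, 2));
	return 0;
}
```

The check to carry into real code is the one the fix applies: the maxtype handed to nla_parse_nested_deprecated() must equal the policy array's last valid index, so a count-style sentinel such as `__IFLA_RMNET_MAX` is off by one and the `IFLA_RMNET_MAX` form is the one to pass.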
accel Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
accessibility
acpi platform-drivers-x86 for v6.8-1 2024-01-09 17:07:12 -08:00
amba
android Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
ata SCSI fixes on 20231130 2023-12-02 06:27:20 +09:00
atm net: fill in MODULE_DESCRIPTION()s for ATM 2024-01-05 08:04:23 -08:00
auxdisplay
base Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
bcma bcma: Use PCI_HEADER_TYPE_MASK instead of literal 2023-11-30 21:21:28 +02:00
block Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
bluetooth Bluetooth: Add device 13d3:3572 IMC Networks Bluetooth Radio 2023-12-22 13:00:11 -05:00
bus bus: ti-sysc: Flush posted write only after srst_udelay 2023-11-28 12:57:16 +02:00
cache
cdrom
cdx Char/Misc and other driver changes for 6.7-rc1 2023-11-03 14:51:08 -10:00
char This update includes the following changes: 2024-01-10 12:23:43 -08:00
clk Fixes for a wrong clockname, a wrong clock-parent, a wrong clock-gate 2023-12-13 15:26:24 -08:00
clocksource RISC-V Patches for the 6.7 Merge Window, Part 2 2023-11-10 09:23:17 -08:00
comedi
connector Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
counter
cpufreq Power management updates for 6.8-rc1 2024-01-09 16:32:11 -08:00
cpuidle cpuidle: haltpoll: Do not enable interrupts when entering idle 2023-12-29 18:08:18 +01:00
crypto This update includes the following changes: 2024-01-10 12:23:43 -08:00
cxl cxl/pmu: Ensure put_device on pmu devices 2023-12-14 21:54:45 -08:00
dax New code for 6.8: 2024-01-10 08:45:22 -08:00
dca
devfreq PM / devfreq: Synchronize devfreq_monitor_[start/stop] 2023-12-19 07:58:27 +09:00
dio
dma This update includes the following changes: 2024-01-10 12:23:43 -08:00
dma-buf dma-buf: fix check in dma_resv_add_fence 2023-11-27 20:00:47 +01:00
dpll dpll: expose fractional frequency offset value to user 2024-01-05 07:58:19 -08:00
edac - Convert the hw error storm handling into a finer-grained, per-bank 2024-01-08 16:03:00 -08:00
eisa
extcon
firewire firewire: ohci: suppress unexpected system reboot in AMD Ryzen machines and ASM108x/VT630x PCIe cards 2024-01-05 21:28:08 +09:00
firmware EFI updates for v6.8 2024-01-09 17:11:27 -08:00
fpga eventfd: simplify eventfd_signal() 2023-11-28 14:08:38 +01:00
fsi
gnss
gpio gpio: dwapb: mask/unmask IRQ when disable/enale it 2023-12-21 11:19:01 +01:00
gpu header cleanups for 6.8 2024-01-10 16:43:55 -08:00
greybus Revert "greybus: gb-beagleplay: Ensure le for values in transport" 2023-12-05 09:10:01 +09:00
hid hardening updates for v6.8-rc1 2024-01-10 11:03:52 -08:00
hsi
hte hte: Changes for v6.7-rc1 2023-10-31 18:32:51 -10:00
hv TTY/Serial changes for 6.7-rc1 2023-11-03 15:44:25 -10:00
hwmon hwmon: (corsair-psu) Fix probe when built-in 2023-12-08 10:36:02 -08:00
hwspinlock
hwtracing coresight: ultrasoc-smb: Fix uninitialized before use buf_hw_base 2023-11-16 10:00:14 +00:00
i2c i2c: core: Fix atomic xfer check for non-preempt config 2024-01-06 14:10:10 +01:00
i3c I3C for 6.7 2023-11-04 16:25:36 -10:00
idle Power management updates for 6.8-rc1 2024-01-09 16:32:11 -08:00
iio Revert "iio: hid-sensor-als: Add light color temperature support" 2023-12-19 08:08:20 +01:00
infiniband arm64 updates for 6.8 2024-01-08 16:32:09 -08:00
input spi: Updates for v6.8 2024-01-09 15:02:12 -08:00
interconnect interconnect: qcom: icc-rpm: Fix peak rate calculation 2023-12-06 17:00:42 +02:00
iommu Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
ipack
irqchip header cleanups for 6.8 2024-01-10 16:43:55 -08:00
isdn hardening updates for v6.7-rc1 2023-10-30 19:09:55 -10:00
leds leds: trigger: netdev: fix RTNL handling to prevent potential deadlock 2023-12-06 07:36:55 -08:00
macintosh powerpc updates for 6.7 2023-11-03 10:07:39 -10:00
mailbox Moving repo 2023-11-05 18:45:32 -08:00
mcb
md Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
media Revert BPF token-related functionality 2023-12-19 08:23:03 -08:00
memory IOMMU Updates for Linux v6.7 2023-11-09 13:37:28 -08:00
memstick
message
mfd spi: Updates for v6.8 2024-01-09 15:02:12 -08:00
misc hardening updates for v6.8-rc1 2024-01-10 11:03:52 -08:00
mmc spi: Updates for v6.8 2024-01-09 15:02:12 -08:00
most
mtd * MTD 2024-01-09 15:40:59 -08:00
mux
net net: qualcomm: rmnet: fix global oob in rmnet_policy 2024-01-11 16:32:03 -08:00
nfc nfc: virtual_ncidev: Add variable to check if ndev is running 2023-11-22 10:55:48 +00:00
ntb
nubus nubus: Make nubus_bus_type static and constant 2024-01-03 13:33:59 +01:00
nvdimm nvdimm/btt: replace deprecated strncpy with strscpy 2023-12-01 09:51:43 -08:00
nvme hardening updates for v6.8-rc1 2024-01-10 11:03:52 -08:00
nvmem nvmem: brcm_nvram: store a copy of NVRAM content 2023-12-15 13:15:02 +01:00
of Devicetree fixes for v6.7, take 1: 2023-12-07 12:22:36 -08:00
opp OPP: Rename 'rate_clk_single' 2024-01-05 15:55:41 +05:30
parisc parisc/power: Fix power soft-off when running on qemu 2023-11-18 18:59:30 +01:00
parport parport: Add support for Brainboxes IX/UC/PX parallel cards 2023-12-07 11:10:44 +09:00
pci Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
pcmcia PCMCIA odd cleanups and fixes for v6.7-rc1 2023-11-07 16:40:42 -08:00
peci
perf ACPI updates for 6.8-rc1 2024-01-09 16:12:44 -08:00
phy phy fixes for 6.7 2023-12-17 09:19:27 -08:00
pinctrl Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
platform platform-drivers-x86 for v6.8-1 2024-01-09 17:07:12 -08:00
pmdomain Power management fixes for 6.7-rc4 2023-12-02 09:01:00 +09:00
pnp ACPI updates for 6.8-rc1 2024-01-09 16:12:44 -08:00
power USB/Thunderbolt changes for 6.7-rc1 2023-11-03 16:00:42 -10:00
powercap powercap: DTPM: Fix missing cpufreq_cpu_put() calls 2023-12-05 20:51:24 +01:00
pps
ps3
ptp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-01-04 18:06:46 -08:00
pwm pwm: bcm2835: Fix NPD in suspend/resume 2023-11-21 11:09:32 +01:00
rapidio rapidio/tsi721: fix kernel-doc warnings 2023-12-20 15:02:57 -08:00
ras
regulator regulator: event: Ensure atomicity for sequence number 2024-01-04 20:02:06 +00:00
remoteproc
reset reset: Fix crash when freeing non-existent optional resets 2023-11-30 15:02:21 +01:00
rpmsg
rtc RTC for 6.7 2023-11-05 18:49:40 -08:00
s390 Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
sbus
scsi scsi: core: Always send batch on reset or error handling command 2023-12-18 21:09:41 -05:00
sh
siox
slimbus
soc powerpc updates for 6.7 2023-11-03 10:07:39 -10:00
soundwire soundwire: intel_ace2x: fix AC timing setting for ACE2.x 2023-11-28 15:27:27 +05:30
spi spi: Updates for v6.8 2024-01-09 15:02:12 -08:00
spmi spmi: rename spmi device lookup helper 2023-11-01 10:02:18 +00:00
ssb
staging pwm: Changes for v6.7-rc1 2023-11-09 13:47:52 -08:00
target pid: Split out pid_types.h 2023-12-20 19:26:31 -05:00
tc
tee OP-TEE fix for supplicant based device enumeration 2023-12-06 16:15:26 +01:00
thermal Thermal control updates for 6.8-rc1 2024-01-09 16:20:17 -08:00
thunderbolt thunderbolt: Fix minimum allocated USB 3.x and PCIe bandwidth 2023-12-08 09:03:49 +02:00
tty serial: 8250_dw: Add ACPI ID for Granite Rapids-D UART 2023-12-07 10:48:56 +09:00
ufs scsi: ufs: core: Let the sq_lock protect sq_tail_slot access 2023-12-18 21:09:54 -05:00
uio
usb spi: Updates for v6.8 2024-01-09 15:02:12 -08:00
vdpa vfs-6.8.misc 2024-01-08 10:26:08 -08:00
vfio vfs-6.8.misc 2024-01-08 10:26:08 -08:00
vhost Networking changes for 6.8. 2024-01-11 10:07:29 -08:00
video mm, treewide: rename MAX_ORDER to MAX_PAGE_ORDER 2024-01-08 15:27:15 -08:00
virt - Convert the sev-guest plaform ->remove callback to return void 2024-01-08 15:42:52 -08:00
virtio Many singleton patches against the MM code. The patch series which 2024-01-09 11:18:47 -08:00
w1
watchdog - removed AR7 platform support 2023-11-10 09:19:46 -08:00
xen vfs-6.8.misc 2024-01-08 10:26:08 -08:00
zorro
Kconfig - removed AR7 platform support 2023-11-10 09:19:46 -08:00
Makefile - removed AR7 platform support 2023-11-10 09:19:46 -08:00