Open Source and information security mailing list archives
 
Date: Tue, 9 Jan 2024 18:56:04 -0800
From: Florian Fainelli <f.fainelli@...il.com>
To: Vladimir Oltean <vladimir.oltean@....com>, netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
 Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
 Paolo Abeni <pabeni@...hat.com>, Andrew Lunn <andrew@...n.ch>,
 Dan Carpenter <dan.carpenter@...cle.com>,
 syzbot+d81bcd883824180500c8@...kaller.appspotmail.com
Subject: Re: [PATCH net] net: dsa: fix netdev_priv() dereference before check
 on non-DSA netdevice events
On 1/9/2024 4:33 PM, Vladimir Oltean wrote:
> After the blamed commit, we started doing this dereference for every
> NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.
> 
> static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
> {
> 	struct dsa_user_priv *p = netdev_priv(dev);
> 
> 	return p->dp;
> }
> 
> Which is obviously bogus, because not all net_devices have a netdev_priv()
> of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
> and p->dp means dereferencing 8 bytes starting with offset 16. Most
> drivers allocate that much private memory anyway, making our access not
> fault, and we discard the bogus data quickly afterwards, so this wasn't
> caught.
> 
> But the dummy interface is somewhat special in that it calls
> alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
> is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
> with a VLAN as its new upper:
> 
> $ ip link add dummy1 type dummy
> $ ip link add link dummy1 name dummy1.100 type vlan id 100
> [   43.309174] ==================================================================
> [   43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
> [   43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
> [   43.330058]
> [   43.342436] Call trace:
> [   43.366542]  dsa_user_prechangeupper+0x30/0xe8
> [   43.371024]  dsa_user_netdevice_event+0xb38/0xee8
> [   43.375768]  notifier_call_chain+0xa4/0x210
> [   43.379985]  raw_notifier_call_chain+0x24/0x38
> [   43.384464]  __netdev_upper_dev_link+0x3ec/0x5d8
> [   43.389120]  netdev_upper_dev_link+0x70/0xa8
> [   43.393424]  register_vlan_dev+0x1bc/0x310
> [   43.397554]  vlan_newlink+0x210/0x248
> [   43.401247]  rtnl_newlink+0x9fc/0xe30
> [   43.404942]  rtnetlink_rcv_msg+0x378/0x580
> 
> Avoid the kernel oops by dereferencing after the type check, as customary.
> 
> Fixes: 4c3f80d22b2e ("net: dsa: walk through all changeupper notifier functions")
> Reported-and-tested-by: syzbot+d81bcd883824180500c8@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/0000000000001d4255060e87545c@google.com/
> Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>

Reviewed-by: Florian Fainelli <florian.fainelli@...adcom.com>
-- 
Florian
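The ordering problem the commit message describes, as an added example that is not part of the original thread, the patch, or the kernel tree: a small userspace model of net_device and netdev_priv(), with a stand-in for KASAN that counts reads falling outside the private area a device was allocated with. The struct layouts, the ops-pointer type check, and the names priv_read_ok, emit_event and make_dummy are this example's own assumptions, not kernel definitions. The point it makes is the one in the message: a dummy device allocated with a priv size of 0 makes any netdev_priv() read out of bounds, so the handler that dereferences before dsa_user_dev_check() trips the check on every event, while the check-first version never touches the private area of a non-DSA netdevice.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define NETDEV_ALIGN 32
#define NOTIFY_DONE 0
#define NOTIFY_OK   1

/* Hypothetical userspace model of the kernel types; layouts are assumed. */
struct net_device_ops { const char *kind; };

struct net_device {
	char name[16];
	const struct net_device_ops *netdev_ops;
	size_t priv_size;   /* recorded so the model can emulate KASAN bounds checks */
};

struct dsa_port { int index; };

struct dsa_user_priv {
	void *pad[2];
	struct dsa_port *dp;   /* on LP64 this is the 8-byte read at offset 16 */
};

static const struct net_device_ops dsa_user_netdev_ops = { "dsa" };
static const struct net_device_ops dummy_netdev_ops    = { "dummy" };

/* Private data follows the device struct, rounded up to NETDEV_ALIGN. */
static size_t netdev_priv_off(void)
{
	return (sizeof(struct net_device) + NETDEV_ALIGN - 1) & ~((size_t)NETDEV_ALIGN - 1);
}

static struct net_device *alloc_netdev(size_t priv_size, const char *name,
				       const struct net_device_ops *ops)
{
	struct net_device *dev = calloc(1, netdev_priv_off() + priv_size);
	if (!dev)
		abort();
	snprintf(dev->name, sizeof(dev->name), "%s", name);
	dev->netdev_ops = ops;
	dev->priv_size = priv_size;
	return dev;
}

static void *netdev_priv(const struct net_device *dev)
{
	return (char *)dev + netdev_priv_off();
}

/* Stand-in for KASAN: count reads that fall outside the allocated private area. */
static int kasan_reports;
static int priv_read_ok(const struct net_device *dev, size_t off, size_t len)
{
	if (off + len > dev->priv_size) {
		kasan_reports++;
		return 0;
	}
	return 1;
}

static int dsa_user_dev_check(const struct net_device *dev)
{
	return dev->netdev_ops == &dsa_user_netdev_ops;
}

/* Reads p->dp only after the model confirms the read is inside priv. */
static struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
	struct dsa_user_priv *p = netdev_priv(dev);
	if (!priv_read_ok(dev, offsetof(struct dsa_user_priv, dp), sizeof(p->dp)))
		return NULL;
	return p->dp;
}

/* Shape of the bug: dereference on every event, type check afterwards. */
static int prechangeupper_deref_first(struct net_device *dev)
{
	struct dsa_port *dp = dsa_user_to_port(dev);
	if (!dsa_user_dev_check(dev))
		return NOTIFY_DONE;
	return dp ? NOTIFY_OK : NOTIFY_DONE;
}

/* Shape of the fix: type check first, dereference only for DSA user ports. */
static int prechangeupper_check_first(struct net_device *dev)
{
	struct dsa_port *dp;
	if (!dsa_user_dev_check(dev))
		return NOTIFY_DONE;
	dp = dsa_user_to_port(dev);
	return dp ? NOTIFY_OK : NOTIFY_DONE;
}

/* Deliver one event to a handler; returns how many OOB reads it caused. */
static int emit_event(struct net_device *dev, int (*handler)(struct net_device *))
{
	int before = kasan_reports;
	handler(dev);
	return kasan_reports - before;
}

/* Like "ip link add dummy1 type dummy": a device with a priv size of 0. */
static struct net_device *make_dummy(void)
{
	return alloc_netdev(0, "dummy1", &dummy_netdev_ops);
}

/* A DSA user port with a properly sized private area; runs the fixed handler. */
static int dsa_user_event_result(void)
{
	static struct dsa_port port = { 1 };
	struct net_device *dev = alloc_netdev(sizeof(struct dsa_user_priv), "sw0p1",
					     &dsa_user_netdev_ops);
	int rc;
	((struct dsa_user_priv *)netdev_priv(dev))->dp = &port;
	rc = prechangeupper_check_first(dev);
	free(dev);
	return rc;
}

int main(void)
{
	struct net_device *dummy = make_dummy();
	printf("dummy, deref-first : %d out-of-bounds read(s)\n",
	       emit_event(dummy, prechangeupper_deref_first));
	printf("dummy, check-first : %d out-of-bounds read(s)\n",
	       emit_event(dummy, prechangeupper_check_first));
	printf("dsa user port, check-first: %s\n",
	       dsa_user_event_result() == NOTIFY_OK ? "handled" : "ignored");
	free(dummy);
	return 0;
}
```

The model only counts the bad read instead of performing it, so it runs cleanly without a sanitizer; in the real kernel the same read on a zero-priv dummy is what KASAN flagged as a slab-out-of-bounds in the trace quoted above. The general rule it illustrates is the one the message calls customary: when a notifier sees every netdevice in the system, the type check has to come before any cast of netdev_priv(), because the cast is only meaningful for devices the driver itself allocated.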
