Date: Tue, 9 Jan 2024 18:56:04 -0800
From: Florian Fainelli <f.fainelli@...il.com>
To: Vladimir Oltean <vladimir.oltean@....com>, netdev@...r.kernel.org
Cc: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, Andrew Lunn <andrew@...n.ch>,
Dan Carpenter <dan.carpenter@...cle.com>,
syzbot+d81bcd883824180500c8@...kaller.appspotmail.com
Subject: Re: [PATCH net] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
On 1/9/2024 4:33 PM, Vladimir Oltean wrote:
> After the blamed commit, we started doing this dereference for every
> NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.
>
> static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
> {
> 	struct dsa_user_priv *p = netdev_priv(dev);
>
> 	return p->dp;
> }
>
> Which is obviously bogus, because not all net_devices have a netdev_priv()
> of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
> and p->dp means dereferencing 8 bytes starting with offset 16. Most
> drivers allocate that much private memory anyway, making our access not
> fault, and we discard the bogus data quickly afterwards, so this wasn't
> caught.
>
> But the dummy interface is somewhat special in that it calls
> alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
> is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
> with a VLAN as its new upper:
>
> $ ip link add dummy1 type dummy
> $ ip link add link dummy1 name dummy1.100 type vlan id 100
> [ 43.309174] ==================================================================
> [ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
> [ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
> [ 43.330058]
> [ 43.342436] Call trace:
> [ 43.366542] dsa_user_prechangeupper+0x30/0xe8
> [ 43.371024] dsa_user_netdevice_event+0xb38/0xee8
> [ 43.375768] notifier_call_chain+0xa4/0x210
> [ 43.379985] raw_notifier_call_chain+0x24/0x38
> [ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8
> [ 43.389120] netdev_upper_dev_link+0x70/0xa8
> [ 43.393424] register_vlan_dev+0x1bc/0x310
> [ 43.397554] vlan_newlink+0x210/0x248
> [ 43.401247] rtnl_newlink+0x9fc/0xe30
> [ 43.404942] rtnetlink_rcv_msg+0x378/0x580
>
> Avoid the kernel oops by dereferencing after the type check, as customary.
>
> Fixes: 4c3f80d22b2e ("net: dsa: walk through all changeupper notifier functions")
> Reported-and-tested-by: syzbot+d81bcd883824180500c8@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/0000000000001d4255060e87545c@google.com/
> Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>
Reviewed-by: Florian Fainelli <florian.fainelli@...adcom.com>
--
Florian
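The ordering bug the commit message describes, modelled in user space as an added example (this is not the patch and not kernel code). The struct layouts are simplified stand-ins (assumption: two pointer-sized members ahead of dp, matching the "8 bytes at offset 16" in the message), the `oob_reads` counter stands in for what KASAN reported, and the handler names `prechangeupper_before_fix` / `prechangeupper_after_fix` and the two probe functions are hypothetical. The point it shows: with the check after the dereference, a dummy netdev allocated with a private size of 0 produces a read past its allocation, while the fixed ordering never touches netdev_priv() for a non-DSA device and still resolves the port for a DSA user netdev.

```c
#include <stddef.h>
#include <stdlib.h>

#define NOTIFY_DONE 0
#define NOTIFY_OK 1

struct netdev_ops { int id; };
struct dsa_port { int index; };

/* Stand-in for struct net_device (not the kernel's layout): the driver private
 * area trails the header and its length is kept so reads can be bounds-checked. */
struct net_device {
	const struct netdev_ops *netdev_ops;
	size_t priv_size;
	unsigned char priv[];
};

/* Stand-in for struct dsa_user_priv: two pointer-sized members precede dp,
 * putting it at offset 16 as the commit message says. */
struct dsa_user_priv {
	void *xmit;
	void *gcells;
	struct dsa_port *dp;
};

static const struct netdev_ops dsa_user_netdev_ops = { 1 };
static const struct netdev_ops dummy_netdev_ops = { 2 };
static int oob_reads; /* reads that leave the allocation; stands in for KASAN */

/* Like alloc_netdev(): the private area is exactly priv_size bytes, 0 for dummy. */
static struct net_device *alloc_netdev(size_t priv_size, const struct netdev_ops *ops)
{
	struct net_device *dev = calloc(1, sizeof(*dev) + priv_size);
	if (!dev) abort();
	dev->netdev_ops = ops;
	dev->priv_size = priv_size;
	return dev;
}

static void *netdev_priv(struct net_device *dev) { return dev->priv; }
static int dsa_user_dev_check(const struct net_device *dev) { return dev->netdev_ops == &dsa_user_netdev_ops; }

/* Models dsa_user_to_port(). The real helper just reads p->dp; here the read is
 * checked against the private size, so on a dummy netdev (size 0) it is counted
 * instead of faulting or returning garbage. */
static struct dsa_port *dsa_user_to_port(struct net_device *dev)
{
	struct dsa_user_priv *p = netdev_priv(dev);
	if (offsetof(struct dsa_user_priv, dp) + sizeof(p->dp) > dev->priv_size) {
		oob_reads++;
		return NULL;
	}
	return p->dp;
}

typedef int (*upper_handler)(struct net_device *, struct dsa_port **);

/* Ordering after the blamed commit: dereference on every event, check afterwards. */
static int prechangeupper_before_fix(struct net_device *dev, struct dsa_port **out)
{
	struct dsa_port *dp = dsa_user_to_port(dev);
	if (!dsa_user_dev_check(dev))
		return NOTIFY_DONE;
	*out = dp;
	return NOTIFY_OK;
}

/* Ordering after the fix: the type check gates the dereference. */
static int prechangeupper_after_fix(struct net_device *dev, struct dsa_port **out)
{
	if (!dsa_user_dev_check(dev))
		return NOTIFY_DONE;
	*out = dsa_user_to_port(dev);
	return NOTIFY_OK;
}

/* Fire the event at a dummy netdev allocated with priv size 0, as in the report,
 * and return how many out-of-bounds reads the handler caused. */
static int oob_reads_on_dummy(upper_handler handler)
{
	struct net_device *dummy = alloc_netdev(0, &dummy_netdev_ops);
	struct dsa_port *dp = NULL;
	oob_reads = 0;
	handler(dummy, &dp);
	free(dummy);
	return oob_reads;
}

/* The DSA path must still resolve its port: returns the index the handler finds. */
static int port_index_on_dsa_user(upper_handler handler)
{
	struct dsa_port port = { .index = 3 };
	struct net_device *dev = alloc_netdev(sizeof(struct dsa_user_priv), &dsa_user_netdev_ops);
	struct dsa_port *dp = NULL;
	((struct dsa_user_priv *)netdev_priv(dev))->dp = &port;
	handler(dev, &dp);
	free(dev);
	return dp ? dp->index : -1;
}
```

In the real kernel the unchecked read in `prechangeupper_before_fix` does not fault on most drivers because their private area is larger than 24 bytes, which is why only the dummy driver's zero-size allocation made KASAN complain; the model counts the read instead of performing it so it can run safely.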