| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 24 May 2017 12:29:10 -0700
From: Greg Rose <gvrose8192@...il.com>
To: Alexander Potapenko <glider@...gle.com>
Cc: dvyukov@...gle.com, kcc@...gle.com, edumazet@...gle.com,
davem@...emloft.net, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org
Subject: Re: [PATCH] net: rtnetlink: bail out from rtnl_fdb_dump() on parse
error
On Tue, 2017-05-23 at 13:20 +0200, Alexander Potapenko wrote:
> rtnl_fdb_dump() failed to check the result of nlmsg_parse(), which led
> to contents of |ifm| being uninitialized because nlh->nlmsglen was too
> small to accommodate |ifm|. The uninitialized data may affect some
> branches and result in unwanted effects, although kernel data doesn't
> seem to leak to the userspace directly.
>
> The bug has been detected with KMSAN and syzkaller.
>
> Signed-off-by: Alexander Potapenko <glider@...gle.com>
> ---
> For the record, here is the KMSAN report:
>
> ==================================================================
> BUG: KMSAN: use of unitialized memory in rtnl_fdb_dump+0x5dc/0x1000
> CPU: 0 PID: 1039 Comm: probe Not tainted 4.11.0-rc5+ #2727
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:16
> dump_stack+0x143/0x1b0 lib/dump_stack.c:52
> kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
> __kmsan_warning_32+0x66/0xb0 mm/kmsan/kmsan_instr.c:491
> rtnl_fdb_dump+0x5dc/0x1000 net/core/rtnetlink.c:3230
> netlink_dump+0x84f/0x1190 net/netlink/af_netlink.c:2168
> __netlink_dump_start+0xc97/0xe50 net/netlink/af_netlink.c:2258
> netlink_dump_start ./include/linux/netlink.h:165
> rtnetlink_rcv_msg+0xae9/0xb40 net/core/rtnetlink.c:4094
> netlink_rcv_skb+0x339/0x5a0 net/netlink/af_netlink.c:2339
> rtnetlink_rcv+0x83/0xa0 net/core/rtnetlink.c:4110
> netlink_unicast_kernel net/netlink/af_netlink.c:1272
> netlink_unicast+0x13b7/0x1480 net/netlink/af_netlink.c:1298
> netlink_sendmsg+0x10b8/0x10f0 net/netlink/af_netlink.c:1844
> sock_sendmsg_nosec net/socket.c:633
> sock_sendmsg net/socket.c:643
> ___sys_sendmsg+0xd4b/0x10f0 net/socket.c:1997
> __sys_sendmsg net/socket.c:2031
> SYSC_sendmsg+0x2c6/0x3f0 net/socket.c:2042
> SyS_sendmsg+0x87/0xb0 net/socket.c:2038
> do_syscall_64+0x102/0x150 arch/x86/entry/common.c:285
> entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
> RIP: 0033:0x401300
> RSP: 002b:00007ffc3b0e6d58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000401300
> RDX: 0000000000000000 RSI: 00007ffc3b0e6d80 RDI: 0000000000000003
> RBP: 00007ffc3b0e6e00 R08: 000000000000000b R09: 0000000000000004
> R10: 000000000000000d R11: 0000000000000246 R12: 0000000000000000
> R13: 00000000004065a0 R14: 0000000000406630 R15: 0000000000000000
> origin: 000000008fe00056
> save_stack_trace+0x59/0x60 arch/x86/kernel/stacktrace.c:59
> kmsan_save_stack_with_flags mm/kmsan/kmsan.c:352
> kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:247
> kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:260
> slab_alloc_node mm/slub.c:2743
> __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4349
> __kmalloc_reserve net/core/skbuff.c:138
> __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
> alloc_skb ./include/linux/skbuff.h:933
> netlink_alloc_large_skb net/netlink/af_netlink.c:1144
> netlink_sendmsg+0x934/0x10f0 net/netlink/af_netlink.c:1819
> sock_sendmsg_nosec net/socket.c:633
> sock_sendmsg net/socket.c:643
> ___sys_sendmsg+0xd4b/0x10f0 net/socket.c:1997
> __sys_sendmsg net/socket.c:2031
> SYSC_sendmsg+0x2c6/0x3f0 net/socket.c:2042
> SyS_sendmsg+0x87/0xb0 net/socket.c:2038
> do_syscall_64+0x102/0x150 arch/x86/entry/common.c:285
> return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
> ==================================================================
>
> and the reproducer:
>
> ==================================================================
> #include <sys/socket.h>
> #include <net/if_arp.h>
> #include <linux/netlink.h>
> #include <stdint.h>
>
> int main()
> {
> int sock = socket(PF_NETLINK, SOCK_DGRAM | SOCK_NONBLOCK, 0);
> struct msghdr msg;
> memset(&msg, 0, sizeof(msg));
> char nlmsg_buf[32];
> memset(nlmsg_buf, 0, sizeof(nlmsg_buf));
> struct nlmsghdr *nlmsg = nlmsg_buf;
> nlmsg->nlmsg_len = 0x11;
> nlmsg->nlmsg_type = 0x1e; // RTM_NEWROUTE = RTM_BASE + 0x0e
> // type = 0x0e = 1110b
> // kind = 2
> nlmsg->nlmsg_flags = 0x101; // NLM_F_ROOT | NLM_F_REQUEST
> nlmsg->nlmsg_seq = 0;
> nlmsg->nlmsg_pid = 0;
> nlmsg_buf[16] = (char)7;
> struct iovec iov;
> iov.iov_base = nlmsg_buf;
> iov.iov_len = 17;
> msg.msg_iov = &iov;
> msg.msg_iovlen = 1;
> sendmsg(sock, &msg, 0);
> return 0;
> }
> ==================================================================
> ---
> net/core/rtnetlink.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index 49a279a7cc15..9e2c0a7cb325 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -3231,8 +3231,11 @@ static int rtnl_fdb_dump(struct sk_buff *skb, struct netlink_callback *cb)
> int err = 0;
> int fidx = 0;
>
> - if (nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb,
> - IFLA_MAX, ifla_policy, NULL) == 0) {
> + err = nlmsg_parse(cb->nlh, sizeof(struct ifinfomsg), tb,
> + IFLA_MAX, ifla_policy, NULL);
> + if (err < 0) {
> + return -EINVAL;
> + } else if (err == 0) {
> if (tb[IFLA_MASTER])
> br_idx = nla_get_u32(tb[IFLA_MASTER]);
> }
Fix looks right to me.
Reviewed-by: Greg Rose <gvrose8192@...il.com>
Powered by blists - more mailing lists