[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZJP+F9cX8KP3M6Eh@nanopsycho>
Date: Thu, 22 Jun 2023 09:53:59 +0200
From: Jiri Pirko <jiri@...nulli.us>
To: Eric Dumazet <edumazet@...gle.com>
Cc: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
netdev@...r.kernel.org, eric.dumazet@...il.com,
syzbot <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] netlink: do not hard code device address lenth in
fdb dumps
Wed, Jun 21, 2023 at 07:47:20PM CEST, edumazet@...gle.com wrote:
>syzbot reports that some netdev devices do not have a six bytes
>address [1]
>
>Replace ETH_ALEN by dev->addr_len.
>
>[1] (Case of a device where dev->addr_len = 4)
>
>BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
>instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>copyout+0xb8/0x100 lib/iov_iter.c:169
>_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
>copy_to_iter include/linux/uio.h:206 [inline]
>simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
>__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
>skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
>skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
>sock_recvmsg_nosec net/socket.c:1019 [inline]
>sock_recvmsg net/socket.c:1040 [inline]
>____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was stored to memory at:
>__nla_put lib/nlattr.c:1009 [inline]
>nla_put+0x1c6/0x230 lib/nlattr.c:1067
>nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
>nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
>ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
>rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
>netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
>netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
>sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
>____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was created at:
>slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
>slab_alloc_node mm/slub.c:3451 [inline]
>__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
>kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
>kmalloc include/linux/slab.h:559 [inline]
>__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
>__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
>__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
>dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
>igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
>ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
>ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
>addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
>addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
>notifier_call_chain kernel/notifier.c:93 [inline]
>raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
>call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
>call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
>call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
>bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
>do_set_master net/core/rtnetlink.c:2626 [inline]
>rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
>__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
>rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
>rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
>netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
>rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
>netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
>netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
>netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
>sock_sendmsg_nosec net/socket.c:724 [inline]
>sock_sendmsg net/socket.c:747 [inline]
>____sys_sendmsg+0x999/0xd50 net/socket.c:2503
>___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
>__sys_sendmsg net/socket.c:2586 [inline]
>__do_sys_sendmsg net/socket.c:2595 [inline]
>__se_sys_sendmsg net/socket.c:2593 [inline]
>__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Bytes 2856-2857 of 3500 are uninitialized
>Memory access of size 3500 starts at ffff888018d99104
>Data copied to user address 0000000020000480
>
>Fixes: d83b06036048 ("net: add fdb generic dump routine")
>Reported-by: syzbot <syzkaller@...glegroups.com>
>Signed-off-by: Eric Dumazet <edumazet@...gle.com>
Reviewed-by: Jiri Pirko <jiri@...dia.com>
Powered by blists - more mailing lists