linux

mirror of https://github.com/torvalds/linux.git synced 2024-11-17 17:41:44 +00:00

History

Eric Dumazet 55cd9f67f1 net_sched: ematch: reject invalid TCF_EM_SIMPLE It is possible for malicious userspace to set TCF_EM_SIMPLE bit even for matches that should not have this bit set. This can fool two places using tcf_em_is_simple() 1) tcf_em_tree_destroy() -> memory leak of em->data if ops->destroy() is NULL 2) tcf_em_tree_dump() wrongly report/leak 4 low-order bytes of a kernel pointer. BUG: memory leak unreferenced object 0xffff888121850a40 (size 32): comm "syz-executor927", pid 7193, jiffies 4294941655 (age 19.840s) hex dump (first 32 bytes): 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000f67036ea>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<00000000f67036ea>] slab_post_alloc_hook mm/slab.h:586 [inline] [<00000000f67036ea>] slab_alloc mm/slab.c:3320 [inline] [<00000000f67036ea>] __do_kmalloc mm/slab.c:3654 [inline] [<00000000f67036ea>] __kmalloc_track_caller+0x165/0x300 mm/slab.c:3671 [<00000000fab0cc8e>] kmemdup+0x27/0x60 mm/util.c:127 [<00000000d9992e0a>] kmemdup include/linux/string.h:453 [inline] [<00000000d9992e0a>] em_nbyte_change+0x5b/0x90 net/sched/em_nbyte.c:32 [<000000007e04f711>] tcf_em_validate net/sched/ematch.c:241 [inline] [<000000007e04f711>] tcf_em_tree_validate net/sched/ematch.c:359 [inline] [<000000007e04f711>] tcf_em_tree_validate+0x332/0x46f net/sched/ematch.c:300 [<000000007a769204>] basic_set_parms net/sched/cls_basic.c:157 [inline] [<000000007a769204>] basic_change+0x1d7/0x5f0 net/sched/cls_basic.c:219 [<00000000e57a5997>] tc_new_tfilter+0x566/0xf70 net/sched/cls_api.c:2104 [<0000000074b68559>] rtnetlink_rcv_msg+0x3b2/0x4b0 net/core/rtnetlink.c:5415 [<00000000b7fe53fb>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477 [<00000000e83a40d0>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442 [<00000000d62ba933>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] [<00000000d62ba933>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328 [<0000000088070f72>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917 [<00000000f70b15ea>] sock_sendmsg_nosec net/socket.c:639 [inline] [<00000000f70b15ea>] sock_sendmsg+0x54/0x70 net/socket.c:659 [<00000000ef95a9be>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330 [<00000000b650f1ab>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384 [<0000000055bfa74a>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417 [<000000002abac183>] __do_sys_sendmsg net/socket.c:2426 [inline] [<000000002abac183>] __se_sys_sendmsg net/socket.c:2424 [inline] [<000000002abac183>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424 Fixes: `1da177e4c3` ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot+03c4738ed29d5d366ddf@syzkaller.appspotmail.com Cc: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2020-01-27 10:55:26 +01:00
..
6lowpan
9p
802	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
8021q	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-09 12:13:43 -08:00
appletalk
atm	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
ax25	net: Make sock protocol value checks more specific	2020-01-09 18:41:40 -08:00
batman-adv	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
bluetooth	netdev: pass the stuck queue to the timeout handler	2019-12-12 21:38:57 -08:00
bpf	bpf: Allow to change skb mark in test_run	2019-12-18 17:05:58 -08:00
bpfilter
bridge	net: bridge: vlan: add per-vlan state	2020-01-24 12:58:14 +01:00
caif	caif_usb: fix spelling mistake "to" -> "too"	2020-01-24 08:12:06 +01:00
can	can: j1939: j1939_sk_bind(): take priv after lock is held	2019-12-08 11:52:02 +01:00
ceph	libceph, rbd, ceph: convert to use the new mount API	2019-11-27 22:28:37 +01:00
core	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
dcb
dccp	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
decnet	net: Make sock protocol value checks more specific	2020-01-09 18:41:40 -08:00
dns_resolver
dsa	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
ethernet	net: add annotations on hh->hh_len lockless accesses	2019-11-07 20:07:30 -08:00
ethtool	ethtool: potential NULL dereference in strset_prepare_data()	2020-01-08 16:03:35 -08:00
hsr	net/hsr: remove seq_nr_after_or_eq	2020-01-21 12:03:21 +01:00
ieee802154	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2019-11-02 13:54:56 -07:00
ife
ipv4	net: include struct nhmsg size in nh nlmsg size	2020-01-27 10:54:08 +01:00
ipv6	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
iucv	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
kcm
key
l2tp	l2tp: Remove redundant BUG_ON() check in l2tp_pernet	2020-01-03 12:26:07 -08:00
l3mdev
lapb
llc	llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)	2019-12-20 21:19:36 -08:00
mac80211	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
mac802154
mpls	net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup	2019-12-04 12:27:13 -08:00
mptcp	mptcp: Fix code formatting	2020-01-25 08:14:39 +01:00
ncsi	net/ncsi: Support for multi host mellanox card	2020-01-09 18:36:22 -08:00
netfilter	nf_tables: Add set type for arbitrary concatenation of ranges	2020-01-27 08:54:30 +01:00
netlabel
netlink	treewide: Use sizeof_field() macro	2019-12-09 10:36:44 -08:00
netrom
nfc	net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()	2019-12-18 11:57:33 -08:00
nsh
openvswitch	net: openvswitch: use skb_list_walk_safe helper for gso segments	2020-01-14 11:48:41 -08:00
packet	af_packet: refactoring code for prb_calc_retire_blk_tmo	2019-12-26 15:19:59 -08:00
phonet	net: Remove redundant BUG_ON() check in phonet_pernet	2020-01-03 12:25:50 -08:00
psample	net: psample: fix skb_over_panic	2019-11-26 14:40:13 -08:00
qrtr	net: qrtr: Remove receive worker	2020-01-14 18:36:42 -08:00
rds	net/rds: Use prefetch for On-Demand-Paging MR	2020-01-18 11:48:19 +02:00
rfkill	rfkill: Fix incorrect check to avoid NULL pointer dereference	2019-12-16 10:15:49 +01:00
rose	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
rxrpc	RxRPC fixes	2019-12-24 16:12:47 -08:00
sched	net_sched: ematch: reject invalid TCF_EM_SIMPLE	2020-01-27 10:55:26 +01:00
sctp	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-09 12:13:43 -08:00
smc	net/smc: allow unprivileged users to read pnet table	2020-01-21 11:39:56 +01:00
strparser
sunrpc	xprtrdma: Fix oops in Receive handler after device removal	2020-01-14 13:30:24 -05:00
switchdev
tipc	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-09 12:13:43 -08:00
tls	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
unix	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next	2020-01-21 12:18:20 +01:00
vmw_vsock	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
wimax
wireless	Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net	2020-01-19 22:10:04 +01:00
x25	net/x25: fix nonblocking connect	2020-01-09 18:39:33 -08:00
xdp	xsk, net: Make sock_def_readable() have external linkage	2020-01-22 00:08:52 +01:00
xfrm	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2020-01-26 10:40:21 +01:00
compat.c	y2038: socket: use __kernel_old_timespec instead of timespec	2019-11-15 14:38:29 +01:00
Kconfig	mptcp: Add MPTCP socket stubs	2020-01-24 13:44:07 +01:00
Makefile	mptcp: Add MPTCP socket stubs	2020-01-24 13:44:07 +01:00
socket.c	socket: fix unused-function warning	2020-01-08 15:02:21 -08:00
sysctl_net.c