| From: Eric Dumazet <edumazet@google.com> |
| Date: Thu, 5 Apr 2018 06:39:28 -0700 |
| Subject: ipv6: sit: better validate user provided tunnel names |
| |
| commit b95211e066fc3494b7c115060b2297b4ba21f025 upstream. |
| |
| Use dev_valid_name() to make sure user does not provide illegal |
| device name. |
| |
| syzbot caught the following bug : |
| |
| BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] |
| BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 |
| Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453 |
| |
| CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| Call Trace: |
| __dump_stack lib/dump_stack.c:17 [inline] |
| dump_stack+0x1b9/0x29f lib/dump_stack.c:53 |
| print_address_description+0x6c/0x20b mm/kasan/report.c:256 |
| kasan_report_error mm/kasan/report.c:354 [inline] |
| kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 |
| check_memory_region_inline mm/kasan/kasan.c:260 [inline] |
| check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 |
| memcpy+0x37/0x50 mm/kasan/kasan.c:303 |
| strlcpy include/linux/string.h:300 [inline] |
| ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 |
| ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221 |
| dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 |
| dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 |
| sock_ioctl+0x47e/0x680 net/socket.c:1015 |
| vfs_ioctl fs/ioctl.c:46 [inline] |
| file_ioctl fs/ioctl.c:500 [inline] |
| do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 |
| ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 |
| SYSC_ioctl fs/ioctl.c:708 [inline] |
| SyS_ioctl+0x24/0x30 fs/ioctl.c:706 |
| do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 |
| entry_SYSCALL_64_after_hwframe+0x42/0xb7 |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| [bwh: Backported to 3.16: adjust context] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/ipv6/sit.c | 8 +++++--- |
| 1 file changed, 5 insertions(+), 3 deletions(-) |
| |
| --- a/net/ipv6/sit.c |
| +++ b/net/ipv6/sit.c |
| @@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_lo |
| if (!create) |
| goto failed; |
| |
| - if (parms->name[0]) |
| + if (parms->name[0]) { |
| + if (!dev_valid_name(parms->name)) |
| + goto failed; |
| strlcpy(name, parms->name, IFNAMSIZ); |
| - else |
| + } else { |
| strcpy(name, "sit%d"); |
| - |
| + } |
| dev = alloc_netdev(sizeof(*t), name, ipip6_tunnel_setup); |
| if (dev == NULL) |
| return NULL; |