| From foo@baz Thu 28 May 2020 02:29:37 PM CEST |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Tue, 19 May 2020 18:24:43 -0700 |
| Subject: ax25: fix setsockopt(SO_BINDTODEVICE) |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| [ Upstream commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 ] |
| |
| syzbot was able to trigger this trace [1], probably by using |
| a zero optlen. |
| |
| While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ. |
| |
| [1] |
| BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569 |
| CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| Call Trace: |
| __dump_stack lib/dump_stack.c:77 [inline] |
| dump_stack+0x1c9/0x220 lib/dump_stack.c:118 |
| kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 |
| __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 |
| strnlen+0xf9/0x170 lib/string.c:569 |
| dev_name_hash net/core/dev.c:207 [inline] |
| netdev_name_node_lookup net/core/dev.c:277 [inline] |
| __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778 |
| ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654 |
| __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403 |
| __do_compat_sys_setsockopt net/compat.c:413 [inline] |
| __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410 |
| __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410 |
| do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] |
| do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398 |
| entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 |
| RIP: 0023:0xf7f57dd9 |
| Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 |
| RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e |
| RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101 |
| RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004 |
| RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000 |
| R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 |
| R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 |
| |
| Local variable ----devname@ax25_setsockopt created at: |
| ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 |
| ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ax25/af_ax25.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/ax25/af_ax25.c |
| +++ b/net/ax25/af_ax25.c |
| @@ -639,8 +639,10 @@ static int ax25_setsockopt(struct socket |
| break; |
| |
| case SO_BINDTODEVICE: |
| - if (optlen > IFNAMSIZ) |
| - optlen = IFNAMSIZ; |
| + if (optlen > IFNAMSIZ - 1) |
| + optlen = IFNAMSIZ - 1; |
| + |
| + memset(devname, 0, sizeof(devname)); |
| |
| if (copy_from_user(devname, optval, optlen)) { |
| res = -EFAULT; |
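Review bot: the clamp in the SO_BINDTODEVICE case is written against IFNAMSIZ - 1 while the new memset() is sized by sizeof(devname), so the NUL-termination guarantee holds only if devname is declared with at least IFNAMSIZ bytes, and that declaration is outside this hunk. Clamping to sizeof(devname) - 1 instead would tie the two together and keep the invariant local to these lines. A one-line comment above the memset() would also help, stating that it is what terminates the name handed to __dev_get_by_name() when userspace supplies a short or unterminated buffer, since nothing after copy_from_user() in the visible lines writes a terminator.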