| From foo@baz Fri Nov 2 09:44:43 CET 2018 |
| From: Ido Schimmel <idosch@mellanox.com> |
| Date: Mon, 29 Oct 2018 20:36:43 +0000 |
| Subject: rtnetlink: Disallow FDB configuration for non-Ethernet device |
| |
| From: Ido Schimmel <idosch@mellanox.com> |
| |
| [ Upstream commit da71577545a52be3e0e9225a946e5fd79cfab015 ] |
| |
| When an FDB entry is configured, the address is validated to have the |
| length of an Ethernet address, but the device for which the address is |
| configured can be of any type. |
| |
| The above can result in the use of uninitialized memory when the address |
| is later compared against existing addresses since 'dev->addr_len' is |
| used and it may be greater than ETH_ALEN, as with ip6tnl devices. |
| |
| Fix this by making sure that FDB entries are only configured for |
| Ethernet devices. |
| |
| BUG: KMSAN: uninit-value in memcmp+0x11d/0x180 lib/string.c:863 |
| CPU: 1 PID: 4318 Comm: syz-executor998 Not tainted 4.19.0-rc3+ #49 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS |
| Google 01/01/2011 |
| Call Trace: |
| __dump_stack lib/dump_stack.c:77 [inline] |
| dump_stack+0x14b/0x190 lib/dump_stack.c:113 |
| kmsan_report+0x183/0x2b0 mm/kmsan/kmsan.c:956 |
| __msan_warning+0x70/0xc0 mm/kmsan/kmsan_instr.c:645 |
| memcmp+0x11d/0x180 lib/string.c:863 |
| dev_uc_add_excl+0x165/0x7b0 net/core/dev_addr_lists.c:464 |
| ndo_dflt_fdb_add net/core/rtnetlink.c:3463 [inline] |
| rtnl_fdb_add+0x1081/0x1270 net/core/rtnetlink.c:3558 |
| rtnetlink_rcv_msg+0xa0b/0x1530 net/core/rtnetlink.c:4715 |
| netlink_rcv_skb+0x36e/0x5f0 net/netlink/af_netlink.c:2454 |
| rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4733 |
| netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] |
| netlink_unicast+0x1638/0x1720 net/netlink/af_netlink.c:1343 |
| netlink_sendmsg+0x1205/0x1290 net/netlink/af_netlink.c:1908 |
| sock_sendmsg_nosec net/socket.c:621 [inline] |
| sock_sendmsg net/socket.c:631 [inline] |
| ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 |
| __sys_sendmsg net/socket.c:2152 [inline] |
| __do_sys_sendmsg net/socket.c:2161 [inline] |
| __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 |
| __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 |
| do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 |
| entry_SYSCALL_64_after_hwframe+0x63/0xe7 |
| RIP: 0033:0x440ee9 |
| Code: e8 cc ab 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 |
| 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff |
| ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 |
| RSP: 002b:00007fff6a93b518 EFLAGS: 00000213 ORIG_RAX: 000000000000002e |
| RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440ee9 |
| RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000003 |
| RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 |
| R10: 00000000004002c8 R11: 0000000000000213 R12: 000000000000b4b0 |
| R13: 0000000000401ec0 R14: 0000000000000000 R15: 0000000000000000 |
| |
| Uninit was created at: |
| kmsan_save_stack_with_flags mm/kmsan/kmsan.c:256 [inline] |
| kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:181 |
| kmsan_kmalloc+0x98/0x100 mm/kmsan/kmsan_hooks.c:91 |
| kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:100 |
| slab_post_alloc_hook mm/slab.h:446 [inline] |
| slab_alloc_node mm/slub.c:2718 [inline] |
| __kmalloc_node_track_caller+0x9e7/0x1160 mm/slub.c:4351 |
| __kmalloc_reserve net/core/skbuff.c:138 [inline] |
| __alloc_skb+0x2f5/0x9e0 net/core/skbuff.c:206 |
| alloc_skb include/linux/skbuff.h:996 [inline] |
| netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] |
| netlink_sendmsg+0xb49/0x1290 net/netlink/af_netlink.c:1883 |
| sock_sendmsg_nosec net/socket.c:621 [inline] |
| sock_sendmsg net/socket.c:631 [inline] |
| ___sys_sendmsg+0xe70/0x1290 net/socket.c:2114 |
| __sys_sendmsg net/socket.c:2152 [inline] |
| __do_sys_sendmsg net/socket.c:2161 [inline] |
| __se_sys_sendmsg+0x2a3/0x3d0 net/socket.c:2159 |
| __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2159 |
| do_syscall_64+0xb8/0x100 arch/x86/entry/common.c:291 |
| entry_SYSCALL_64_after_hwframe+0x63/0xe7 |
| |
| v2: |
| * Make error message more specific (David) |
| |
| Fixes: 090096bf3db1 ("net: generic fdb support for drivers without ndo_fdb_<op>") |
| Signed-off-by: Ido Schimmel <idosch@mellanox.com> |
| Reported-and-tested-by: syzbot+3a288d5f5530b901310e@syzkaller.appspotmail.com |
| Reported-and-tested-by: syzbot+d53ab4e92a1db04110ff@syzkaller.appspotmail.com |
| Cc: Vlad Yasevich <vyasevich@gmail.com> |
| Cc: David Ahern <dsahern@gmail.com> |
| Reviewed-by: David Ahern <dsahern@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/core/rtnetlink.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| --- a/net/core/rtnetlink.c |
| +++ b/net/core/rtnetlink.c |
| @@ -2987,6 +2987,11 @@ static int rtnl_fdb_add(struct sk_buff * |
| return -EINVAL; |
| } |
| |
| + if (dev->type != ARPHRD_ETHER) { |
| + pr_info("PF_BRIDGE: FDB add only supported for Ethernet devices"); |
| + return -EINVAL; |
| + } |
| + |
| addr = nla_data(tb[NDA_LLADDR]); |
| |
| err = fdb_vid_parse(tb[NDA_VLAN], &vid); |
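Review bot: The pr_info() string in the check added before `addr = nla_data(tb[NDA_LLADDR]);` has no trailing "\n", so the message may be held back or run together with the next printk; terminate it with a newline. The message is also printed on every rejected request, and the call trace in the commit message shows this function is reached from sendmsg() on a netlink socket, so a rate-limited variant such as pr_info_ratelimited() would keep a caller from flooding the kernel log. A short comment tying the `dev->type != ARPHRD_ETHER` test to the later use of 'dev->addr_len' would help, since the check itself says nothing about address length.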
| @@ -3090,6 +3095,11 @@ static int rtnl_fdb_del(struct sk_buff * |
| return -EINVAL; |
| } |
| |
| + if (dev->type != ARPHRD_ETHER) { |
| + pr_info("PF_BRIDGE: FDB delete only supported for Ethernet devices"); |
| + return -EINVAL; |
| + } |
| + |
| addr = nla_data(tb[NDA_LLADDR]); |
| |
| err = fdb_vid_parse(tb[NDA_VLAN], &vid); |
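Review bot: The check added to rtnl_fdb_del duplicates the one in rtnl_fdb_add except for the word "delete", while the commit message and KMSAN trace only document the add path (rtnl_fdb_add, dev_uc_add_excl, memcmp). State in the commit message why the delete path needs the same restriction, and consider moving the test into one shared helper so the two call sites cannot drift apart. The pr_info() string here is also missing its trailing "\n".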