From patchwork Wed Mar 22 02:22:28 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 741837
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1490149348.16816.135.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] ipv4: provide stronger user input validation in nl_fib_input()
From: Eric Dumazet
To: David Miller
Cc: netdev, Alexander Potapenko
Date: Tue, 21 Mar 2017 19:22:28 -0700
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

Alexander reported a KMSAN splat caused by reads of an uninitialized field (tb_id_in) from a user-provided struct fib_result_nl.

It turns out the nl_fib_input() sanity tests on user input are a bit wrong: a user can pretend nlh->nlmsg_len is big enough, but provide at sendmsg() time a too-small buffer.

Reported-by: Alexander Potapenko
Signed-off-by: Eric Dumazet
---
 net/ipv4/fib_frontend.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 42bfd08109dd78ab509493e8d2205d72845bb3eb..8f2133ffc2ff1b94871408a5f934cb938d3462b5 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1083,7 +1083,8 @@ static void nl_fib_input(struct sk_buff *skb) net = sock_net(skb->sk); nlh = nlmsg_hdr(skb); - if (skb->len < NLMSG_HDRLEN || skb->len < nlh->nlmsg_len || + if (skb->len < nlmsg_total_size(sizeof(*frn)) || + skb->len < nlh->nlmsg_len || nlmsg_len(nlh) < sizeof(*frn)) return;
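Review bot: The new first test is the one that actually matters, and the hunk would benefit from a one-line comment saying so: `skb->len < nlmsg_total_size(sizeof(*frn))` bounds on the bytes the kernel really copied in at sendmsg() time, whereas the old `skb->len < NLMSG_HDRLEN` only guaranteed the netlink header was present before frn was read straight out of nlmsg_data(nlh). Without that comment a later reader may "simplify" the condition back to NLMSG_HDRLEN, since the remaining two tests look as if they already cover the payload; they do not, because `nlmsg_len(nlh) < sizeof(*frn)` compares an int (nlmsg_len() returns int) against a size_t, so a claimed nlmsg_len smaller than NLMSG_HDRLEN wraps to a large unsigned value and passes that test, and only the new skb->len floor makes it harmless. Separately, the commit message carries Reported-by and Signed-off-by but no Fixes: tag; since this is a net (not net-next) fix for a user-triggerable uninitialized read, a Fixes: line pointing at the commit that introduced the NLMSG_HDRLEN check would help stable backports.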