    netlabel: check for IPV4MASK in addrinfo_get · a9ce8f28
    Sean Tranchetti authored
    BugLink: https://bugs.launchpad.net/bugs/1801900
    
    [ Upstream commit f88b4c01 ]
    
    netlbl_unlabel_addrinfo_get() assumes that if it finds the
    NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
    NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
    not necessarily the case as the current checks in
    netlbl_unlabel_staticadd() and friends are not sufficient to
    enforce this.
    
    If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
    NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
    these functions will all call netlbl_unlabel_addrinfo_get() which
    will then attempt to dereference NULL when fetching the non-existent
    NLBL_UNLABEL_A_IPV4MASK attribute:
    
    Unable to handle kernel NULL pointer dereference at virtual address 0
    Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
    Call trace:
    	netlbl_unlabel_addrinfo_get+0x44/0xd8
    	netlbl_unlabel_staticremovedef+0x98/0xe0
    	genl_rcv_msg+0x354/0x388
    	netlink_rcv_skb+0xac/0x118
    	genl_rcv+0x34/0x48
    	netlink_unicast+0x158/0x1f0
    	netlink_sendmsg+0x32c/0x338
    	sock_sendmsg+0x44/0x60
    	___sys_sendmsg+0x1d0/0x2a8
    	__sys_sendmsg+0x64/0xb4
    	SyS_sendmsg+0x34/0x4c
    	el0_svc_naked+0x34/0x38
    Code: 51001149 7100113f 540000a0 f9401508 (79400108)
    ---[ end trace f6438a488e737143 ]---
    Kernel panic - not syncing: Fatal exception
    Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Juerg Haefliger <juergh@canonical.com>
    Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
netlabel_unlabeled.c 41.8 KB