• Vegard Nossum's avatar
    net/irda: handle iriap_register_lsap() allocation failure · c0a60625
    Vegard Nossum authored
    [ Upstream commit 5ba092ef ]
    
    If iriap_register_lsap() fails to allocate memory, self->lsap is
    set to NULL. However, none of the callers handle the failure and
    irlmp_connect_request() will happily dereference it:
    
        iriap_register_lsap: Unable to allocated LSAP!
        ================================================================================
        UBSAN: Undefined behaviour in net/irda/irlmp.c:378:2
        member access within null pointer of type 'struct lsap_cb'
        CPU: 1 PID: 15403 Comm: trinity-c0 Not tainted 4.8.0-rc1+ #81
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org
        04/01/2014
         0000000000000000 ffff88010c7e78a8 ffffffff82344f40 0000000041b58ab3
         ffffffff84f98000 ffffffff82344e94 ffff88010c7e78d0 ffff88010c7e7880
         ffff88010630ad00 ffffffff84a5fae0 ffffffff84d3f5c0 000000000000017a
        Call Trace:
         [<ffffffff82344f40>] dump_stack+0xac/0xfc
         [<ffffffff8242f5a8>] ubsan_epilogue+0xd/0x8a
         [<ffffffff824302bf>] __ubsan_handle_type_mismatch+0x157/0x411
         [<ffffffff83b7bdbc>] irlmp_connect_request+0x7ac/0x970
         [<ffffffff83b77cc0>] iriap_connect_request+0xa0/0x160
         [<ffffffff83b77f48>] state_s_disconnect+0x88/0xd0
         [<ffffffff83b78904>] iriap_do_client_event+0x94/0x120
         [<ffffffff83b77710>] iriap_getvaluebyclass_request+0x3e0/0x6d0
         [<ffffffff83ba6ebb>] irda_find_lsap_sel+0x1eb/0x630
         [<ffffffff83ba90c8>] irda_connect+0x828/0x12d0
         [<ffffffff833c0dfb>] SYSC_connect+0x22b/0x340
         [<ffffffff833c7e09>] SyS_connect+0x9/0x10
         [<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
         [<ffffffff845f946a>] entry_SYSCALL64_slow_path+0x25/0x25
        ================================================================================
    
    The bug seems to have been around since forever.
    
    There's more problems with missing error checks in iriap_init() (and
    indeed all of irda_init()), but that's a bigger problem that needs
    very careful review and testing. This patch will fix the most serious
    bug (as it's easily reached from unprivileged userspace).
    
    I have tested my patch with a reproducer.
    Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    c0a60625
iriap.c 26.5 KB