    tipc: check msg->req data len in tipc_nl_compat_bearer_disable · e853f8e8
    Xin Long authored
    BugLink: https://bugs.launchpad.net/bugs/1836668
    
    [ Upstream commit 4f07b80c ]
    
    This patch is to fix an uninit-value issue, reported by syzbot:
    
      BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x191/0x1f0 lib/dump_stack.c:113
        kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
        __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
        memchr+0xce/0x110 lib/string.c:981
        string_is_valid net/tipc/netlink_compat.c:176 [inline]
        tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
        tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
        tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
    
    TLV_GET_DATA_LEN() may return a negative int value, which will be
    used as size_t (becoming a big unsigned long) passed into memchr,
    causing this issue.
    
    Similar to what it does in tipc_nl_compat_bearer_enable(), this
    fix is to return -EINVAL when TLV_GET_DATA_LEN() is negative in
    tipc_nl_compat_bearer_disable(), as well as in
    tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
    
    v1->v2:
      - add the missing Fixes tags per Eric's request.
    
    Fixes: 0762216c ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
    Fixes: 8b66fee7 ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
    Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
    Signed-off-by: Xin Long <lucien.xin@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
    Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
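The int-to-size_t conversion the commit message describes, next to the `len <= 0` check the fix adds, as an added C example that is not the kernel's code: the TLV header layout, the helper names and the bearer-name limit are assumptions, and the sample TLVs in the test are constructed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the compat TLV header (assumed layout): 16-bit total
 * length covering header plus data, then 16-bit type, big-endian. */
struct tlv_desc { uint16_t tlv_len; uint16_t tlv_type; };
/* Header followed by a small payload, for constructed samples. */
struct tlv_sample { struct tlv_desc hdr; char data[8]; };

#define TLV_HDR_LEN ((int)sizeof(struct tlv_desc))
#define TIPC_MAX_BEARER_NAME 32   /* assumed limit */

/* Data length as a signed int, mirroring TLV_GET_DATA_LEN(): a tlv_len
 * smaller than the header (attacker-controlled input) goes negative. */
static int tlv_get_data_len(const struct tlv_desc *tlv)
{
    return (int)ntohs(tlv->tlv_len) - TLV_HDR_LEN;
}

/* Same shape as string_is_valid(): the int is converted to size_t on
 * the way into memchr, so -2 arrives as SIZE_MAX - 1 and the search
 * runs past the buffer. Never call this with an unchecked length. */
static bool string_is_valid(const char *s, size_t len)
{
    return memchr(s, '\0', len) != NULL;
}

/* The length memchr would receive without the fix. */
static size_t unchecked_len(const struct tlv_desc *tlv)
{
    return (size_t)tlv_get_data_len(tlv);
}

/* Validation with the fix applied: reject len <= 0 before touching the
 * payload, then clamp to the name limit and look for the terminator. */
static int check_bearer_name(const struct tlv_desc *tlv)
{
    int len = tlv_get_data_len(tlv);
    if (len <= 0)
        return -EINVAL;
    if (len > TIPC_MAX_BEARER_NAME)
        len = TIPC_MAX_BEARER_NAME;
    if (!string_is_valid((const char *)(tlv + 1), (size_t)len))
        return -EINVAL;
    return 0;
}
```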