linux-brain/net/rds
Avinash Repaka 53288d8218 RDS: Check cmsg_len before dereferencing CMSG_DATA
[ Upstream commit 14e138a86f ]

RDS currently doesn't check if the length of the control message is
large enough to hold the required data, before dereferencing the control
message data. This results in the following crash:

BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013 [inline]
BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157

CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 rds_rdma_bytes net/rds/send.c:1013 [inline]
 rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
 sock_sendmsg_nosec net/socket.c:628 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:638
 ___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
 __sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
 SYSC_sendmmsg net/socket.c:2139 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2134
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43fe49
RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000

To fix this, we verify that the cmsg_len is large enough to hold the
data to be read, before proceeding further.

Reported-by: syzbot <syzkaller-bugs@googlegroups.com>
Signed-off-by: Avinash Repaka <avinash.repaka@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-02 20:35:11 +01:00
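The check the commit message describes, as an added example that is not the RDS patch itself: a control-message walker that verifies cmsg_len covers CMSG_LEN(payload size) before CMSG_DATA is dereferenced, and skips (and counts) messages that are too short. struct example_rdma_args, EXAMPLE_LEVEL and EXAMPLE_TYPE are constructed stand-ins for the real <linux/rds.h> definitions, and the control buffer is constructed sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Constructed stand-in for the RDMA control-message payload; the real
 * RDS structures live in <linux/rds.h> and are not reproduced here. */
struct example_rdma_args {
    uint64_t cookie;
    uint64_t remote_vec_addr;
    uint64_t remote_vec_bytes;
    uint64_t local_vec_addr;
    uint64_t nr_local;
    uint64_t flags;
    uint64_t user_token;
};

#define EXAMPLE_LEVEL 999 /* hypothetical cmsg_level, not a real protocol number */
#define EXAMPLE_TYPE    1 /* hypothetical cmsg_type */

/* The check the commit adds: cmsg_len must cover the header plus the
 * payload we intend to read before CMSG_DATA is dereferenced. */
int cmsg_has_payload(const struct cmsghdr *cmsg, size_t payload_len)
{
    return cmsg->cmsg_len >= CMSG_LEN(payload_len);
}

/* Walk the control buffer of msg, summing remote_vec_bytes over every
 * well-formed message of our type and counting the short ones that an
 * unchecked parser would have read past (the KASAN report above). */
long parse_control(struct msghdr *msg, int *short_count)
{
    long total = 0;
    struct cmsghdr *cmsg;

    *short_count = 0;
    for (cmsg = CMSG_FIRSTHDR(msg); cmsg; cmsg = CMSG_NXTHDR(msg, cmsg)) {
        struct example_rdma_args args;

        if (cmsg->cmsg_level != EXAMPLE_LEVEL || cmsg->cmsg_type != EXAMPLE_TYPE)
            continue;
        if (!cmsg_has_payload(cmsg, sizeof(args))) {
            (*short_count)++;
            continue; /* unchecked code would read sizeof(args) bytes here */
        }
        memcpy(&args, CMSG_DATA(cmsg), sizeof(args)); /* no alignment assumptions */
        total += (long)args.remote_vec_bytes;
    }
    return total;
}

/* Append one control message carrying payload_len bytes; returns the new offset. */
static size_t put_cmsg(unsigned char *buf, size_t off, const void *payload, size_t payload_len)
{
    struct cmsghdr *cmsg = (struct cmsghdr *)(buf + off);

    cmsg->cmsg_level = EXAMPLE_LEVEL;
    cmsg->cmsg_type = EXAMPLE_TYPE;
    cmsg->cmsg_len = CMSG_LEN(payload_len);
    memcpy(CMSG_DATA(cmsg), payload, payload_len);
    return off + CMSG_SPACE(payload_len);
}

/* Constructed sample: two complete messages around one that declares only
 * an 8-byte payload. Returns the byte total; *short_count receives 1. */
long run_sample(int *short_count)
{
    union { struct cmsghdr align; unsigned char bytes[512]; } ctrl;
    struct example_rdma_args full;
    uint64_t truncated = 0x4141414141414141ULL; /* constructed 8-byte fragment */
    struct msghdr msg;
    size_t used = 0;

    memset(&ctrl, 0, sizeof(ctrl));
    memset(&full, 0, sizeof(full));
    full.remote_vec_bytes = 4096;
    used = put_cmsg(ctrl.bytes, used, &full, sizeof(full));
    used = put_cmsg(ctrl.bytes, used, &truncated, sizeof(truncated));
    full.remote_vec_bytes = 1024;
    used = put_cmsg(ctrl.bytes, used, &full, sizeof(full));

    memset(&msg, 0, sizeof(msg));
    msg.msg_control = ctrl.bytes;
    msg.msg_controllen = used;
    return parse_control(&msg, short_count); /* 5120, one short message skipped */
}

long sample_total(void)       { int n; return run_sample(&n); }
int  sample_short_count(void) { int n; run_sample(&n); return n; }
```

The comparison uses CMSG_LEN rather than the raw struct size because cmsg_len counts the header as well as the payload; comparing against sizeof(args) alone would accept a header-only message and reintroduce the over-read.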
af_rds.c RDS: Add support for SO_TIMESTAMP for incoming messages 2016-03-02 14:13:17 -05:00
bind.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
cong.c RDS: split out connection specific state from rds_connection to rds_conn_path 2016-06-14 23:50:41 -07:00
connection.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
ib_cm.c rds: ib: add error handle 2017-10-08 10:26:10 +02:00
ib_fmr.c RDS: IB: move FMR code to its own file 2016-03-02 14:13:18 -05:00
ib_frmr.c RDS: RDMA: fix the ib_map_mr_sg_zbva() argument 2017-11-30 08:39:10 +00:00
ib_mr.h RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
ib_rdma.c RDS: split out connection specific state from rds_connection to rds_conn_path 2016-06-14 23:50:41 -07:00
ib_recv.c RDS: TCP: make receive path use the rds_conn_path 2016-07-01 16:45:17 -04:00
ib_ring.c RDS/IW+IB: Set recv ring low water mark to 1/2 full. 2009-04-09 17:21:14 -07:00
ib_send.c RDS: RDMA: Fix the composite message user notification 2017-10-08 10:26:02 +02:00
ib_stats.c RDS: IB: add mr reused stats 2016-03-02 14:13:19 -05:00
ib_sysctl.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
ib.c IB/core: add support to create a unsafe global rkey to ib_create_pd 2016-09-23 13:47:44 -04:00
ib.h RDS: add __printf format attribute to error reporting functions 2016-08-08 16:16:21 -07:00
info.c rds: fix an integer overflow test in rds_info_getsockopt() 2015-08-03 15:20:16 -07:00
info.h RDS: Info and stats 2009-02-26 23:39:25 -08:00
Kconfig RDS: Drop stale iWARP RDMA transport 2016-03-02 14:13:17 -05:00
loop.c RDS: TCP: Hooks to set up a single connection path 2016-07-01 16:45:17 -04:00
loop.h RDS: loopback 2009-02-26 23:39:26 -08:00
Makefile rds: debug messages are enabled by default 2016-10-29 15:55:57 -04:00
message.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
page.c RDS: memory allocated must be align to 8 2016-04-07 16:58:27 -04:00
rdma_transport.c RDS: split out connection specific state from rds_connection to rds_conn_path 2016-06-14 23:50:41 -07:00
rdma_transport.h RDS: Drop stale iWARP RDMA transport 2016-03-02 14:13:17 -05:00
rdma.c rds: Fix NULL pointer dereference in __rds_rdma_map 2017-12-16 16:25:45 +01:00
rds_single_path.h RDS: split out connection specific state from rds_connection to rds_conn_path 2016-06-14 23:50:41 -07:00
rds.h RDS: make message size limit compliant with spec 2017-11-30 08:39:10 +00:00
recv.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
send.c RDS: Check cmsg_len before dereferencing CMSG_DATA 2018-01-02 20:35:11 +01:00
stats.c net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
sysctl.c net: rds: fix coding style issues 2016-06-18 21:34:09 -07:00
tcp_connect.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
tcp_listen.c rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races 2017-12-14 09:28:20 +01:00
tcp_recv.c RDS: TCP: make receive path use the rds_conn_path 2016-07-01 16:45:17 -04:00
tcp_send.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
tcp_stats.c net: rds: fix const array syntax 2011-07-01 16:16:19 -07:00
tcp.c rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races 2017-12-14 09:28:20 +01:00
tcp.h rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races 2017-12-14 09:28:20 +01:00
threads.c RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
transport.c net: rds: fix coding style issues 2016-06-18 21:34:09 -07:00