diff mbox series

phonet/pep: refuse to enable an unbound pipe

Message ID 20211219170339.630659-1-remi@remlab.net (mailing list archive)
State Accepted
Commit 75a2f31520095600f650597c0ac41f48b5ba0068
Delegated to: Netdev Maintainers
Headers show
Series phonet/pep: refuse to enable an unbound pipe | expand

Checks

Context Check Description
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers warning 1 maintainers not CCed: courmisch@gmail.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/tree_selection success Guessing tree name failed - patch did not apply

Commit Message

Rémi Denis-Courmont Dec. 19, 2021, 5:03 p.m. UTC 
From: Rémi Denis-Courmont <remi@remlab.net>

This ioctl() implicitly assumed that the socket was already bound to
a valid local socket name, i.e. Phonet object. If the socket was not
bound, two separate problems would occur:

1) We'd send an pipe enablement request with an invalid source object.
2) Later socket calls could BUG on the socket unexpectedly being
   connected yet not bound to a valid object.

Reported-by: syzbot+2dc91e7fc3dea88b1e8a@syzkaller.appspotmail.com
Signed-off-by: Rémi Denis-Courmont <remi@remlab.net>
---
 net/phonet/pep.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

patchwork-bot+netdevbpf@kernel.org Dec. 20, 2021, noon UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by David S. Miller <davem@davemloft.net>:

On Sun, 19 Dec 2021 19:03:39 +0200 you wrote:
> From: Rémi Denis-Courmont <remi@remlab.net>
> 
> This ioctl() implicitly assumed that the socket was already bound to
> a valid local socket name, i.e. Phonet object. If the socket was not
> bound, two separate problems would occur:
> 
> 1) We'd send an pipe enablement request with an invalid source object.
> 2) Later socket calls could BUG on the socket unexpectedly being
>    connected yet not bound to a valid object.
> 
> [...]

Here is the summary with links:
  - phonet/pep: refuse to enable an unbound pipe
    https://git.kernel.org/netdev/net/c/75a2f3152009

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index b4f90afb0638..65d463ad8770 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -947,6 +947,8 @@  static int pep_ioctl(struct sock *sk, int cmd, unsigned long arg)
 			ret =  -EBUSY;
 		else if (sk->sk_state == TCP_ESTABLISHED)
 			ret = -EISCONN;
+		else if (!pn->pn_sk.sobject)
+			ret = -EADDRNOTAVAIL;
 		else
 			ret = pep_sock_enable(sk, NULL, 0);
 		release_sock(sk);