
[net] netlink: do not hard code device address length in fdb dumps

Message ID 20230621174720.1845040-1-edumazet@google.com (mailing list archive)
State Accepted
Commit aa5406950726e336c5c9585b09799a734b6e77bf
Delegated to: Netdev Maintainers

Checks

Context                          | Check   | Description
netdev/series_format             | success | Single patches do not need cover letters
netdev/tree_selection            | success | Clearly marked for net
netdev/fixes_present             | success | Fixes tag present in non-next series
netdev/header_inline             | success | No static functions without inline keyword in header files
netdev/build_32bit               | success | Errors and warnings before: 10 this patch: 10
netdev/cc_maintainers            | fail    | 1 blamed authors not CCed: john.r.fastabend@intel.com; 5 maintainers not CCed: razor@blackwall.org john.r.fastabend@intel.com idosch@nvidia.com liuhangbin@gmail.com lucien.xin@gmail.com
netdev/build_clang               | success | Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff          | success | Signed-off-by tag matches author and committer
netdev/deprecated_api            | success | None detected
netdev/check_selftest            | success | No net selftest shell script
netdev/verify_fixes              | success | Fixes tag looks correct
netdev/build_allmodconfig_warn   | success | Errors and warnings before: 10 this patch: 10
netdev/checkpatch                | warning | WARNING: 'lenth' may be misspelled - perhaps 'length'?
netdev/kdoc                      | success | Errors and warnings before: 0 this patch: 0
netdev/source_inline             | warning | Was 1 now: 1

Commit Message

Eric Dumazet June 21, 2023, 5:47 p.m. UTC
syzbot reports that some netdev devices do not have a six-byte
address [1]

Replace ETH_ALEN by dev->addr_len.

[1] (Case of a device where dev->addr_len = 4)

BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copyout+0xb8/0x100 lib/iov_iter.c:169
_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
copy_to_iter include/linux/uio.h:206 [inline]
simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
sock_recvmsg_nosec net/socket.c:1019 [inline]
sock_recvmsg net/socket.c:1040 [inline]
____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was stored to memory at:
__nla_put lib/nlattr.c:1009 [inline]
nla_put+0x1c6/0x230 lib/nlattr.c:1067
nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
___sys_recvmsg+0x223/0x840 net/socket.c:2764
do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
__sys_recvmmsg net/socket.c:2937 [inline]
__do_sys_recvmmsg net/socket.c:2960 [inline]
__se_sys_recvmmsg net/socket.c:2953 [inline]
__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
slab_alloc_node mm/slub.c:3451 [inline]
__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
kmalloc include/linux/slab.h:559 [inline]
__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
notifier_call_chain kernel/notifier.c:93 [inline]
raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
do_set_master net/core/rtnetlink.c:2626 [inline]
rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0x999/0xd50 net/socket.c:2503
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
__sys_sendmsg net/socket.c:2586 [inline]
__do_sys_sendmsg net/socket.c:2595 [inline]
__se_sys_sendmsg net/socket.c:2593 [inline]
__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Bytes 2856-2857 of 3500 are uninitialized
Memory access of size 3500 starts at ffff888018d99104
Data copied to user address 0000000020000480

Fixes: d83b06036048 ("net: add fdb generic dump routine")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
---
 net/core/rtnetlink.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
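The over-read the commit message describes, and the reason the size estimate has to change together with the nla_put() length, modelled in user space as an added example (this is not the kernel's code and not part of the patch). The nlattr and ndmsg layouts, the alignment macros and the NDA_* numbers mirror the Linux UAPI headers so the file builds without a kernel tree; fake_dev, hw_addr, skb_model, fdb_fill, fdb_get_lladdr and fdb_scenario are constructed stand-ins and names, as are the address bytes.

```c
/* Added example, not kernel code: a user-space model of the NDA_LLADDR fill this
 * patch fixes. Netlink alignment macros and the nlattr/ndmsg layouts mirror the
 * Linux UAPI headers; fake_dev, hw_addr, skb_model are constructed stand-ins. */
#include <errno.h>
#include <stdint.h>
#include <string.h>
#define ETH_ALEN       6
#define MAX_ADDR_LEN   32        /* storage size of netdev_hw_addr::addr */
#define NDA_LLADDR     2         /* attribute types from linux/neighbour.h */
#define NDA_VLAN       5
#define NLA_ALIGNTO    4
#define NLA_ALIGN(n)   (((n) + NLA_ALIGNTO - 1) & ~(size_t)(NLA_ALIGNTO - 1))
#define NLMSG_ALIGN(n) NLA_ALIGN(n)
#define UNINIT_MARK    0xEE      /* stands in for never-written heap bytes */
struct nlattr { uint16_t nla_len, nla_type; };
#define NLA_HDRLEN ((size_t)NLA_ALIGN(sizeof(struct nlattr)))
struct ndmsg { uint8_t ndm_family, ndm_pad1; uint16_t ndm_pad2; int32_t ndm_ifindex;
               uint16_t ndm_state; uint8_t ndm_flags, ndm_type; };
struct fake_dev  { unsigned char addr_len; int ifindex; };
/* __hw_addr_create() writes only dev->addr_len bytes of addr[]; the rest is
 * whatever kmalloc() returned, which is what KMSAN flagged. */
struct hw_addr   { unsigned char addr[MAX_ADDR_LEN]; };
struct skb_model { unsigned char data[128]; size_t len, cap; };
static size_t nla_total_size(size_t payload) { return NLA_ALIGN(NLA_HDRLEN + payload); }

/* rtnl_fdb_nlmsg_size() before and after the patch; the nlmsghdr is excluded, as
 * in the kernel, because nlmsg_new() accounts for it. */
size_t fdb_nlmsg_size_hardcoded(void)
{ return NLMSG_ALIGN(sizeof(struct ndmsg)) + nla_total_size(ETH_ALEN) + nla_total_size(2); }
size_t fdb_nlmsg_size(const struct fake_dev *dev)
{ return NLMSG_ALIGN(sizeof(struct ndmsg)) + nla_total_size(dev->addr_len) + nla_total_size(2); }

/* Model of nla_put(): header, payload, zeroed pad; -EMSGSIZE if it does not fit. */
static int nla_put(struct skb_model *skb, uint16_t type, size_t attrlen, const void *payload)
{
	size_t total = nla_total_size(attrlen);
	struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + attrlen), type };
	if (skb->len + total > skb->cap)
		return -EMSGSIZE;
	memset(skb->data + skb->len, 0, total);
	memcpy(skb->data + skb->len, &hdr, sizeof hdr);
	memcpy(skb->data + skb->len + NLA_HDRLEN, payload, attrlen);
	skb->len += total;
	return 0;
}

/* Model of nlmsg_populate_fdb_fill(): lladdr_len is ETH_ALEN before the patch and
 * dev->addr_len after it; cap is the payload size nlmsg_new() was asked for. */
int fdb_fill(struct skb_model *skb, size_t cap, const struct fake_dev *dev,
	     const struct hw_addr *ha, uint16_t vid, size_t lladdr_len)
{
	struct ndmsg ndm = { 0 };
	ndm.ndm_ifindex = dev->ifindex;
	memset(skb, 0, sizeof *skb);
	skb->cap = cap < sizeof skb->data ? cap : sizeof skb->data;
	memcpy(skb->data, &ndm, sizeof ndm);
	skb->len = NLMSG_ALIGN(sizeof ndm);
	if (nla_put(skb, NDA_LLADDR, lladdr_len, ha->addr) ||
	    (vid && nla_put(skb, NDA_VLAN, sizeof vid, &vid)))
		return -EMSGSIZE;
	return 0;
}

/* Consumer side: copy NDA_LLADDR out using nla_len rather than assuming six
 * bytes. Returns the payload length, or a negative errno. */
int fdb_get_lladdr(const struct skb_model *skb, unsigned char *out, size_t outcap)
{
	size_t off = NLMSG_ALIGN(sizeof(struct ndmsg)), n;
	struct nlattr hdr = { 0 };
	for (; off + NLA_HDRLEN <= skb->len; off += NLA_ALIGN(hdr.nla_len)) {
		memcpy(&hdr, skb->data + off, sizeof hdr);
		if (hdr.nla_len < NLA_HDRLEN || off + hdr.nla_len > skb->len)
			return -EINVAL;			/* malformed attribute */
		if (hdr.nla_type != NDA_LLADDR)
			continue;
		n = hdr.nla_len - NLA_HDRLEN;
		if (n > outcap)
			return -EINVAL;
		memcpy(out, skb->data + off + NLA_HDRLEN, n);
		return (int)n;
	}
	return -ENOENT;
}

/* One end-to-end run: a device with the given addr_len, an skb of cap bytes and a
 * fill emitting lladdr_len bytes. Returns how many never-written bytes reach the
 * consumer (two in the syzbot case, as KMSAN reported), or the fill's errno. */
int fdb_scenario(unsigned char addr_len, size_t cap, size_t lladdr_len)
{
	unsigned char out[MAX_ADDR_LEN];
	struct fake_dev dev = { addr_len, 7 };
	struct hw_addr ha; struct skb_model skb;
	int n, err, leaked = 0;
	memset(ha.addr, UNINIT_MARK, sizeof ha.addr);	/* the uninitialised tail */
	for (int i = 0; i < addr_len; i++)
		ha.addr[i] = (unsigned char)(0x10 + i);	/* constructed address bytes */
	err = fdb_fill(&skb, cap, &dev, &ha, 1, lladdr_len);
	if (err)
		return err;
	n = fdb_get_lladdr(&skb, out, sizeof out);
	for (int i = 0; i < n; i++)
		leaked += out[i] == UNINIT_MARK;
	return leaked;
}
```

With a 4-byte device and the pre-patch fill, fdb_scenario(4, 32, ETH_ALEN) returns 2, the same two bytes the KMSAN report marks uninitialised, and fdb_scenario(4, 28, 4) returns 0. With a 20-byte device, fdb_scenario(20, 32, 20) returns -EMSGSIZE because the old fixed estimate is too small, and fdb_scenario(20, 44, 20) succeeds: the skb has to be sized from dev->addr_len as soon as the put uses it. On the consumer side, fdb_get_lladdr reads nla_len instead of assuming ETH_ALEN, which is the same discipline a user-space parser of these messages needs, since the address length varies per device.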

Comments

Jiri Pirko June 22, 2023, 7:53 a.m. UTC | #1
Wed, Jun 21, 2023 at 07:47:20PM CEST, edumazet@google.com wrote:
>syzbot reports that some netdev devices do not have a six-byte
>address [1]
>
>Replace ETH_ALEN by dev->addr_len.
>
>[1] (Case of a device where dev->addr_len = 4)
>
>BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>BUG: KMSAN: kernel-infoleak in copyout+0xb8/0x100 lib/iov_iter.c:169
>instrument_copy_to_user include/linux/instrumented.h:114 [inline]
>copyout+0xb8/0x100 lib/iov_iter.c:169
>_copy_to_iter+0x6d8/0x1d00 lib/iov_iter.c:536
>copy_to_iter include/linux/uio.h:206 [inline]
>simple_copy_to_iter+0x68/0xa0 net/core/datagram.c:513
>__skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
>skb_copy_datagram_iter+0x5c/0x200 net/core/datagram.c:527
>skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
>netlink_recvmsg+0x4ae/0x15a0 net/netlink/af_netlink.c:1970
>sock_recvmsg_nosec net/socket.c:1019 [inline]
>sock_recvmsg net/socket.c:1040 [inline]
>____sys_recvmsg+0x283/0x7f0 net/socket.c:2722
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was stored to memory at:
>__nla_put lib/nlattr.c:1009 [inline]
>nla_put+0x1c6/0x230 lib/nlattr.c:1067
>nlmsg_populate_fdb_fill+0x2b8/0x600 net/core/rtnetlink.c:4071
>nlmsg_populate_fdb net/core/rtnetlink.c:4418 [inline]
>ndo_dflt_fdb_dump+0x616/0x840 net/core/rtnetlink.c:4456
>rtnl_fdb_dump+0x14ff/0x1fc0 net/core/rtnetlink.c:4629
>netlink_dump+0x9d1/0x1310 net/netlink/af_netlink.c:2268
>netlink_recvmsg+0xc5c/0x15a0 net/netlink/af_netlink.c:1995
>sock_recvmsg_nosec+0x7a/0x120 net/socket.c:1019
>____sys_recvmsg+0x664/0x7f0 net/socket.c:2720
>___sys_recvmsg+0x223/0x840 net/socket.c:2764
>do_recvmmsg+0x4f9/0xfd0 net/socket.c:2858
>__sys_recvmmsg net/socket.c:2937 [inline]
>__do_sys_recvmmsg net/socket.c:2960 [inline]
>__se_sys_recvmmsg net/socket.c:2953 [inline]
>__x64_sys_recvmmsg+0x397/0x490 net/socket.c:2953
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Uninit was created at:
>slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:716
>slab_alloc_node mm/slub.c:3451 [inline]
>__kmem_cache_alloc_node+0x4ff/0x8b0 mm/slub.c:3490
>kmalloc_trace+0x51/0x200 mm/slab_common.c:1057
>kmalloc include/linux/slab.h:559 [inline]
>__hw_addr_create net/core/dev_addr_lists.c:60 [inline]
>__hw_addr_add_ex+0x2e5/0x9e0 net/core/dev_addr_lists.c:118
>__dev_mc_add net/core/dev_addr_lists.c:867 [inline]
>dev_mc_add+0x9a/0x130 net/core/dev_addr_lists.c:885
>igmp6_group_added+0x267/0xbc0 net/ipv6/mcast.c:680
>ipv6_mc_up+0x296/0x3b0 net/ipv6/mcast.c:2754
>ipv6_mc_remap+0x1e/0x30 net/ipv6/mcast.c:2708
>addrconf_type_change net/ipv6/addrconf.c:3731 [inline]
>addrconf_notify+0x4d3/0x1d90 net/ipv6/addrconf.c:3699
>notifier_call_chain kernel/notifier.c:93 [inline]
>raw_notifier_call_chain+0xe4/0x430 kernel/notifier.c:461
>call_netdevice_notifiers_info net/core/dev.c:1935 [inline]
>call_netdevice_notifiers_extack net/core/dev.c:1973 [inline]
>call_netdevice_notifiers+0x1ee/0x2d0 net/core/dev.c:1987
>bond_enslave+0xccd/0x53f0 drivers/net/bonding/bond_main.c:1906
>do_set_master net/core/rtnetlink.c:2626 [inline]
>rtnl_newlink_create net/core/rtnetlink.c:3460 [inline]
>__rtnl_newlink net/core/rtnetlink.c:3660 [inline]
>rtnl_newlink+0x378c/0x40e0 net/core/rtnetlink.c:3673
>rtnetlink_rcv_msg+0x16a6/0x1840 net/core/rtnetlink.c:6395
>netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2546
>rtnetlink_rcv+0x34/0x40 net/core/rtnetlink.c:6413
>netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
>netlink_unicast+0xf28/0x1230 net/netlink/af_netlink.c:1365
>netlink_sendmsg+0x122f/0x13d0 net/netlink/af_netlink.c:1913
>sock_sendmsg_nosec net/socket.c:724 [inline]
>sock_sendmsg net/socket.c:747 [inline]
>____sys_sendmsg+0x999/0xd50 net/socket.c:2503
>___sys_sendmsg+0x28d/0x3c0 net/socket.c:2557
>__sys_sendmsg net/socket.c:2586 [inline]
>__do_sys_sendmsg net/socket.c:2595 [inline]
>__se_sys_sendmsg net/socket.c:2593 [inline]
>__x64_sys_sendmsg+0x304/0x490 net/socket.c:2593
>do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
>entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
>Bytes 2856-2857 of 3500 are uninitialized
>Memory access of size 3500 starts at ffff888018d99104
>Data copied to user address 0000000020000480
>
>Fixes: d83b06036048 ("net: add fdb generic dump routine")
>Reported-by: syzbot <syzkaller@googlegroups.com>
>Signed-off-by: Eric Dumazet <edumazet@google.com>

Reviewed-by: Jiri Pirko <jiri@nvidia.com>
patchwork-bot+netdevbpf@kernel.org June 23, 2023, 2:40 a.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 21 Jun 2023 17:47:20 +0000 you wrote:
> syzbot reports that some netdev devices do not have a six-byte
> address [1]
> 
> Replace ETH_ALEN by dev->addr_len.
> 
> [1] (Case of a device where dev->addr_len = 4)
> 
> [...]

Here is the summary with links:
  - [net] netlink: do not hard code device address length in fdb dumps
    https://git.kernel.org/netdev/net/c/aa5406950726

You are awesome, thank you!

Patch

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 41de3a2f29e15a1db04c9fd7f0b723c501fa0256..7776611a14ae4367fe8af1bde0f55b20c5e3507d 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -4090,7 +4090,7 @@  static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
 	ndm->ndm_ifindex = dev->ifindex;
 	ndm->ndm_state   = ndm_state;
 
-	if (nla_put(skb, NDA_LLADDR, ETH_ALEN, addr))
+	if (nla_put(skb, NDA_LLADDR, dev->addr_len, addr))
 		goto nla_put_failure;
 	if (vid)
 		if (nla_put(skb, NDA_VLAN, sizeof(u16), &vid))
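Review bot: the `nla_put(skb, NDA_LLADDR, dev->addr_len, addr)` line is only correct if every caller's `addr` points at a buffer holding at least dev->addr_len bytes; for the dump path that holds, since the KMSAN trace shows the addresses come from the device's own lists (__hw_addr_create via dev_mc_add), but a one-line comment above the call stating that contract would save the next reader the same check. Also worth saying in the commit message: this hunk removes the 2-byte over-read for a 4-byte address, yet for a device whose addr_len is larger than ETH_ALEN the put now needs more room than the old fixed estimate provides, so it must land together with the rtnl_fdb_nlmsg_size() change rather than on its own.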
@@ -4104,10 +4104,10 @@  static int nlmsg_populate_fdb_fill(struct sk_buff *skb,
 	return -EMSGSIZE;
 }
 
-static inline size_t rtnl_fdb_nlmsg_size(void)
+static inline size_t rtnl_fdb_nlmsg_size(const struct net_device *dev)
 {
 	return NLMSG_ALIGN(sizeof(struct ndmsg)) +
-	       nla_total_size(ETH_ALEN) +	/* NDA_LLADDR */
+	       nla_total_size(dev->addr_len) +	/* NDA_LLADDR */
 	       nla_total_size(sizeof(u16)) +	/* NDA_VLAN */
 	       0;
 }
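Review bot: making rtnl_fdb_nlmsg_size() take `dev` keeps the estimate in step with the put length, and because the signature changed, any caller that was not updated fails to compile instead of silently undersizing the skb, which is the right way to force the audit. Minor: the comment on the `nla_total_size(dev->addr_len) +	/* NDA_LLADDR */` line could say that the value is per device (4, 6 or more bytes) so that ETH_ALEN is not reintroduced later by someone reading only this function.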
@@ -4119,7 +4119,7 @@  static void rtnl_fdb_notify(struct net_device *dev, u8 *addr, u16 vid, int type,
 	struct sk_buff *skb;
 	int err = -ENOBUFS;
 
-	skb = nlmsg_new(rtnl_fdb_nlmsg_size(), GFP_ATOMIC);
+	skb = nlmsg_new(rtnl_fdb_nlmsg_size(dev), GFP_ATOMIC);
 	if (!skb)
 		goto errout;
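Review bot: rtnl_fdb_notify() now allocates per device, which completes the fix, but nothing in this hunk shows that the `u8 *addr` its callers pass is always dev->addr_len bytes long; a kernel-doc line on rtnl_fdb_notify() stating that `addr` must hold dev->addr_len bytes would make the contract explicit for the notify path as well as the dump path.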