diff mbox series

[net] netdevsim: prevent bad user input in nsim_dev_health_break_write()

Message ID 20241213172518.2415666-1-edumazet@google.com (mailing list archive)
State Accepted
Commit ee76746387f6233bdfa93d7406990f923641568f
Delegated to: Netdev Maintainers
Series [net] netdevsim: prevent bad user input in nsim_dev_health_break_write()

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: andrew+netdev@lunn.ch
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-12-15--09-00 (tests: 795)

Commit Message

Eric Dumazet Dec. 13, 2024, 5:25 p.m. UTC
If either a zero count or a large one is provided, kernel can crash.

Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jiri Pirko <jiri@nvidia.com>
---
 drivers/net/netdevsim/health.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Joe Damato Dec. 13, 2024, 5:49 p.m. UTC | #1
On Fri, Dec 13, 2024 at 05:25:18PM +0000, Eric Dumazet wrote:
> If either a zero count or a large one is provided, kernel can crash.
> 
> Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
> Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Jiri Pirko <jiri@nvidia.com>
> ---
>  drivers/net/netdevsim/health.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
> index 70e8bdf34be900f744e821fb237641a27bb71a7b..688f05316b5e109fc84222476023f3f1f078cf28 100644
> --- a/drivers/net/netdevsim/health.c
> +++ b/drivers/net/netdevsim/health.c
> @@ -149,6 +149,8 @@ static ssize_t nsim_dev_health_break_write(struct file *file,
>  	char *break_msg;
>  	int err;
>  
> +	if (count == 0 || count > PAGE_SIZE)
> +		return -EINVAL;
>  	break_msg = memdup_user_nul(data, count);
>  	if (IS_ERR(break_msg))
>  		return PTR_ERR(break_msg);
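
Review bot: the `count == 0` arm of the added check returns -EINVAL, while many write handlers treat a zero-length write as a no-op and return 0, so an empty write to this file now fails with the same error as an oversized one. If rejecting it is intended, a sentence in the commit message would settle it; otherwise consider handling `!count` separately from the `count > PAGE_SIZE` test so userspace can tell the two cases apart.
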
> -- 

Reviewed-by: Joe Damato <jdamato@fastly.com>
patchwork-bot+netdevbpf@kernel.org Dec. 15, 2024, 9:30 p.m. UTC | #2
Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Fri, 13 Dec 2024 17:25:18 +0000 you wrote:
> If either a zero count or a large one is provided, kernel can crash.
> 
> Fixes: 82c93a87bf8b ("netdevsim: implement couple of testing devlink health reporters")
> Reported-by: syzbot+ea40e4294e58b0292f74@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/675c6862.050a0220.37aaf.00b1.GAE@google.com/T/#u
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Jiri Pirko <jiri@nvidia.com>
> 
> [...]

Here is the summary with links:
  - [net] netdevsim: prevent bad user input in nsim_dev_health_break_write()
    https://git.kernel.org/netdev/net/c/ee76746387f6

You are awesome, thank you!

Patch

diff --git a/drivers/net/netdevsim/health.c b/drivers/net/netdevsim/health.c
index 70e8bdf34be900f744e821fb237641a27bb71a7b..688f05316b5e109fc84222476023f3f1f078cf28 100644
--- a/drivers/net/netdevsim/health.c
+++ b/drivers/net/netdevsim/health.c
@@ -149,6 +149,8 @@  static ssize_t nsim_dev_health_break_write(struct file *file,
 	char *break_msg;
 	int err;
 
+	if (count == 0 || count > PAGE_SIZE)
+		return -EINVAL;
 	break_msg = memdup_user_nul(data, count);
 	if (IS_ERR(break_msg))
 		return PTR_ERR(break_msg);
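
Review bot: the check added ahead of `memdup_user_nul(data, count)` has no comment, and the commit message only says the kernel "can crash" without naming which later use each bound protects. The upper bound evidently limits the user-controlled size handed to memdup_user_nul(), but whatever the zero case breaks lies below the visible context, so a one-line comment above the check (or a sentence in the changelog) stating both failure modes and why PAGE_SIZE was chosen as the limit would help anyone who revisits it later.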