e3f9bed9be
syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7f0000000040)={@val={0x0, 0x11}, @val, @mpls={[], @llc={@snap={0xaa, 0x1, ')', "90e5dd"}}}}, 0x16) llc_conn_handler() initialises local variables {saddr,daddr}.mac based on skb in llc_pdu_decode_sa()/llc_pdu_decode_da() and passes them to __llc_lookup(). However, the initialisation is done only when skb->protocol is htons(ETH_P_802_2), otherwise, __llc_lookup_established() and __llc_lookup_listener() will read garbage. The missing initialisation existed prior to commit 211ed865108e ("net: delete all instances of special processing for token ring"). It removed the part to kick out the token ring stuff but forgot to close the door allowing ETH_P_TR_802_2 packets to sneak into llc_rcv(). Let's remove llc_tr_packet_type and complete the deprecation. [0]: BUG: KMSAN: uninit-value in __llc_lookup_established+0xe9d/0xf90 __llc_lookup_established+0xe9d/0xf90 __llc_lookup net/llc/llc_conn.c:611 [inline] llc_conn_handler+0x4bd/0x1360 net/llc/llc_conn.c:791 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 __netif_receive_skb_one_core net/core/dev.c:5527 [inline] __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5641 netif_receive_skb_internal net/core/dev.c:5727 [inline] netif_receive_skb+0x58/0x660 net/core/dev.c:5786 tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555 tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002 tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048 call_write_iter include/linux/fs.h:2020 [inline] new_sync_write fs/read_write.c:491 [inline] vfs_write+0x8ef/0x1490 fs/read_write.c:584 ksys_write+0x20f/0x4c0 fs/read_write.c:637 __do_sys_write fs/read_write.c:649 [inline] __se_sys_write fs/read_write.c:646 [inline] __x64_sys_write+0x93/0xd0 fs/read_write.c:646 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82 
entry_SYSCALL_64_after_hwframe+0x63/0x6b Local variable daddr created at: llc_conn_handler+0x53/0x1360 net/llc/llc_conn.c:783 llc_rcv+0xfbb/0x14a0 net/llc/llc_input.c:206 CPU: 1 PID: 5004 Comm: syz-executor994 Not tainted 6.6.0-syzkaller-14500-g1c41041124bd #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/09/2023 Fixes: 211ed865108e ("net: delete all instances of special processing for token ring") Reported-by: syzbot+b5ad66046b913bc04c6f@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=b5ad66046b913bc04c6f Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20240119015515.61898-1-kuniyu@amazon.com Signed-off-by: Jakub Kicinski <kuba@kernel.org>
/*
 * llc_core.c - Minimum needed routines for sap handling and module init/exit
 *
 * Copyright (c) 1997 by Procom Technology, Inc.
 * 2001-2003 by Arnaldo Carvalho de Melo <acme@conectiva.com.br>
 *
 * This program can be redistributed or modified under the terms of the
 * GNU General Public License as published by the Free Software Foundation.
 * This program is distributed without any warranty or implied warranty
 * of merchantability or fitness for a particular purpose.
 *
 * See the GNU General Public License for more details.
 */
#include <linux/module.h>
#include <linux/interrupt.h>
#include <linux/if_ether.h>
#include <linux/netdevice.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <linux/init.h>
#include <net/net_namespace.h>
#include <net/llc.h>
/*
 * Station-wide list of open SAPs.
 *
 * Writers (llc_sap_open()/llc_sap_close()) serialise on llc_sap_list_lock
 * and modify the list with the _rcu helpers; the lockless reader
 * (llc_sap_find()) walks it under rcu_read_lock_bh() instead.
 */
LIST_HEAD(llc_sap_list);
static DEFINE_SPINLOCK(llc_sap_list_lock);
/**
 * llc_sap_alloc - allocate and initialise a SAP
 *
 * Allocates a zeroed &struct llc_sap with GFP_ATOMIC (callers hold a
 * spinlock) and puts it into the active state with an initialised socket
 * lock, empty per-address socket hash lists and one initial reference.
 *
 * Returns the new sap or %NULL if the allocation failed.
 */
static struct llc_sap *llc_sap_alloc(void)
{
	struct llc_sap *sap = kzalloc(sizeof(*sap), GFP_ATOMIC);
	int i;

	if (!sap)
		return NULL;

	/* sap->laddr.mac stays all-zero here; bind fills it in later. */
	sap->state = LLC_SAP_STATE_ACTIVE;
	spin_lock_init(&sap->sk_lock);
	for (i = 0; i < LLC_SK_LADDR_HASH_ENTRIES; i++)
		INIT_HLIST_NULLS_HEAD(&sap->sk_laddr_hash[i], i);
	refcount_set(&sap->refcnt, 1);

	return sap;
}
/*
 * __llc_sap_find - look a SAP up by LSAP number without taking a reference.
 *
 * The caller must either hold llc_sap_list_lock (writer side, see
 * llc_sap_open()) or be inside rcu_read_lock_bh() (see llc_sap_find()).
 * NOTE(review): the RCU reader walks the list with plain list_for_each_entry()
 * rather than list_for_each_entry_rcu(); confirm this is intentional.
 *
 * Returns the matching sap or %NULL if none is registered for @sap_value.
 */
static struct llc_sap *__llc_sap_find(unsigned char sap_value)
{
	struct llc_sap *sap;

	list_for_each_entry(sap, &llc_sap_list, node)
		if (sap->laddr.lsap == sap_value)
			return sap;

	return NULL;
}
/**
 * llc_sap_find - search the station for a SAP by number
 * @sap_value: LSAP number to look up
 *
 * Walks the station's SAP list under rcu_read_lock_bh() and, on a hit,
 * takes a reference with llc_sap_hold_safe(). A SAP on which no reference
 * can be taken any more is reported as not found.
 *
 * Returns the referenced sap, which the caller must release with
 * llc_sap_put() after use, or %NULL if not found.
 */
struct llc_sap *llc_sap_find(unsigned char sap_value)
{
	struct llc_sap *found;
	struct llc_sap *sap = NULL;

	rcu_read_lock_bh();
	found = __llc_sap_find(sap_value);
	/* Only hand out a SAP we managed to pin. */
	if (found && llc_sap_hold_safe(found))
		sap = found;
	rcu_read_unlock_bh();

	return sap;
}
/**
 * llc_sap_open - register a SAP for an upper-layer protocol
 * @lsap: LSAP number to register
 * @func: receive function for the datalink protocol using this SAP
 *
 * Interface function to upper layer. Each one who wants to get a SAP
 * (for example NetBEUI) should call this function. Exactly one SAP may
 * exist per LSAP number: if one is already registered the call fails
 * without touching it.
 *
 * Returns the opened SAP for success, %NULL if @lsap is already in use
 * or the allocation failed.
 */
struct llc_sap *llc_sap_open(unsigned char lsap,
			     int (*func)(struct sk_buff *skb,
					 struct net_device *dev,
					 struct packet_type *pt,
					 struct net_device *orig_dev))
{
	struct llc_sap *sap = NULL;

	/* The lock covers both the duplicate check and the insertion, so two
	 * concurrent opens of the same LSAP cannot both succeed. It is also
	 * why llc_sap_alloc() has to use GFP_ATOMIC.
	 */
	spin_lock_bh(&llc_sap_list_lock);
	if (!__llc_sap_find(lsap)) {
		sap = llc_sap_alloc();
		if (sap) {
			sap->laddr.lsap = lsap;
			sap->rcv_func = func;
			list_add_tail_rcu(&sap->node, &llc_sap_list);
		}
	}
	spin_unlock_bh(&llc_sap_list_lock);

	return sap;
}
/**
 * llc_sap_close - close interface for upper layers.
 * @sap: SAP to be closed.
 *
 * Close interface function to upper layer. Each one who wants to
 * close an open SAP (for example NetBEUI) should call this function.
 * Removes this sap from the list of saps in the station and then
 * frees the memory for this sap once the current RCU grace period has
 * ended, so lockless readers still walking the list never see a freed
 * node. No sockets may be bound to the SAP any more.
 */
void llc_sap_close(struct llc_sap *sap)
{
	/* Tearing down a SAP that still has sockets is a caller bug. */
	WARN_ON(sap->sk_count);

	/* Unlink under the writer lock; RCU readers may still be on the node. */
	spin_lock_bh(&llc_sap_list_lock);
	list_del_rcu(&sap->node);
	spin_unlock_bh(&llc_sap_list_lock);

	/* Deferred free: waits for readers that observed the node to finish. */
	kfree_rcu(sap, rcu);
}
/*
 * The only link-layer protocol LLC hooks into: frames tagged ETH_P_802_2
 * are delivered to llc_rcv(). ETH_P_TR_802_2 (token ring) is deliberately
 * not registered any more, because the LLC receive path only decodes the
 * source/destination MAC addresses for ETH_P_802_2 frames and would
 * otherwise run the connection lookup on uninitialised addresses.
 */
static struct packet_type llc_packet_type __read_mostly = {
	.type = cpu_to_be16(ETH_P_802_2),
	.func = llc_rcv,
};
/*
 * llc_init - module entry point: register the ETH_P_802_2 packet handler.
 *
 * Returns 0; registration itself cannot fail here.
 */
static int __init llc_init(void)
{
	dev_add_pack(&llc_packet_type);
	return 0;
}
/*
 * llc_exit - module exit: unregister the handler added by llc_init().
 */
static void __exit llc_exit(void)
{
	dev_remove_pack(&llc_packet_type);
}
module_init(llc_init);
module_exit(llc_exit);

/* SAP registry API and the SAP list itself are used by other modules. */
EXPORT_SYMBOL(llc_sap_list);
EXPORT_SYMBOL(llc_sap_find);
EXPORT_SYMBOL(llc_sap_open);
EXPORT_SYMBOL(llc_sap_close);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Procom 1997, Jay Schullist 2001, Arnaldo C. Melo 2001-2003");
MODULE_DESCRIPTION("LLC IEEE 802.2 core support");