iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Taehee Yoo 04b69426d8 hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename() 
hsr slave interfaces don't have debugfs directory.
So, hsr_debugfs_rename() shouldn't be called when hsr slave interface name
is changed.

Test commands:
    ip link add dummy0 type dummy
    ip link add dummy1 type dummy
    ip link add hsr0 type hsr slave1 dummy0 slave2 dummy1
    ip link set dummy0 name ap

Splat looks like:
[21071.899367][T22666] ap: renamed from dummy0
[21071.914005][T22666] ==================================================================
[21071.919008][T22666] BUG: KASAN: slab-out-of-bounds in hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.923640][T22666] Read of size 8 at addr ffff88805febcd98 by task ip/22666
[21071.926941][T22666]
[21071.927750][T22666] CPU: 0 PID: 22666 Comm: ip Not tainted 5.5.0-rc2+ #240
[21071.929919][T22666] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[21071.935094][T22666] Call Trace:
[21071.935867][T22666]  dump_stack+0x96/0xdb
[21071.936687][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.937774][T22666]  print_address_description.constprop.5+0x1be/0x360
[21071.939019][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.940081][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.940949][T22666]  __kasan_report+0x12a/0x16f
[21071.941758][T22666]  ? hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.942674][T22666]  kasan_report+0xe/0x20
[21071.943325][T22666]  hsr_debugfs_rename+0xaa/0xb0 [hsr]
[21071.944187][T22666]  hsr_netdev_notify+0x1fe/0x9b0 [hsr]
[21071.945052][T22666]  ? __module_text_address+0x13/0x140
[21071.945897][T22666]  notifier_call_chain+0x90/0x160
[21071.946743][T22666]  dev_change_name+0x419/0x840
[21071.947496][T22666]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[21071.948600][T22666]  ? netdev_adjacent_rename_links+0x280/0x280
[21071.949577][T22666]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
[21071.950672][T22666]  ? lock_downgrade+0x6e0/0x6e0
[21071.951345][T22666]  ? do_setlink+0x811/0x2ef0
[21071.951991][T22666]  do_setlink+0x811/0x2ef0
[21071.952613][T22666]  ? is_bpf_text_address+0x81/0xe0
[ ... ]

Reported-by: syzbot+9328206518f08318a5fd@syzkaller.appspotmail.com
Fixes: 4c2d5e33dcd3 ("hsr: rename debugfs file when interface name is changed")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-12-30 20:36:27 -08:00
..
6lowpan
6lowpan: no need to check return value of debugfs_create functions
2019-07-06 12:50:01 +02:00
9p
9p pull request for inclusion in 5.4
2019-09-27 15:10:34 -07:00
802
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
8021q
net: remove unnecessary variables and callback
2019-10-24 14:53:49 -07:00
appletalk
appletalk: enforce CAP_NET_RAW for raw sockets
2019-09-24 16:37:18 +02:00
atm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-11-22 16:27:24 -08:00
ax25
net: use helpers to change sk_ack_backlog
2019-11-06 16:14:48 -08:00
batman-adv
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
bluetooth
compat_ioctl: remove most of fs/compat_ioctl.c
2019-12-01 13:46:15 -08:00
bpf
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
bpfilter
Kbuild updates for v5.3
2019-07-12 16:03:16 -07:00
bridge
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2019-12-26 13:11:40 -08:00
caif
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-11-02 13:54:56 -07:00
can
can: j1939: j1939_sk_bind(): take priv after lock is held
2019-12-08 11:52:02 +01:00
ceph
libceph, rbd, ceph: convert to use the new mount API
2019-11-27 22:28:37 +01:00
core
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-12-22 09:54:33 -08:00
dcb
dccp
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
decnet
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2019-12-24 22:28:54 -08:00
dns_resolver
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
dsa
net: dsa: ksz: use common define for tag len
2019-12-20 21:06:49 -08:00
ethernet
net: add annotations on hh->hh_len lockless accesses
2019-11-07 20:07:30 -08:00
hsr
hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename()
2019-12-30 20:36:27 -08:00
ieee802154
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-11-02 13:54:56 -07:00
ife
net: Fix Kconfig indentation
2019-09-26 08:56:17 +02:00
ipv4
tcp: Fix highest_sack and highest_sack_seq
2019-12-30 20:28:39 -08:00
ipv6
sit: do not confirm neighbor when do pmtu update
2019-12-24 22:28:55 -08:00
iucv
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
kcm
kcm: disable preemption in kcm_parse_func_strparser()
2019-09-27 10:27:14 +02:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-07-08 19:48:57 -07:00
l2tp
net: ipv6: add net argument to ip6_dst_lookup_flow
2019-12-04 12:27:12 -08:00
l3mdev
ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF
2019-06-23 13:24:17 -07:00
lapb
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-17 20:20:36 -07:00
llc
llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
2019-12-20 21:19:36 -08:00
mac80211
mac80211: Turn AQL into an NL80211_EXT_FEATURE
2019-12-13 10:34:04 +01:00
mac802154
mpls
net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
2019-12-04 12:27:13 -08:00
ncsi
net/ncsi: Disable global multicast filter
2019-09-19 18:04:40 -07:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
2019-12-26 13:11:40 -08:00
netlabel
netlabel: remove redundant assignment to pointer iter
2019-09-01 11:45:02 -07:00
netlink
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
netrom
net: core: add generic lockdep keys
2019-10-24 14:53:48 -07:00
nfc
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
2019-12-18 11:57:33 -08:00
nsh
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
openvswitch
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
packet
af_packet: set defaule value for tmo
2019-12-09 14:30:19 -08:00
phonet
net: use skb_queue_empty_lockless() in poll() handlers
2019-10-28 13:33:41 -07:00
psample
net: psample: fix skb_over_panic
2019-11-26 14:40:13 -08:00
qrtr
net: qrtr: Simplify 'qrtr_tun_release()'
2019-10-30 17:58:23 -07:00
rds
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2019-11-16 21:51:42 -08:00
rfkill
rfkill: Fix incorrect check to avoid NULL pointer dereference
2019-12-16 10:15:49 +01:00
rose
net: use helpers to change sk_ack_backlog
2019-11-06 16:14:48 -08:00
rxrpc
RxRPC fixes
2019-12-24 16:12:47 -08:00
sched
net/sched: add delete_empty() to filters and use it in cls_flower
2019-12-30 20:35:19 -08:00
sctp
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
2019-12-24 22:28:54 -08:00
smc
net/smc: unregister ib devices in reboot_event
2019-12-20 21:31:19 -08:00
strparser
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-06-22 08:59:24 -04:00
sunrpc
This is a relatively quiet cycle for nfsd, mainly various bugfixes.
2019-12-07 16:56:00 -08:00
switchdev
tipc
tipc: fix use-after-free in tipc_disc_rcv()
2019-12-10 17:45:04 -08:00
tls
net/tls: Fix return values to avoid ENOTSUPP
2019-12-06 20:15:39 -08:00
unix
treewide: Use sizeof_field() macro
2019-12-09 10:36:44 -08:00
vmw_vsock
vsock/virtio: add WARN_ON check on virtio_transport_get_ops()
2019-12-16 16:07:12 -08:00
wimax
wimax: no need to check return value of debugfs_create functions
2019-08-10 15:25:47 -07:00
wireless
cfg80211: fix double-free after changing network namespace
2019-12-13 10:08:09 +01:00
x25
net/x25: add new state X25_STATE_5
2019-12-09 10:28:43 -08:00
xdp
xsk: Add rcu_read_lock around the XSK wakeup
2019-12-19 16:20:48 +01:00
xfrm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2019-11-25 20:02:57 -08:00
compat.c
y2038: socket: use __kernel_old_timespec instead of timespec
2019-11-15 14:38:29 +01:00
Kconfig
net: Fix Kconfig indentation, continued
2019-11-21 12:00:21 -08:00
Makefile
socket.c
io_uring-5.5-20191212
2019-12-13 14:24:54 -08:00
sysctl_net.c