iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet 6cfe6f5185 vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 
[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]

syzbot triggered the following splat [1], sending an empty message
through pppoe_sendmsg().

When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
does not push extra bytes for the VLAN header, because vlan is offloaded.

Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).

We need to swap the two conditions.

[1]
BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
netdev_start_xmit include/linux/netdevice.h:4897 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3053 [inline]
pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
slab_alloc_node mm/slub.c:3452 [inline]
kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
alloc_skb include/linux/skbuff.h:1277 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-05-30 12:57:53 +01:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
2023-04-20 12:10:25 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-30 12:57:53 +01:00
appletalk
appletalk: Fix skb allocation size in loopback case
2021-04-07 15:00:08 +02:00
atm
net/atm: fix proc_mpc_write incorrect return value
2022-10-30 09:41:16 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Don't skb_split skbuffs with frag_list
2022-05-18 10:23:42 +02:00
bluetooth
Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
2023-05-30 12:57:49 +01:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
net: add vlan_get_protocol_and_depth() helper
2023-05-30 12:57:46 +01:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:45:11 +01:00
can
can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events
2023-04-20 12:10:23 +02:00
ceph
libceph: fix potential use-after-free on linger ping and resends
2022-05-25 09:17:56 +02:00
core
net: Catch invalid index in XPS mapping
2023-05-30 12:57:48 +01:00
dcb
net: dcb: disable softirqs in dcbnl_flush_dev()
2022-03-08 19:09:37 +01:00
dccp
dccp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 11:27:42 +02:00
decnet
net: Fix data-races around sysctl_[rw]mem(_offset)?.
2022-08-31 17:15:19 +02:00
dns_resolver
dsa
net: dsa: ksz: Check return value
2022-12-14 11:32:01 +01:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: ratelimit only when errors are printed
2023-04-05 11:23:52 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
tcp: fix possible sk_priority leak in tcp_v4_send_reset()
2023-05-30 12:57:52 +01:00
ipv6
erspan: get the proto with the md version for collect_md
2023-05-30 12:57:52 +01:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:30:00 +01:00
kcm
kcm: close race conditions on sk_receive_queue
2022-11-25 17:45:56 +01:00
key
af_key: Reject optional tunnel/BEET mode templates in outbound policies
2023-05-30 12:57:51 +01:00
l2tp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 11:27:41 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:29:14 +01:00
llc
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
mac80211
wifi: mac80211: fix min center freq offset tracing
2023-05-30 12:57:53 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 11:27:41 +02:00
ncsi
net/ncsi: clear Tx enable mode when handling a Config required AEN
2023-05-17 11:48:10 +02:00
netfilter
ipvs: Update width of source for ip_vs_sync_conn_options
2023-05-30 12:57:49 +01:00
netlabel
netlabel: fix out-of-bounds memory accesses
2022-04-13 21:01:00 +02:00
netlink
netlink: annotate accesses to nlk->cb_running
2023-05-30 12:57:46 +01:00
netrom
netrom: Fix use-after-free caused by accept on already connected socket
2023-02-15 17:22:12 +01:00
nfc
nfc: change order inside nfc_se_io error path
2023-03-17 08:45:07 +01:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-30 12:57:52 +01:00
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
net: add vlan_get_protocol_and_depth() helper
2023-05-30 12:57:46 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
net: psample: Fix netlink skb length with tunnel info
2021-03-07 12:34:07 +01:00
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:10:26 +02:00
rds
rds: rds_rm_zerocopy_callback() correct order for list_add_tail()
2023-03-11 16:39:26 +01:00
rfkill
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:55:53 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:48:11 +02:00
sched
net/sched: act_mirred: Add carrier check
2023-05-17 11:48:11 +02:00
sctp
sctp: Call inet6_destroy_sock() via sk->sk_destruct().
2023-04-26 11:27:42 +02:00
smc
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: Fix trace_svc_register() call site
2023-05-30 12:57:52 +01:00
switchdev
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
2021-02-07 15:37:12 +01:00
tipc
tipc: check the bearer min mtu properly when setting it by netlink
2023-05-30 12:57:52 +01:00
tls
net: deal with most data-races in sk_wait_event()
2023-05-30 12:57:46 +01:00
unix
af_unix: Fix data races around sk->sk_shutdown.
2023-05-30 12:57:46 +01:00
vmw_vsock
vsock: avoid to close connected socket after the timeout
2023-05-30 12:57:52 +01:00
wimax
wireless
wifi: cfg80211: Partial revert "wifi: cfg80211: Fix use after free for wext"
2023-03-13 10:19:36 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Fix unaligned descriptor validation
2023-05-17 11:47:50 +02:00
xfrm
Revert "Fix XFRM-I support for nested ESP tunnels"
2023-05-30 12:57:51 +01:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Makefile
socket.c
net: annotate sk->sk_err write from do_recvmmsg()
2023-05-30 12:57:46 +01:00
sysctl_net.c