[commits] [batman-adv] maint, master: batman-adv: fix uninit-value in batadv_netlink_get_ifindex() (9b470b8a)

postmaster at open-mesh.org postmaster at open-mesh.org
Wed Aug 14 19:31:41 CEST 2019


Repository : ssh://git@open-mesh.org/batman-adv

On branches: maint,master

>---------------------------------------------------------------

commit 9b470b8a2b9ef4ce68d6e95febd3a0574be1ac14
Author: Eric Dumazet <edumazet at google.com>
Date:   Mon Aug 12 04:57:27 2019 -0700

    batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
    
    batadv_netlink_get_ifindex() needs to make sure user passed
    a correct u32 attribute.
    
    syzbot reported :
    BUG: KMSAN: uninit-value in batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
    CPU: 1 PID: 11705 Comm: syz-executor888 Not tainted 5.1.0+ #1
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x191/0x1f0 lib/dump_stack.c:113
     kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
     __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
     batadv_netlink_dump_hardif+0x70d/0x880 net/batman-adv/netlink.c:968
     genl_lock_dumpit+0xc6/0x130 net/netlink/genetlink.c:482
     netlink_dump+0xa84/0x1ab0 net/netlink/af_netlink.c:2253
     __netlink_dump_start+0xa3a/0xb30 net/netlink/af_netlink.c:2361
     genl_family_rcv_msg net/netlink/genetlink.c:550 [inline]
     genl_rcv_msg+0xfc1/0x1a40 net/netlink/genetlink.c:627
     netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2486
     genl_rcv+0x63/0x80 net/netlink/genetlink.c:638
     netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
     netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1337
     netlink_sendmsg+0x127e/0x12f0 net/netlink/af_netlink.c:1926
     sock_sendmsg_nosec net/socket.c:651 [inline]
     sock_sendmsg net/socket.c:661 [inline]
     ___sys_sendmsg+0xcc6/0x1200 net/socket.c:2260
     __sys_sendmsg net/socket.c:2298 [inline]
     __do_sys_sendmsg net/socket.c:2307 [inline]
     __se_sys_sendmsg+0x305/0x460 net/socket.c:2305
     __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2305
     do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
     entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x440209
    
    Fixes: 55d368c3a57e ("batman-adv: netlink: hardif query")
    Signed-off-by: Eric Dumazet <edumazet at google.com>
    Reported-by: syzbot <syzkaller at googlegroups.com>
    Signed-off-by: Sven Eckelmann <sven at narfation.org>


>---------------------------------------------------------------

9b470b8a2b9ef4ce68d6e95febd3a0574be1ac14
 net/batman-adv/netlink.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
index 6f08fd12..7e052d6f 100644
--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -164,7 +164,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
 {
 	struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
 
-	return attr ? nla_get_u32(attr) : 0;
+	return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
 }
 
 /**



More information about the commits mailing list