OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
linux/net/ipv4
History
Nikolay Aleksandrov 4ae9ebf9e8 net: nexthop: don't allow empty NHA_GROUP 
[ Upstream commit eeaac3634e ]

Currently the nexthop code will use an empty NHA_GROUP attribute, but it
requires at least 1 entry in order to function properly. Otherwise we
end up derefencing null or random pointers all over the place due to not
having any nh_grp_entry members allocated, nexthop code relies on having at
least the first member present. Empty NHA_GROUP doesn't make any sense so
just disallow it.
Also add a WARN_ON for any future users of nexthop_create_group().

 BUG: kernel NULL pointer dereference, address: 0000000000000080
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP
 CPU: 0 PID: 558 Comm: ip Not tainted 5.9.0-rc1+ #93
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-2.fc32 04/01/2014
 RIP: 0010:fib_check_nexthop+0x4a/0xaa
 Code: 0f 84 83 00 00 00 48 c7 02 80 03 f7 81 c3 40 80 fe fe 75 12 b8 ea ff ff ff 48 85 d2 74 6b 48 c7 02 40 03 f7 81 c3 48 8b 40 10 <48> 8b 80 80 00 00 00 eb 36 80 78 1a 00 74 12 b8 ea ff ff ff 48 85
 RSP: 0018:ffff88807983ba00 EFLAGS: 00010213
 RAX: 0000000000000000 RBX: ffff88807983bc00 RCX: 0000000000000000
 RDX: ffff88807983bc00 RSI: 0000000000000000 RDI: ffff88807bdd0a80
 RBP: ffff88807983baf8 R08: 0000000000000dc0 R09: 000000000000040a
 R10: 0000000000000000 R11: ffff88807bdd0ae8 R12: 0000000000000000
 R13: 0000000000000000 R14: ffff88807bea3100 R15: 0000000000000001
 FS:  00007f10db393700(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000080 CR3: 000000007bd0f004 CR4: 00000000003706f0
 Call Trace:
  fib_create_info+0x64d/0xaf7
  fib_table_insert+0xf6/0x581
  ? __vma_adjust+0x3b6/0x4d4
  inet_rtm_newroute+0x56/0x70
  rtnetlink_rcv_msg+0x1e3/0x20d
  ? rtnl_calcit.isra.0+0xb8/0xb8
  netlink_rcv_skb+0x5b/0xac
  netlink_unicast+0xfa/0x17b
  netlink_sendmsg+0x334/0x353
  sock_sendmsg_nosec+0xf/0x3f
  ____sys_sendmsg+0x1a0/0x1fc
  ? copy_msghdr_from_user+0x4c/0x61
  ___sys_sendmsg+0x63/0x84
  ? handle_mm_fault+0xa39/0x11b5
  ? sockfd_lookup_light+0x72/0x9a
  __sys_sendmsg+0x50/0x6e
  do_syscall_64+0x54/0xbe
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x7f10dacc0bb7
 Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb cd 66 0f 1f 44 00 00 8b 05 9a 4b 2b 00 85 c0 75 2e 48 63 ff 48 63 d2 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 01 c3 48 8b 15 b1 f2 2a 00 f7 d8 64 89 02 48
 RSP: 002b:00007ffcbe628bf8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007ffcbe628f80 RCX: 00007f10dacc0bb7
 RDX: 0000000000000000 RSI: 00007ffcbe628c60 RDI: 0000000000000003
 RBP: 000000005f41099c R08: 0000000000000001 R09: 0000000000000008
 R10: 00000000000005e9 R11: 0000000000000246 R12: 0000000000000000
 R13: 0000000000000000 R14: 00007ffcbe628d70 R15: 0000563a86c6e440
 Modules linked in:
 CR2: 0000000000000080

CC: David Ahern <dsahern@gmail.com>
Fixes: 430a049190 ("nexthop: Add support for nexthop groups")
Reported-by: syzbot+a61aa19b0c14c8770bd9@syzkaller.appspotmail.com
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2020-09-03 11:26:40 +02:00
..
bpfilter
netfilter netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code 2020-06-03 08:21:35 +02:00
Kconfig vti[6]: fix packet tx through bpf_redirect() in XinY cases 2020-04-01 11:02:05 +02:00
Makefile
af_inet.c
ah4.c
arp.c
cipso_ipv4.c netlabel: cope with NULL catmap 2020-05-20 08:20:08 +02:00
datagram.c
devinet.c devinet: fix memleak in inetdev_init() 2020-06-10 20:24:54 +02:00
esp4.c
esp4_offload.c xfrm: remove the xfrm_state_put call becofe going to out_reset 2020-06-03 08:21:32 +02:00
fib_frontend.c ipv4: nexthop version of fib_info_nh_uses_dev 2020-06-03 08:21:37 +02:00
fib_lookup.h
fib_notifier.c
fib_rules.c
fib_semantics.c net: Fix the arp error in some cases 2020-06-30 15:36:44 -04:00
fib_trie.c ipv4: Silence suspicious RCU usage warning 2020-08-11 15:33:39 +02:00
fou.c
gre_demux.c
gre_offload.c net: gre: recompute gre csum for sctp over gre tunnels 2020-08-11 15:33:40 +02:00
icmp.c ip: Fix SO_MARK in RST, ACK and ICMP packets 2020-07-22 09:32:50 +02:00
igmp.c
inet_connection_sock.c net: refactor bind_bucket fastreuse into helper 2020-08-19 08:16:23 +02:00
inet_diag.c inet_diag: return classid for all socket types 2020-03-18 07:17:38 +01:00
inet_fragment.c
inet_hashtables.c net: initialize fastreuse on inet_inherit_port 2020-08-19 08:16:23 +02:00
inet_timewait_sock.c
inetpeer.c
ip_forward.c
ip_fragment.c
ip_gre.c net: ip_gre: Accept IFLA_INFO_DATA-less configuration 2020-04-01 11:01:46 +02:00
ip_input.c
ip_options.c
ip_output.c ip: Fix SO_MARK in RST, ACK and ICMP packets 2020-07-22 09:32:50 +02:00
ip_sockglue.c
ip_tunnel.c ip_tunnel: fix use-after-free in ip_tunnel_lookup() 2020-06-30 15:36:46 -04:00
ip_tunnel_core.c
ip_vti.c ip_vti: receive ipip packet by calling ip_tunnel_rcv 2020-06-03 08:21:34 +02:00
ipcomp.c
ipconfig.c
ipip.c net: ipip: fix wrong address family in init error path 2020-06-03 08:20:52 +02:00
ipmr.c net: don't return invalid table id error when we fall back to PF_UNSPEC 2020-06-03 08:20:41 +02:00
ipmr_base.c
metrics.c
netfilter.c
netlink.c
nexthop.c net: nexthop: don't allow empty NHA_GROUP 2020-09-03 11:26:40 +02:00
ping.c ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg 2020-07-22 09:32:47 +02:00
proc.c
protocol.c
raw.c
raw_diag.c inet_diag: return classid for all socket types 2020-03-18 07:17:38 +01:00
route.c net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" 2020-06-03 08:21:00 +02:00
syncookies.c
sysctl_net_ipv4.c tcp: correct read of TFO keys on big endian systems 2020-08-19 08:16:23 +02:00
tcp.c tcp: correct read of TFO keys on big endian systems 2020-08-19 08:16:23 +02:00
tcp_bbr.c
tcp_bic.c
tcp_bpf.c bpf/sockmap: Fix kernel panic at __tcp_bpf_recvmsg 2020-06-24 17:50:42 +02:00
tcp_cdg.c
tcp_cong.c tcp: make sure listeners don't initialize congestion-control state 2020-07-22 09:32:48 +02:00
tcp_cubic.c tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT 2020-06-30 15:36:47 -04:00
tcp_dctcp.c
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c tcp: correct read of TFO keys on big endian systems 2020-08-19 08:16:23 +02:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: apply a floor of 1 for RTT samples from TCP timestamps 2020-08-11 15:33:41 +02:00
tcp_ipv4.c tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers 2020-07-22 09:32:49 +02:00
tcp_lp.c
tcp_metrics.c
tcp_minisocks.c
tcp_nv.c
tcp_offload.c
tcp_output.c tcp: allow at most one TLP probe per flight 2020-07-31 18:39:31 +02:00
tcp_rate.c
tcp_recovery.c
tcp_scalable.c
tcp_timer.c
tcp_ulp.c
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c
tunnel4.c
udp.c udp: Improve load balancing for SO_REUSEPORT. 2020-07-31 18:39:31 +02:00
udp_diag.c inet_diag: return classid for all socket types 2020-03-18 07:17:38 +01:00
udp_impl.h
udp_offload.c
udp_tunnel.c
udplite.c
xfrm4_input.c
xfrm4_output.c xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish 2020-04-29 16:33:11 +02:00
xfrm4_policy.c
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c