in the (rare) case of failure in nla_nest_start(), missing NULL checks in
tcf_pedit_key_ex_dump() can make the following command
# tc action add action pedit ex munge ip ttl set 64
dereference a NULL pointer:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000000
PGD
800000007d1cd067 P4D
800000007d1cd067 PUD
7acd3067 PMD 0
Oops: 0002 [#1] SMP PTI
CPU: 0 PID: 3336 Comm: tc Tainted: G E 4.18.0.pedit+ #425
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:tcf_pedit_dump+0x19d/0x358 [act_pedit]
Code: be 02 00 00 00 48 89 df 66 89 44 24 20 e8 9b b1 fd e0 85 c0 75 46 8b 83 c8 00 00 00 49 83 c5 08 48 03 83 d0 00 00 00 4d 39 f5 <66> 89 04 25 00 00 00 00 0f 84 81 01 00 00 41 8b 45 00 48 8d 4c 24
RSP: 0018:
ffffb5d4004478a8 EFLAGS:
00010246
RAX:
ffff8880fcda2070 RBX:
ffff8880fadd2900 RCX:
0000000000000000
RDX:
0000000000000002 RSI:
ffffb5d4004478ca RDI:
ffff8880fcda206e
RBP:
ffff8880fb9cb900 R08:
0000000000000008 R09:
ffff8880fcda206e
R10:
ffff8880fadd2900 R11:
0000000000000000 R12:
ffff8880fd26cf40
R13:
ffff8880fc957430 R14:
ffff8880fc957430 R15:
ffff8880fb9cb988
FS:
00007f75a537a740(0000) GS:
ffff8880fda00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000000 CR3:
000000007a2fa005 CR4:
00000000001606f0
Call Trace:
? __nla_reserve+0x38/0x50
tcf_action_dump_1+0xd2/0x130
tcf_action_dump+0x6a/0xf0
tca_get_fill.constprop.31+0xa3/0x120
tcf_action_add+0xd1/0x170
tc_ctl_action+0x137/0x150
rtnetlink_rcv_msg+0x263/0x2d0
? _cond_resched+0x15/0x40
? rtnl_calcit.isra.30+0x110/0x110
netlink_rcv_skb+0x4d/0x130
netlink_unicast+0x1a3/0x250
netlink_sendmsg+0x2ae/0x3a0
sock_sendmsg+0x36/0x40
___sys_sendmsg+0x26f/0x2d0
? do_wp_page+0x8e/0x5f0
? handle_pte_fault+0x6c3/0xf50
? __handle_mm_fault+0x38e/0x520
? __sys_sendmsg+0x5e/0xa0
__sys_sendmsg+0x5e/0xa0
do_syscall_64+0x5b/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f75a4583ba0
Code: c3 48 8b 05 f2 62 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d fd c3 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 ae cc 00 00 48 89 04 24
RSP: 002b:
00007fff60ee7418 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00007fff60ee7540 RCX:
00007f75a4583ba0
RDX:
0000000000000000 RSI:
00007fff60ee7490 RDI:
0000000000000003
RBP:
000000005b842d3e R08:
0000000000000002 R09:
0000000000000000
R10:
00007fff60ee6ea0 R11:
0000000000000246 R12:
0000000000000000
R13:
00007fff60ee7554 R14:
0000000000000001 R15:
000000000066c100
Modules linked in: act_pedit(E) ip6table_filter ip6_tables iptable_filter binfmt_misc crct10dif_pclmul ext4 crc32_pclmul mbcache ghash_clmulni_intel jbd2 pcbc snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer cryptd glue_helper snd joydev pcspkr soundcore virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk virtio_console failover qxl crc32c_intel drm_kms_helper syscopyarea serio_raw sysfillrect sysimgblt fb_sys_fops ttm drm ata_piix virtio_pci libata virtio_ring i2c_core virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_pedit]
CR2:
0000000000000000
Like it's done for other TC actions, give up dumping pedit rules and return
an error if nla_nest_start() returns NULL.
Fixes: 7f9a4c7f565e ("net/act_pedit: Support using offset relative to the conventional network headers")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
{
struct nlattr *keys_start = nla_nest_start(skb, TCA_PEDIT_KEYS_EX);
+ if (!keys_start)
+ goto nla_failure;
for (; n > 0; n--) {
struct nlattr *key_start;
key_start = nla_nest_start(skb, TCA_PEDIT_KEY_EX);
+ if (!key_start)
+ goto nla_failure;
if (nla_put_u16(skb, TCA_PEDIT_KEY_EX_HTYPE, keys_ex->htype) ||
- nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd)) {
- nlmsg_trim(skb, keys_start);
- return -EINVAL;
- }
+ nla_put_u16(skb, TCA_PEDIT_KEY_EX_CMD, keys_ex->cmd))
+ goto nla_failure;
nla_nest_end(skb, key_start);
nla_nest_end(skb, keys_start);
return 0;
+nla_failure:
+ nla_nest_cancel(skb, keys_start);
+ return -EINVAL;
}
static int tcf_pedit_init(struct net *net, struct nlattr *nla,
opt->bindcnt = atomic_read(&p->tcf_bindcnt) - bind;
if (p->tcfp_keys_ex) {
- tcf_pedit_key_ex_dump(skb, p->tcfp_keys_ex, p->tcfp_nkeys);
+ if (tcf_pedit_key_ex_dump(skb,
+ p->tcfp_keys_ex,
+ p->tcfp_nkeys))
+ goto nla_put_failure;
if (nla_put(skb, TCA_PEDIT_PARMS_EX, s, opt))
goto nla_put_failure;