]> git.baikalelectronics.ru Git - kernel.git/commitdiff
net_sched: fix datalen for ematch
authorCong Wang <xiyou.wangcong@gmail.com>
Wed, 22 Jan 2020 23:42:02 +0000 (15:42 -0800)
committerDavid S. Miller <davem@davemloft.net>
Thu, 23 Jan 2020 20:34:42 +0000 (21:34 +0100)
syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.

I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.

Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/sched/ematch.c

index 8f2ad706784d24b6daec7a7cee5baca2e743112f..d0140a92694a4e6185ff80bdd00ef75b7267872c 100644 (file)
@@ -263,12 +263,12 @@ static int tcf_em_validate(struct tcf_proto *tp,
                                }
                                em->data = (unsigned long) v;
                        }
+                       em->datalen = data_len;
                }
        }
 
        em->matchid = em_hdr->matchid;
        em->flags = em_hdr->flags;
-       em->datalen = data_len;
        em->net = net;
 
        err = 0;