git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
net/smc: check for missing nlattrs in SMC_PNETID messages
author Eric Biggers <ebiggers@google.com>
Mon, 14 May 2018 00:01:30 +0000 (17:01 -0700)
committer Stefan Bader <stefan.bader@canonical.com>
Tue, 14 Aug 2018 10:27:53 +0000 (12:27 +0200)
commit 0d0c55a30de9de961b2505236a4a25de08defc8b
tree 1bc391da3e22f17bdee6cfa63ca032933699b4a3
parent b5bf17ed2a978e8ad869effa9d25e0c5ff122615
net/smc: check for missing nlattrs in SMC_PNETID messages

BugLink: http://bugs.launchpad.net/bugs/1783418
[ Upstream commit d49baa7e12ee70c0a7b821d088a770c94c02e494 ]

It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:

- Missing SMC_PNETID_NAME => null pointer dereference when comparing
  names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing
  smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing
  smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to
  smc_ib_device::pattr[-1].

Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.

Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes: 6812baabf24d ("smc: establish pnet table management")
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
net/smc/smc_pnet.c
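
The check the commit message describes (reject a message unless all four attributes are present and SMC_PNETID_IBPORT is nonzero), as an added user-space example that is neither the kernel patch nor code from this page. The PNETID_* constants, struct attr, put_attr() and pnet_validate() are constructed for the model, and treating the port as a one-byte value is an assumption.

```c
/* Added example: user-space model with constructed types, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum { PNETID_UNSPEC, PNETID_NAME, PNETID_ETHNAME, PNETID_IBNAME, PNETID_IBPORT, PNETID_MAX = PNETID_IBPORT };
struct attr { uint16_t len, type; };  /* header layout of struct nlattr */
#define ATTR_HDR  sizeof(struct attr)
#define ALIGN4(n) (((n) + 3u) & ~3u)

/* Append one attribute (helper for building sample input); returns new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *d, uint16_t dlen)
{
    struct attr a = { (uint16_t)(ATTR_HDR + dlen), type };
    memset(buf + off, 0, ALIGN4(a.len));
    memcpy(buf + off, &a, ATTR_HDR);
    memcpy(buf + off + ATTR_HDR, d, dlen);
    return off + ALIGN4(a.len);
}

/* Validate: all four attributes present and IBPORT nonzero, else -EINVAL. */
static int pnet_validate(const uint8_t *buf, size_t n, uint8_t *port_idx)
{
    const uint8_t *tb[PNETID_MAX + 1] = { 0 };  /* absent attributes stay NULL */
    struct attr a;
    while (n >= ATTR_HDR) {                     /* walk the TLV stream */
        memcpy(&a, buf, ATTR_HDR);
        if (a.len < ATTR_HDR || a.len > n)
            return -EINVAL;
        if (a.type >= PNETID_NAME && a.type <= PNETID_MAX)
            tb[a.type] = buf;
        size_t step = ALIGN4(a.len) < n ? ALIGN4(a.len) : n;
        buf += step; n -= step;
    }
    for (int t = PNETID_NAME; t <= PNETID_MAX; t++)
        if (!tb[t])                             /* the missing-attribute cases */
            return -EINVAL;
    memcpy(&a, tb[PNETID_IBPORT], ATTR_HDR);
    if (a.len < ATTR_HDR + 1 || tb[PNETID_IBPORT][ATTR_HDR] == 0)
        return -EINVAL;                         /* port 0 would index pattr[-1] */
    *port_idx = tb[PNETID_IBPORT][ATTR_HDR] - 1;
    return 0;
}

int main(void)
{   /* constructed message carrying only IBPORT: must be rejected */
    uint8_t m[8], idx, port = 1;
    return pnet_validate(m, put_attr(m, 0, PNETID_IBPORT, &port, 1), &idx) == -EINVAL ? 0 : 1;
}
```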