diff options
author | Eric Biggers <ebiggers@google.com> | 2018-05-14 03:01:30 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2018-05-14 23:40:45 +0300 |
commit | d49baa7e12ee70c0a7b821d088a770c94c02e494 (patch) | |
tree | 533f8add47270500c196ce5241e8d578283a4dc6 /net/socket.c | |
parent | 57f6f99fdad9984801cde05c1db68fe39b474a10 (diff) | |
download | linux-d49baa7e12ee70c0a7b821d088a770c94c02e494.tar.xz |
net/smc: check for missing nlattrs in SMC_PNETID messages
It's possible to crash the kernel in several different ways by sending
messages to the SMC_PNETID generic netlink family that are missing the
expected attributes:
- Missing SMC_PNETID_NAME => null pointer dereference when comparing
names.
- Missing SMC_PNETID_ETHNAME => null pointer dereference accessing
smc_pnetentry::ndev.
- Missing SMC_PNETID_IBNAME => null pointer dereference accessing
smc_pnetentry::smcibdev.
- Missing SMC_PNETID_IBPORT => out of bounds array access to
smc_ib_device::pattr[-1].
Fix it by validating that all expected attributes are present and that
SMC_PNETID_IBPORT is nonzero.
Reported-by: syzbot+5cd61039dc9b8bfa6e47@syzkaller.appspotmail.com
Fixes: 6812baabf24d ("smc: establish pnet table management")
Cc: <stable@vger.kernel.org> # v4.11+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/socket.c')
0 files changed, 0 insertions, 0 deletions