From patchwork Wed May 17 20:07:40 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alan Cox X-Patchwork-Id: 763745 X-Patchwork-Delegate: davem@davemloft.net Date: Wed, 17 May 2017 21:07:40 +0100
From: Alan Cox To: Andrey Konovalov Cc: "David S. Miller" , Alan Cox , Thomas Osterried , Javier Martinez Canillas , David Howells , Geliang Tang , netdev , LKML Subject: Re: drivers/net/hamradio: divide error in hdlcdrv_ioctl Message-ID: <20170517210740.20cbbb82@alans-desktop> In-Reply-To: References: Organization: Intel Corporation X-Mailer: Claws Mail 3.14.1 (GTK+ 2.24.31; x86_64-redhat-linux-gnu) MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org On Tue, 16 May 2017 17:05:32 +0200 Andrey Konovalov wrote: > Hi, > > I've got the following error report while fuzzing the kernel with syzkaller. > > On commit 2ea659a9ef488125eb46da6eb571de5eae5c43f6 (4.12-rc1). > > A reproducer and .config are attached. This should fix it. commit 37b3fa4b617681f00cfa1f76d6d7716cc6d9f79a Author: Alan Cox Date: Wed May 17 21:04:27 2017 +0100 hdlcdrv: Fix division by zero when bitrate is unset The code attempts to check for out of range calibration. What it forgets to do is check for the 0 bitrate case. As a result the range check itself oopses the kernel. Found by Andrey Konovalov using Syzkaller. Signed-off-by: Alan Cox diff --git a/drivers/net/hamradio/hdlcdrv.c b/drivers/net/hamradio/hdlcdrv.c index 8c3633c..9f34a48 100644 --- a/drivers/net/hamradio/hdlcdrv.c +++ b/drivers/net/hamradio/hdlcdrv.c @@ -576,7 +576,7 @@ static int hdlcdrv_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) case HDLCDRVCTL_CALIBRATE: if(!capable(CAP_SYS_RAWIO)) return -EPERM; - if (bi.data.calibrate > INT_MAX / s->par.bitrate) + if (!s->par.bitrate || bi.data.calibrate > INT_MAX / s->par.bitrate) return -EINVAL; s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; return 0;
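Review bot: The new guard in the HDLCDRVCTL_CALIBRATE case only rejects `s->par.bitrate == 0`, and the types of `s->par.bitrate` and `bi.data.calibrate` are not visible in this hunk. If either is a signed int, a negative bitrate makes `INT_MAX / s->par.bitrate` negative or zero, so the range check no longer bounds the product computed on the next line (`bi.data.calibrate * s->par.bitrate / 16`), and a negative calibrate value passes the `>` comparison as well. Consider testing `s->par.bitrate <= 0` (and `bi.data.calibrate < 0`, if signed) before the division, or note in the commit message that both fields are known to be non-negative at this point. As a style point, the added `if` line runs past 80 columns at this indentation; splitting the condition after `||` would keep it within the limit.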