From patchwork Mon Oct 30 22:50:11 2017
X-Patchwork-Submitter: Craig Gallek
X-Patchwork-Id: 832201
X-Patchwork-Delegate: davem@davemloft.net
From: Craig Gallek
To: "David S . Miller"
Cc: netdev@vger.kernel.org
Subject: [PATCH net] tun/tap: sanitize TUNSETSNDBUF input
Date: Mon, 30 Oct 2017 18:50:11 -0400
Message-Id: <20171030225011.184639-1-kraigatgoog@gmail.com>
X-Mailing-List: netdev@vger.kernel.org
From: Craig Gallek

Syzkaller found several variants of the lockup below by setting negative
values with the TUNSETSNDBUF ioctl.  This patch adds a sanity check to
both the tun and tap versions of this ioctl.

watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
Modules linked in:
irq event stamp: 329692056
hardirqs last  enabled at (329692055): [] _raw_spin_unlock_irqrestore+0x31/0x75
hardirqs last disabled at (329692056): [] apic_timer_interrupt+0x98/0xb0
softirqs last  enabled at (35659740): [] __do_softirq+0x328/0x48c
softirqs last disabled at (35659731): [] irq_exit+0xbc/0xd0
CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880009452140 task.stack: ffff880006a20000
RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
RSP: 0018:ffff880006a27c50 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff10
RAX: ffff880009ac68d0 RBX: ffff880006a27ce0 RCX: 0000000000000000
RDX: 0000000000000001 RSI: ffff880006a27ce0 RDI: ffff880009ac6900
RBP: ffff880006a27c60 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 000000000063ff00 R12: ffff880009ac6900
R13: ffff880006a27cf8 R14: 0000000000000001 R15: ffff880006a27cf8
FS:  00007f4be4838700(0000) GS:ffff88000cc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020101000 CR3: 0000000009616000 CR4: 00000000000006f0
Call Trace:
 prepare_to_wait+0x26/0xc0
 sock_alloc_send_pskb+0x14e/0x270
 ? remove_wait_queue+0x60/0x60
 tun_get_user+0x2cc/0x19d0
 ? __tun_get+0x60/0x1b0
 tun_chr_write_iter+0x57/0x86
 __vfs_write+0x156/0x1e0
 vfs_write+0xf7/0x230
 SyS_write+0x57/0xd0
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f4be4356df9
RSP: 002b:00007ffc18101c08 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f4be4356df9
RDX: 0000000000000046 RSI: 0000000020101000 RDI: 0000000000000005
RBP: 00007ffc18101c40 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000293 R12: 0000559c75f64780
R13: 00007ffc18101d30 R14: 0000000000000000 R15: 0000000000000000

Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
Fixes: 20d29d7a916a ("net: macvtap driver")
Signed-off-by: Craig Gallek
Reviewed-by: Eric Dumazet
---
 drivers/net/tap.c | 2 ++
 drivers/net/tun.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c index 1b10fcc6a58d..6c0c84c33e1f 100644 --- a/drivers/net/tap.c +++ b/drivers/net/tap.c @@ -1032,6 +1032,8 @@ static long tap_ioctl(struct file *file, unsigned int cmd, case TUNSETSNDBUF: if (get_user(s, sp)) return -EFAULT; + if (s <= 0) + return -EINVAL; q->sk.sk_sndbuf = s; return 0; diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 5550f56cb895..42bb820a56c9 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -2429,6 +2429,10 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd, ret = -EFAULT; break; } + if (sndbuf <= 0) { + ret = -EINVAL; + break; + } tun->sndbuf = sndbuf; tun_set_sndbuf(tun);
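Review bot: the tap.c hunk rejects zero as well as negative values (`if (s <= 0) return -EINVAL;`), but the changelog only talks about negative values; please state in the commit message why 0 is also invalid so that nobody later relaxes the test to `s < 0`. The hunk also leaves the upper bound open: `q->sk.sk_sndbuf = s;` stores whatever positive int the caller supplies without any clamp, and if that is intentional a one-line comment above the check saying so would help the next reader.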
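Review bot: the tun.c hunk duplicates the tap.c check (`if (sndbuf <= 0) { ret = -EINVAL; break; }`) in a second driver; the two bounds could live in one small shared helper, or at minimum each site could carry a comment pointing at the other, so that they stay in sync when one is changed. Placement is right: the check sits after the `get_user` failure path and before `tun->sndbuf = sndbuf; tun_set_sndbuf(tun);`, so an invalid value is never propagated to the per-queue sockets. As in tap.c, there is no upper-bound check on `sndbuf`.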