| Message ID | 20200712210300.200399-1-yepeilin.cs@gmail.com |
|---|---|
| State | Not Applicable |
| Delegated to | David Miller |
| Series | [Linux-kernel-mentees,net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter() |
On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote: > qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count` > equals to zero. Fix it by rejecting zero-length kzalloc() requests. > > This patch fixes the following syzbot bug: > > https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a > > Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> > --- > net/qrtr/tun.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c > index 15ce9b642b25..5465e94ba8e5 100644 > --- a/net/qrtr/tun.c > +++ b/net/qrtr/tun.c > @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from) > ssize_t ret; > void *kbuf; > > + if (!len) > + return -EINVAL; > + > kbuf = kzalloc(len, GFP_KERNEL); > if (!kbuf) > return -ENOMEM; Wasn't this already fixed by: commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 Author: Dan Carpenter <dan.carpenter@oracle.com> Date: Tue Jun 30 14:46:15 2020 +0300 net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
On Sun, Jul 12, 2020 at 02:36:31PM -0700, Eric Biggers wrote: > On Sun, Jul 12, 2020 at 05:03:00PM -0400, Peilin Ye wrote: > > qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count` > > equals to zero. Fix it by rejecting zero-length kzalloc() requests. > > > > This patch fixes the following syzbot bug: > > > > https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a > > > > Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com > > Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> > > --- > > net/qrtr/tun.c | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c > > index 15ce9b642b25..5465e94ba8e5 100644 > > --- a/net/qrtr/tun.c > > +++ b/net/qrtr/tun.c > > @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from) > > ssize_t ret; > > void *kbuf; > > > > + if (!len) > > + return -EINVAL; > > + > > kbuf = kzalloc(len, GFP_KERNEL); > > if (!kbuf) > > return -ENOMEM; > > Wasn't this already fixed by: > > commit 8ff41cc21714704ef0158a546c3c4d07fae2c952 > Author: Dan Carpenter <dan.carpenter@oracle.com> > Date: Tue Jun 30 14:46:15 2020 +0300 > > net: qrtr: Fix an out of bounds read qrtr_endpoint_post() Yep. If you're using kmalloc() you can allocate a zero byte buffer but you just can't access the array. for (i = 0; i < 0; i++) works. It's interesting because at the time, I wrote the patch I thought "len" probably couldn't be zero but I just checked it for completeness and readability. regards, dan carpenter
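The point Dan Carpenter makes above, and the failure mode the commit message describes, can be modelled outside the kernel. The following is an added example and not code from the thread or from net/qrtr: `model_kzalloc()`, `model_kfree()`, `write_iter_unchecked()`, `write_iter_checked()` and `sum_bytes()` are hypothetical userspace stand-ins, and `ZERO_SIZE_PTR` / `ZERO_OR_NULL_PTR` are local re-definitions of the kernel convention (a zero-length allocation returns a small non-NULL sentinel, so a plain NULL check does not catch it). The unchecked variant reports the hazard as a return value instead of dereferencing the sentinel.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Userspace model of the kernel convention (assumption for this example):
 * kmalloc()/kzalloc() with size 0 return ZERO_SIZE_PTR, a small non-NULL
 * sentinel, so callers cannot mistake it for an allocation failure. */
#define ZERO_SIZE_PTR ((void *)16)
#define ZERO_OR_NULL_PTR(x) ((uintptr_t)(x) <= (uintptr_t)ZERO_SIZE_PTR)

static void *model_kzalloc(size_t len)
{
    if (len == 0)
        return ZERO_SIZE_PTR;
    return calloc(1, len);
}

static void model_kfree(void *p)
{
    /* kfree() accepts both NULL and ZERO_SIZE_PTR; only real memory is freed */
    if (!ZERO_OR_NULL_PTR(p))
        free(p);
}

/* Shape from before the patch: the NULL check passes the sentinel through.
 * Returns 1 if kbuf would be dereferenced as ZERO_SIZE_PTR, 0 if the copy is
 * safe, or a negative errno; the hazard is reported, not triggered. */
static int write_iter_unchecked(const unsigned char *src, size_t len)
{
    void *kbuf = model_kzalloc(len);
    if (!kbuf)
        return -ENOMEM;
    int hazard = (kbuf == ZERO_SIZE_PTR); /* memcpy() here would fault */
    if (!hazard)
        memcpy(kbuf, src, len);
    model_kfree(kbuf);
    return hazard;
}

/* Shape after the patch: reject len == 0 before allocating, so kbuf is
 * either NULL (handled) or a real buffer of at least one byte. */
static ssize_t write_iter_checked(const unsigned char *src, size_t len)
{
    if (!len)
        return -EINVAL;
    void *kbuf = model_kzalloc(len);
    if (!kbuf)
        return -ENOMEM;
    memcpy(kbuf, src, len);
    /* ... the real driver hands kbuf to the endpoint here ... */
    model_kfree(kbuf);
    return (ssize_t)len;
}

/* Dan's observation: a loop bounded by len never touches the sentinel,
 * because "for (i = 0; i < 0; i++)" runs zero iterations. */
static size_t sum_bytes(const unsigned char *buf, size_t len)
{
    size_t total = 0;
    for (size_t i = 0; i < len; i++)
        total += buf[i];
    return total;
}
```

The contrast worth keeping in mind when reviewing allocation sites: a zero-length kmalloc()/kzalloc() is not an error and the `!kbuf` check is correct for what it tests, so the defence has to be either an explicit length check before the allocation (as the patch does) or code that never indexes the buffer beyond `len`.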
diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..5465e94ba8e5 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -80,6 +80,9 @@ static ssize_t qrtr_tun_write_iter(struct kiocb *iocb, struct iov_iter *from) ssize_t ret; void *kbuf; + if (!len) + return -EINVAL; + kbuf = kzalloc(len, GFP_KERNEL); if (!kbuf) return -ENOMEM;
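Review bot: the added `if (!len) return -EINVAL;` duplicates the length check that Eric Biggers points to as already upstream in commit 8ff41cc21714 ("net: qrtr: Fix an out of bounds read qrtr_endpoint_post()"), so the patch should be rebased against a tree that carries that commit and dropped if the check is already present, or the commit message should say why a second check at this call site is still needed. The shape of the check itself is right: kzalloc(0) returns ZERO_SIZE_PTR rather than NULL, so the existing `if (!kbuf) return -ENOMEM;` cannot catch a zero-length request and a later use of kbuf hits the sentinel. If the check is kept, consider whether a zero-byte write should fail with -EINVAL or return 0, and add a Fixes: tag naming the commit that introduced the allocation so stable maintainers can pick it up.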
qrtr_tun_write_iter() is dereferencing `ZERO_SIZE_PTR`s when `from->count`
equals zero. Fix it by rejecting zero-length kzalloc() requests.

This patch fixes the following syzbot bug:

https://syzkaller.appspot.com/bug?id=f56bbe6668873ee245986bbd23312b895fa5a50a

Reported-by: syzbot+03e343dbccf82a5242a2@syzkaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
---
 net/qrtr/tun.c | 3 +++
 1 file changed, 3 insertions(+)