Re: net/can: warning in raw_setsockopt/__alloc_pages_slowpath

Fri, 02 Dec 2016 05:26:01 -0800 

On 12/02/2016 01:43 PM, Andrey Konovalov wrote:
> Hi!
> 
> I've got the following error report while running the syzkaller fuzzer.
> 
> A reproducer is attached.
> 
> On commit d8e435f3ab6fea2ea324dce72b51dd7761747523 (Nov 26).
> 
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 4009 at mm/page_alloc.c:3511
> __alloc_pages_slowpath+0x3d4/0x1bf0
> Modules linked in:
> CPU: 0 PID: 4009 Comm: a.out Not tainted 4.9.0-rc6+ #54
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffff88006832f8a8 ffffffff81c73b14 0000000000000000 0000000000000000
>  ffffffff842c6320 0000000000000000 ffff88006832f8f0 ffffffff8123dc57
>  ffff880067d86000 ffffffff00000db7 ffffffff842c6320 0000000000000db7
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff81c73b14>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>  [<ffffffff8123dc57>] __warn+0x1a7/0x1f0 kernel/panic.c:550
>  [<ffffffff8123de6c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
>  [<ffffffff81559b04>] __alloc_pages_slowpath+0x3d4/0x1bf0 mm/page_alloc.c:3511
>  [<ffffffff8155b8e2>] __alloc_pages_nodemask+0x5c2/0x710 mm/page_alloc.c:3781
>  [<ffffffff816236a4>] alloc_pages_current+0xf4/0x400 mm/mempolicy.c:2072
>  [<     inline     >] alloc_pages ./include/linux/gfp.h:469
>  [<ffffffff815a834f>] kmalloc_order+0x1f/0x70 mm/slab_common.c:1015
>  [<ffffffff815a83bf>] kmalloc_order_trace+0x1f/0x160 mm/slab_common.c:1026
>  [<     inline     >] kmalloc_large ./include/linux/slab.h:422
>  [<ffffffff81635e67>] __kmalloc_track_caller+0x227/0x2a0 mm/slub.c:4233
>  [<ffffffff8159932c>] memdup_user+0x2c/0xa0 mm/util.c:137
>  [<ffffffff8369e0de>] raw_setsockopt+0x1be/0x9f0 net/can/raw.c:506

We should add a check for a sensible optlen....

> static int raw_setsockopt(struct socket *sock, int level, int optname,
>                         char __user *optval, unsigned int optlen)
> {
>       struct sock *sk = sock->sk;
>       struct raw_sock *ro = raw_sk(sk);
>       struct can_filter *filter = NULL;  /* dyn. alloc'ed filters */
>       struct can_filter sfilter;         /* single filter */
>       struct net_device *dev = NULL;
>       can_err_mask_t err_mask = 0;
>       int count = 0;
>       int err = 0;
> 
>       if (level != SOL_CAN_RAW)
>               return -EINVAL;
> 
>       switch (optname) {
> 
>       case CAN_RAW_FILTER:
>               if (optlen % sizeof(struct can_filter) != 0)
>                       return -EINVAL;

here...

                if (optlen > 64 * sizeof(struct can_filter))
                        return -EINVAL;

> 
>               count = optlen / sizeof(struct can_filter);
> 
>               if (count > 1) {
>                       /* filter does not fit into dfilter => alloc space */
>                       filter = memdup_user(optval, optlen);
>                       if (IS_ERR(filter))
>                               return PTR_ERR(filter);
>               } else if (count == 1) {
>                       if (copy_from_user(&sfilter, optval, sizeof(sfilter)))
>                               return -EFAULT;
>               }
> 
>               lock_sock(sk);

Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to