Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
On Tue, Aug 11, 2020 at 03:46:40AM -0400, Peilin Ye wrote: > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > zero. Fix it. Applied to nf-next, thanks.
Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
On Tue, Aug 11, 2020 at 02:59:59PM +0200, Simon Horman wrote: > On Tue, Aug 11, 2020 at 01:29:04PM +0300, Julian Anastasov wrote: > > > > Hello, > > > > On Tue, 11 Aug 2020, Peilin Ye wrote: > > > > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > > > zero. Fix it. > > > > > > Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com > > > Link: > > > https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 > > > Suggested-by: Julian Anastasov > > > Signed-off-by: Peilin Ye > > > > Looks good to me, thanks! > > > > Acked-by: Julian Anastasov > > Pablo, could you consider this for nf-next or should we repost when > net-next re-opens? No worries, it will sit in netfilter's patchwork until net-next reopens.
Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
On Tue, Aug 11, 2020 at 01:29:04PM +0300, Julian Anastasov wrote: > > Hello, > > On Tue, 11 Aug 2020, Peilin Ye wrote: > > > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > > zero. Fix it. > > > > Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com > > Link: > > https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 > > Suggested-by: Julian Anastasov > > Signed-off-by: Peilin Ye > > Looks good to me, thanks! > > Acked-by: Julian Anastasov Pablo, could you consider this for nf-next or should we repost when net-next re-opens? Reviewed-by: Simon Horman
Re: [Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
Hello, On Tue, 11 Aug 2020, Peilin Ye wrote: > do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is > zero. Fix it. > > Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com > Link: > https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 > Suggested-by: Julian Anastasov > Signed-off-by: Peilin Ye Looks good to me, thanks! Acked-by: Julian Anastasov > --- > Changes in v2: > - Target net-next tree. (Suggested by Julian Anastasov ) > - Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead > of initializing `arg`. (Suggested by Cong Wang > , Julian Anastasov ) > > net/netfilter/ipvs/ip_vs_ctl.c | 7 --- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c > index 412656c34f20..beeafa42aad7 100644 > --- a/net/netfilter/ipvs/ip_vs_ctl.c > +++ b/net/netfilter/ipvs/ip_vs_ctl.c > @@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user > *user, unsigned int len) > /* Set timeout values for (tcp tcpfin udp) */ > ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); > goto out_unlock; > + } else if (!len) { > + /* No more commands with len == 0 below */ > + ret = -EINVAL; > + goto out_unlock; > } > > usvc_compat = (struct ip_vs_service_user *)arg; > @@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user > *user, unsigned int len) > break; > case IP_VS_SO_SET_DELDEST: > ret = ip_vs_del_dest(svc, &udest); > - break; > - default: > - ret = -EINVAL; > } > >out_unlock: > -- > 2.25.1 Regards -- Julian Anastasov
[Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()
do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is zero. Fix it. Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 Suggested-by: Julian Anastasov Signed-off-by: Peilin Ye --- Changes in v2: - Target net-next tree. (Suggested by Julian Anastasov ) - Reject all `len == 0` requests except `IP_VS_SO_SET_FLUSH`, instead of initializing `arg`. (Suggested by Cong Wang , Julian Anastasov ) net/netfilter/ipvs/ip_vs_ctl.c | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 412656c34f20..beeafa42aad7 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -2471,6 +2471,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) /* Set timeout values for (tcp tcpfin udp) */ ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); goto out_unlock; + } else if (!len) { + /* No more commands with len == 0 below */ + ret = -EINVAL; + goto out_unlock; } usvc_compat = (struct ip_vs_service_user *)arg; @@ -2547,9 +2551,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) break; case IP_VS_SO_SET_DELDEST: ret = ip_vs_del_dest(svc, &udest); - break; - default: - ret = -EINVAL; } out_unlock: -- 2.25.1