[ Upstream commit ec79003c5f
] syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_control.hdr.length. Also, a pointer of struct atm_vcc is set to atmtcp_control.vcc. The notable thing is struct atmtcp_control is uAPI but has a space for an in-kernel pointer. struct atmtcp_control { struct atmtcp_hdr hdr; /* must be first */ ... atm_kptr_t vcc; /* both directions */ ... } __ATM_API_ALIGN; typedef struct { unsigned char _[8]; } __ATM_API_ALIGN atm_kptr_t; The special message is processed in atmtcp_recv_control() called from atmtcp_c_send(). atmtcp_c_send() is vcc->dev->ops->send() and called from 2 paths: 1. .ndo_start_xmit() (vcc->send() == atm_send_aal0()) 2. vcc_sendmsg() The problem is sendmsg() does not validate the message length and userspace can abuse atmtcp_recv_control() to overwrite any kptr by atmtcp_control. Let's add a new ->pre_send() hook to validate messages from sendmsg(). 
[0]: Oops: general protection fault, probably for non-canonical address 0xdffffc00200000ab: 0000 [#1] SMP KASAN PTI KASAN: probably user-memory-access in range [0x0000000100000558-0x000000010000055f] CPU: 0 UID: 0 PID: 5865 Comm: syz-executor331 Not tainted 6.17.0-rc1-syzkaller-00215-gbab3ce404553 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:atmtcp_recv_control drivers/atm/atmtcp.c:93 [inline] RIP: 0010:atmtcp_c_send+0x1da/0x950 drivers/atm/atmtcp.c:297 Code: 4d 8d 75 1a 4c 89 f0 48 c1 e8 03 42 0f b6 04 20 84 c0 0f 85 15 06 00 00 41 0f b7 1e 4d 8d b7 60 05 00 00 4c 89 f0 48 c1 e8 03 <42> 0f b6 04 20 84 c0 0f 85 13 06 00 00 66 41 89 1e 4d 8d 75 1c 4c RSP: 0018:ffffc90003f5f810 EFLAGS: 00010203 RAX: 00000000200000ab RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88802a510000 RSI: 00000000ffffffff RDI: ffff888030a6068c RBP: ffff88802699fb40 R08: ffff888030a606eb R09: 1ffff1100614c0dd R10: dffffc0000000000 R11: ffffffff8718fc40 R12: dffffc0000000000 R13: ffff888030a60680 R14: 000000010000055f R15: 00000000ffffffff FS: 00007f8d7e9236c0(0000) GS:ffff888125c1c000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000045ad50 CR3: 0000000075bde000 CR4: 00000000003526f0 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc60 net/atm/common.c:645 sock_sendmsg_nosec net/socket.c:714 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:729 ____sys_sendmsg+0x505/0x830 net/socket.c:2614 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2668 __sys_sendmsg net/socket.c:2700 [inline] __do_sys_sendmsg net/socket.c:2705 [inline] __se_sys_sendmsg net/socket.c:2703 [inline] __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2703 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f8d7e96a4a9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 
89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f8d7e923198 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f8d7e9f4308 RCX: 00007f8d7e96a4a9 RDX: 0000000000000000 RSI: 0000200000000240 RDI: 0000000000000005 RBP: 00007f8d7e9f4300 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f8d7e9c10ac R13: 00007f8d7e9231a0 R14: 0000200000000200 R15: 0000200000000250 </TASK> Modules linked in: Fixes:1da177e4c3
("Linux-2.6.12-rc2") Reported-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/68a6767c.050a0220.3d78fd.0011.GAE@google.com/ Tested-by: syzbot+1741b56d54536f4ec349@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com> Link: https://patch.msgid.link/20250821021901.2814721-1-kuniyu@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
/* SPDX-License-Identifier: GPL-2.0 */
|
|
/* atmdev.h - ATM device driver declarations and various related items */
|
|
#ifndef LINUX_ATMDEV_H
|
|
#define LINUX_ATMDEV_H
|
|
|
|
|
|
#include <linux/wait.h> /* wait_queue_head_t */
|
|
#include <linux/time.h> /* struct timeval */
|
|
#include <linux/net.h>
|
|
#include <linux/bug.h>
|
|
#include <linux/skbuff.h> /* struct sk_buff */
|
|
#include <linux/uio.h>
|
|
#include <net/sock.h>
|
|
#include <linux/atomic.h>
|
|
#include <linux/refcount.h>
|
|
#include <uapi/linux/atmdev.h>
|
|
|
|
#ifdef CONFIG_PROC_FS
|
|
#include <linux/proc_fs.h>
|
|
|
|
extern struct proc_dir_entry *atm_proc_root;
|
|
#endif
|
|
|
|
#ifdef CONFIG_COMPAT
#include <linux/compat.h>

/*
 * 32-bit userspace layout of the ATM I/O buffer descriptor used by the
 * compat ioctl path: the user buffer pointer is carried as a compat_uptr_t
 * rather than a native pointer.
 */
struct compat_atm_iobuf {
	int length;
	compat_uptr_t buffer;
};
#endif
|
|
|
|
/*
 * In-kernel AAL statistics: the __AAL_STAT_ITEMS list from
 * uapi/linux/atmdev.h instantiated with every item as an atomic_t counter.
 */
struct k_atm_aal_stats {
#define __HANDLE_ITEM(i) atomic_t i
	__AAL_STAT_ITEMS
#undef __HANDLE_ITEM
};
|
|
|
|
|
|
/* Per-device statistics, one counter group per supported AAL (see atm_dev.stats). */
struct k_atm_dev_stats {
	struct k_atm_aal_stats aal0;
	struct k_atm_aal_stats aal34;
	struct k_atm_aal_stats aal5;
};
|
|
|
|
struct device;
|
|
|
|
/*
 * Bit numbers for atm_vcc.flags (ATM_VF_*), manipulated with the test_bit()
 * family; ATM_VF2VS() maps them onto the ATM_VS_* socket states.
 */
enum {
	ATM_VF_ADDR,		/* Address is in use. Set by anybody, cleared
				   by device driver. */
	ATM_VF_READY,		/* VC is ready to transfer data. Set by device
				   driver, cleared by anybody. */
	ATM_VF_PARTIAL,		/* resources are bound to PVC (partial PVC
				   setup), controlled by socket layer */
	ATM_VF_REGIS,		/* registered with demon, controlled by SVC
				   socket layer */
	ATM_VF_BOUND,		/* local SAP is set, controlled by SVC socket
				   layer */
	ATM_VF_RELEASED,	/* demon has indicated/requested release,
				   controlled by SVC socket layer */
	ATM_VF_HASQOS,		/* QOS parameters have been set */
	ATM_VF_LISTEN,		/* socket is used for listening */
	ATM_VF_META,		/* SVC socket isn't used for normal data
				   traffic and doesn't depend on signaling
				   to be available */
	ATM_VF_SESSION,		/* VCC is p2mp session control descriptor */
	ATM_VF_HASSAP,		/* SAP has been set */
	ATM_VF_CLOSE,		/* asynchronous close - treat like VF_RELEASED*/
	ATM_VF_WAITING,		/* waiting for reply from sigd */
	ATM_VF_IS_CLIP,		/* in use by CLIP protocol */
};
|
|
|
|
|
|
/*
 * ATM_VF2VS - derive the ATM_VS_* socket state from a VCC's ATM_VF_* flag
 * word. The first set bit wins in the order READY, RELEASED, LISTEN, REGIS,
 * BOUND; none of them set means ATM_VS_IDLE.
 */
#define ATM_VF2VS(flags) \
	(test_bit(ATM_VF_READY,&(flags)) ? ATM_VS_CONNECTED : \
	 test_bit(ATM_VF_RELEASED,&(flags)) ? ATM_VS_CLOSING : \
	 test_bit(ATM_VF_LISTEN,&(flags)) ? ATM_VS_LISTEN : \
	 test_bit(ATM_VF_REGIS,&(flags)) ? ATM_VS_INUSE : \
	 test_bit(ATM_VF_BOUND,&(flags)) ? ATM_VS_BOUND : ATM_VS_IDLE)
|
|
|
|
|
|
/* Bit numbers for atm_dev.flags (ATM_DF_*); atm_dev_put() requires REMOVED to be set on final release. */
enum {
	ATM_DF_REMOVED,		/* device was removed from atm_devs list */
};
|
|
|
|
|
|
/* Values for atm_dev.signal; changes are propagated with atm_dev_signal_change(). */
#define ATM_PHY_SIG_LOST    0	/* no carrier/light */
#define ATM_PHY_SIG_UNKNOWN 1	/* carrier/light status is unknown */
#define ATM_PHY_SIG_FOUND   2	/* carrier/light okay */

/* ATM layer option bit; presumably carried in atm_vcc.atm_options — confirm against users. */
#define ATM_ATMOPT_CLP	1	/* set CLP bit */
|
|
|
|
/*
 * struct atm_vcc - kernel-side state of one ATM virtual channel connection.
 *
 * The struct sock is embedded as the first member so that atm_sk() and
 * sk_atm() can convert between the two representations with a plain cast.
 * Send-side memory accounting against sk.sk_wmem_alloc is done through
 * atm_account_tx()/atm_return_tx() below.
 */
struct atm_vcc {
	/* struct sock has to be the first member of atm_vcc */
	struct sock	sk;
	unsigned long	flags;		/* VCC flags (ATM_VF_*) */
	short		vpi;		/* VPI and VCI (types must be equal */
					/* with sockaddr) */
	int 		vci;
	unsigned long	aal_options;	/* AAL layer options */
	unsigned long	atm_options;	/* ATM layer options */
	struct atm_dev	*dev;		/* device back pointer */
	struct atm_qos	qos;		/* QOS */
	struct atm_sap	sap;		/* SAP */
	void (*release_cb)(struct atm_vcc *vcc); /* release_sock callback */
	void (*push)(struct atm_vcc *vcc,struct sk_buff *skb);
	void (*pop)(struct atm_vcc *vcc,struct sk_buff *skb); /* optional */
	int (*push_oam)(struct atm_vcc *vcc,void *cell);
	int (*send)(struct atm_vcc *vcc,struct sk_buff *skb);
	void		*dev_data;	/* per-device data */
	void		*proto_data;	/* per-protocol data */
	struct k_atm_aal_stats *stats;	/* pointer to AAL stats group */
	struct module *owner;		/* owner of ->push function */
	/* SVC part --- may move later ------------------------------------- */
	short		itf;		/* interface number */
	struct sockaddr_atmsvc local;
	struct sockaddr_atmsvc remote;
	/* Multipoint part ------------------------------------------------- */
	struct atm_vcc	*session;	/* session VCC descriptor */
	/* Other stuff ----------------------------------------------------- */
	void		*user_back;	/* user backlink - not touched by */
					/* native ATM stack. Currently used */
					/* by CLIP and sch_atm. */
};
|
|
|
|
/*
 * atm_sk - recover the VCC that embeds @sk.
 *
 * Valid because struct sock is the first member of struct atm_vcc, so the
 * two share an address.
 */
static inline struct atm_vcc *atm_sk(struct sock *sk)
{
	struct atm_vcc *vcc = (struct atm_vcc *)sk;

	return vcc;
}
|
|
|
|
/* ATM_SD - the VCC behind a BSD socket (via its struct sock). */
static inline struct atm_vcc *ATM_SD(struct socket *sock)
{
	struct sock *sk = sock->sk;

	return atm_sk(sk);
}
|
|
|
|
/* sk_atm - inverse of atm_sk(): the struct sock embedded at the start of @vcc. */
static inline struct sock *sk_atm(struct atm_vcc *vcc)
{
	struct sock *sk = (struct sock *)vcc;

	return sk;
}
|
|
|
|
/* One ATM address on a device; presumably linked into atm_dev.local or atm_dev.lecs — confirm against users. */
struct atm_dev_addr {
	struct sockaddr_atmsvc addr;	/* ATM address */
	struct list_head entry;		/* next address */
};
|
|
|
|
/* Address list selector; presumably distinguishes atm_dev.local from atm_dev.lecs — confirm against users. */
enum atm_addr_type_t { ATM_ADDR_LOCAL, ATM_ADDR_LECS };
|
|
|
|
/*
 * struct atm_dev - one registered ATM device (see atm_dev_register()).
 *
 * Lifetime is governed by @refcnt through atm_dev_hold()/atm_dev_put();
 * the final put expects ATM_DF_REMOVED to be set in @flags and then invokes
 * ops->dev_close() (if present) before releasing @class_dev.
 */
struct atm_dev {
	const struct atmdev_ops *ops;	/* device operations; NULL if unused */
	const struct atmphy_ops *phy;	/* PHY operations, may be undefined */
					/* (NULL) */
	const char	*type;		/* device type name */
	int		number;		/* device index */
	void		*dev_data;	/* per-device data */
	void		*phy_data;	/* private PHY date */
	unsigned long	flags;		/* device flags (ATM_DF_*) */
	struct list_head local;		/* local ATM addresses */
	struct list_head lecs;		/* LECS ATM addresses learned via ILMI */
	unsigned char	esi[ESI_LEN];	/* ESI ("MAC" addr) */
	struct atm_cirange ci_range;	/* VPI/VCI range */
	struct k_atm_dev_stats stats;	/* statistics */
	char		signal;		/* signal status (ATM_PHY_SIG_*) */
	int		link_rate;	/* link rate (default: OC3) */
	refcount_t	refcnt;		/* reference count */
	spinlock_t	lock;		/* protect internal members */
#ifdef CONFIG_PROC_FS
	struct proc_dir_entry *proc_entry; /* proc entry */
	char *proc_name;		/* proc entry name */
#endif
	struct device class_dev;	/* sysfs device */
	struct list_head dev_list;	/* linkage */
};
|
|
|
|
|
|
/* OF: send_Oam Flags */
|
|
|
|
#define ATM_OF_IMMED 1 /* Attempt immediate delivery */
|
|
#define ATM_OF_INRATE 2 /* Attempt in-rate delivery */
|
|
|
|
/*
 * struct atmdev_ops - driver callbacks for an ATM device.
 *
 * Every member except ->send is optional. ->dev_close runs from
 * atm_dev_put() when the last device reference is dropped.
 */
struct atmdev_ops { /* only send is required */
	void (*dev_close)(struct atm_dev *dev);
	int (*open)(struct atm_vcc *vcc);
	void (*close)(struct atm_vcc *vcc);
	int (*ioctl)(struct atm_dev *dev,unsigned int cmd,void __user *arg);
#ifdef CONFIG_COMPAT
	int (*compat_ioctl)(struct atm_dev *dev,unsigned int cmd,
			    void __user *arg);
#endif
	/*
	 * Optional validation hook for data that reaches the driver from
	 * userspace via sendmsg(), run before ->send. Drivers that interpret
	 * some skbs as in-kernel control messages (e.g. by a magic header
	 * value) must use it to reject such messages when they originate in
	 * userspace, since sendmsg() does not validate the payload itself.
	 * The call site is in the ATM socket layer, not in this header.
	 */
	int (*pre_send)(struct atm_vcc *vcc, struct sk_buff *skb);
	int (*send)(struct atm_vcc *vcc,struct sk_buff *skb);
	int (*send_oam)(struct atm_vcc *vcc,void *cell,int flags);
	void (*phy_put)(struct atm_dev *dev,unsigned char value,
	    unsigned long addr);
	unsigned char (*phy_get)(struct atm_dev *dev,unsigned long addr);
	int (*change_qos)(struct atm_vcc *vcc,struct atm_qos *qos,int flags);
	int (*proc_read)(struct atm_dev *dev,loff_t *pos,char *page);
	struct module *owner;
};
|
|
|
|
/* Callbacks of the PHY attached to an ATM device (atm_dev.phy; may be NULL). */
struct atmphy_ops {
	int (*start)(struct atm_dev *dev);
	int (*ioctl)(struct atm_dev *dev,unsigned int cmd,void __user *arg);
	void (*interrupt)(struct atm_dev *dev);
	int (*stop)(struct atm_dev *dev);
};
|
|
|
|
/*
 * Per-skb ATM control data, stored in skb->cb and reached via ATM_SKB().
 * acct_truesize is recorded by atm_account_tx() and consumed by
 * atm_return_tx(), so the charge is undone even if skb->truesize changed
 * in between.
 */
struct atm_skb_data {
	struct atm_vcc	*vcc;		/* ATM VCC */
	unsigned long	atm_options;	/* ATM layer options */
	unsigned int	acct_truesize;  /* truesize accounted to vcc */
};
|
|
|
|
#define VCC_HTABLE_SIZE 32
|
|
|
|
extern struct hlist_head vcc_hash[VCC_HTABLE_SIZE];
|
|
extern rwlock_t vcc_sklist_lock;
|
|
|
|
#define ATM_SKB(skb) (((struct atm_skb_data *) (skb)->cb))
|
|
|
|
struct atm_dev *atm_dev_register(const char *type, struct device *parent,
|
|
const struct atmdev_ops *ops,
|
|
int number, /* -1 == pick first available */
|
|
unsigned long *flags);
|
|
struct atm_dev *atm_dev_lookup(int number);
|
|
void atm_dev_deregister(struct atm_dev *dev);
|
|
|
|
/* atm_dev_signal_change
|
|
*
|
|
* Propagate lower layer signal change in atm_dev->signal to netdevice.
|
|
* The event will be sent via a notifier call chain.
|
|
*/
|
|
void atm_dev_signal_change(struct atm_dev *dev, char signal);
|
|
|
|
void vcc_insert_socket(struct sock *sk);
|
|
|
|
void atm_dev_release_vccs(struct atm_dev *dev);
|
|
|
|
/*
 * atm_account_tx - charge @skb's truesize to @vcc's send-buffer accounting
 * and remember what was charged in ATM_SKB(skb)->acct_truesize.
 *
 * ATM skbs need not belong to a sock, so skb->truesize may be adjusted
 * later (it escapes the hack in pskb_expand_head() that avoids doing so in
 * some cases). Stashing the charged value lets atm_pop_raw() uncharge
 * exactly that amount even if truesize changes in the meantime.
 */
static inline void atm_account_tx(struct atm_vcc *vcc, struct sk_buff *skb)
{
	struct sock *sk = sk_atm(vcc);
	unsigned int truesize = skb->truesize;
	struct atm_skb_data *cb = ATM_SKB(skb);

	refcount_add(truesize, &sk->sk_wmem_alloc);
	cb->acct_truesize = truesize;
	cb->atm_options = vcc->atm_options;
}
|
|
|
|
/*
 * atm_return_tx - undo the charge made by atm_account_tx() for @skb.
 *
 * Uses the stashed acct_truesize rather than the current skb->truesize.
 * The count dropping to zero here is not expected and is reported once.
 */
static inline void atm_return_tx(struct atm_vcc *vcc, struct sk_buff *skb)
{
	unsigned int charged = ATM_SKB(skb)->acct_truesize;
	refcount_t *wmem = &sk_atm(vcc)->sk_wmem_alloc;

	WARN_ON_ONCE(refcount_sub_and_test(charged, wmem));
}
|
|
|
|
/* atm_force_charge - add @truesize to @vcc's receive-buffer accounting unconditionally. */
static inline void atm_force_charge(struct atm_vcc *vcc,int truesize)
{
	atomic_t *rmem = &sk_atm(vcc)->sk_rmem_alloc;

	atomic_add(truesize, rmem);
}
|
|
|
|
|
|
/* atm_return - release @truesize bytes from @vcc's receive-buffer accounting. */
static inline void atm_return(struct atm_vcc *vcc,int truesize)
{
	atomic_t *rmem = &sk_atm(vcc)->sk_rmem_alloc;

	atomic_sub(truesize, rmem);
}
|
|
|
|
|
|
/*
 * atm_may_send - may @size more bytes be charged to @vcc's send buffer?
 *
 * Returns non-zero when the current sk_wmem_alloc plus @size stays below
 * sk_sndbuf.
 *
 * NOTE(review): @size and refcount_read() are unsigned while sk_sndbuf is
 * signed, so the comparison is performed in unsigned arithmetic, and a very
 * large @size could wrap the sum; callers are presumably passing bounded
 * sizes — confirm against callers.
 */
static inline int atm_may_send(struct atm_vcc *vcc,unsigned int size)
{
	return (size + refcount_read(&sk_atm(vcc)->sk_wmem_alloc)) <
	       sk_atm(vcc)->sk_sndbuf;
}
|
|
|
|
|
|
/* atm_dev_hold - take a reference on @dev; pair with atm_dev_put(). */
static inline void atm_dev_hold(struct atm_dev *dev)
{
	refcount_t *cnt = &dev->refcnt;

	refcount_inc(cnt);
}
|
|
|
|
|
|
/*
 * atm_dev_put - drop a reference taken with atm_dev_hold().
 *
 * When the last reference goes away the device must already have been
 * taken off the device list (ATM_DF_REMOVED set, BUG otherwise); the
 * driver's optional dev_close() callback then runs before the sysfs device
 * reference is released.
 */
static inline void atm_dev_put(struct atm_dev *dev)
{
	const struct atmdev_ops *ops;

	if (!refcount_dec_and_test(&dev->refcnt))
		return;

	BUG_ON(!test_bit(ATM_DF_REMOVED, &dev->flags));

	ops = dev->ops;
	if (ops->dev_close)
		ops->dev_close(dev);

	put_device(&dev->class_dev);
}
|
|
|
|
|
|
int atm_charge(struct atm_vcc *vcc,int truesize);
|
|
struct sk_buff *atm_alloc_charge(struct atm_vcc *vcc,int pdu_size,
|
|
gfp_t gfp_flags);
|
|
int atm_pcr_goal(const struct atm_trafprm *tp);
|
|
|
|
void vcc_release_async(struct atm_vcc *vcc, int reply);
|
|
|
|
/*
 * struct atm_ioctl - a non-device ioctl handler, registered with
 * register_atm_ioctl() and removed with deregister_atm_ioctl().
 */
struct atm_ioctl {
	struct module *owner;
	/* A module reference is kept if appropriate over this call.
	 * Return -ENOIOCTLCMD if you don't handle it. */
	int (*ioctl)(struct socket *, unsigned int cmd, unsigned long arg);
	struct list_head list;		/* linkage in the registered-handler list */
};
|
|
|
|
/**
|
|
* register_atm_ioctl - register handler for ioctl operations
|
|
*
|
|
* Special (non-device) handlers of ioctl's should
|
|
* register here. If you're a normal device, you should
|
|
* set .ioctl in your atmdev_ops instead.
|
|
*/
|
|
void register_atm_ioctl(struct atm_ioctl *);
|
|
|
|
/**
|
|
* deregister_atm_ioctl - remove the ioctl handler
|
|
*/
|
|
void deregister_atm_ioctl(struct atm_ioctl *);
|
|
|
|
|
|
/* register_atmdevice_notifier - register atm_dev notify events
|
|
*
|
|
* Clients like br2684 will register notify events
|
|
* Currently we notify of signal found/lost
|
|
*/
|
|
int register_atmdevice_notifier(struct notifier_block *nb);
|
|
void unregister_atmdevice_notifier(struct notifier_block *nb);
|
|
|
|
#endif
|