developer | 7e32f7e | 2022-05-18 21:10:08 +0800 | [diff] [blame] | 1 | From 022e9d6090599c0593c78e87dc9ba98a290e6bc4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Taehee Yoo <ap420073@gmail.com> |
| 3 | Date: Thu, 9 Apr 2020 14:08:08 +0000 |
| 4 | Subject: net: macsec: fix using wrong structure in macsec_changelink() |
| 5 | |
| 6 | In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to |
| 7 | store "macsec_secy.tx_sc". |
| 8 | But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa. |
| 9 | So, the macsec_tx_sc should be used instead. |
| 10 | |
| 11 | Test commands: |
| 12 | ip link add dummy0 type dummy |
| 13 | ip link add macsec0 link dummy0 type macsec |
| 14 | ip link set macsec0 type macsec encrypt off |
| 15 | |
| 16 | Splat looks like: |
| 17 | [61119.963483][ T9335] ================================================================== |
| 18 | [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 19 | [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335 |
| 20 | [61119.966699][ T9335] |
| 21 | [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503 |
| 22 | [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 |
| 23 | [61119.968914][ T9335] Call Trace: |
| 24 | [61119.969324][ T9335] dump_stack+0x96/0xdb |
| 25 | [61119.969809][ T9335] ? macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 26 | [61119.970554][ T9335] print_address_description.constprop.5+0x1be/0x360 |
| 27 | [61119.971294][ T9335] ? macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 28 | [61119.971973][ T9335] ? macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 29 | [61119.972703][ T9335] __kasan_report+0x12a/0x170 |
| 30 | [61119.973323][ T9335] ? macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 31 | [61119.973942][ T9335] kasan_report+0xe/0x20 |
| 32 | [61119.974397][ T9335] check_memory_region+0x149/0x1a0 |
| 33 | [61119.974866][ T9335] memcpy+0x1f/0x50 |
| 34 | [61119.975209][ T9335] macsec_changelink.part.34+0xb6/0x200 [macsec] |
| 35 | [61119.975825][ T9335] ? macsec_get_stats64+0x3e0/0x3e0 [macsec] |
| 36 | [61119.976451][ T9335] ? kernel_text_address+0x111/0x120 |
| 37 | [61119.976990][ T9335] ? pskb_expand_head+0x25f/0xe10 |
| 38 | [61119.977503][ T9335] ? stack_trace_save+0x82/0xb0 |
| 39 | [61119.977986][ T9335] ? memset+0x1f/0x40 |
| 40 | [61119.978397][ T9335] ? __nla_validate_parse+0x98/0x1ab0 |
| 41 | [61119.978936][ T9335] ? macsec_alloc_tfm+0x90/0x90 [macsec] |
| 42 | [61119.979511][ T9335] ? __kasan_slab_free+0x111/0x150 |
| 43 | [61119.980021][ T9335] ? kfree+0xce/0x2f0 |
| 44 | [61119.980700][ T9335] ? netlink_trim+0x196/0x1f0 |
| 45 | [61119.981420][ T9335] ? nla_memcpy+0x90/0x90 |
| 46 | [61119.982036][ T9335] ? register_lock_class+0x19e0/0x19e0 |
| 47 | [61119.982776][ T9335] ? memcpy+0x34/0x50 |
| 48 | [61119.983327][ T9335] __rtnl_newlink+0x922/0x1270 |
| 49 | [ ... ] |
| 50 | |
| 51 | Fixes: 3cf3227a21d1 ("net: macsec: hardware offloading infrastructure") |
| 52 | Signed-off-by: Taehee Yoo <ap420073@gmail.com> |
| 53 | Signed-off-by: David S. Miller <davem@davemloft.net> |
| 54 | --- |
| 55 | drivers/net/macsec.c | 2 +- |
| 56 | 1 file changed, 1 insertion(+), 1 deletion(-) |
| 57 | |
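--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@@ -3809,7 +3809,7 @@ static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
 struct netlink_ext_ack *extack)
 {
 struct macsec_dev *macsec = macsec_priv(dev);
- struct macsec_tx_sa tx_sc;
+ struct macsec_tx_sc tx_sc;
 struct macsec_secy secy;
 int ret;
 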
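Review bot: Nothing at the declaration `struct macsec_tx_sc tx_sc;` ties the local's type to the field it snapshots, so the mismatch corrected here could be reintroduced without any compile-time signal. The copy that KASAN flagged (the `memcpy` under macsec_changelink in the trace) is outside the visible lines and presumably takes its length from the local variable, which is how a wrong type became a 160-byte out-of-bounds slab read. If so, a plain struct assignment such as `tx_sc = macsec->secy.tx_sc;` would make the compiler reject a wrong type. A short comment on the declaration, e.g. `/* snapshot of secy.tx_sc; type must match that field */`, would record the constraint. The function body continues past the end of the hunk, so this should be checked against the full function.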
| 71 | -- |
| 72 | cgit 1.2.3-1.el7 |
| 73 | |