linux/net
YueHaibing 58bdd544e2 net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
KASAN report this:

BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401

CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 kasan_report+0x171/0x18d mm/kasan/report.c:321
 memcpy+0x1f/0x50 mm/kasan/common.c:130
 nfc_llcp_build_gb+0x37f/0x540 [nfc]
 nfc_llcp_register_device+0x6eb/0xb50 [nfc]
 nfc_register_device+0x50/0x1d0 [nfc]
 nfcsim_device_new+0x394/0x67d [nfcsim]
 ? 0xffffffffc1080000
 nfcsim_init+0x6b/0x1000 [nfcsim]
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004

nfc_llcp_build_tlv will return NULL on fails, caller should check it,
otherwise will trigger a NULL dereference.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: eda21f16a5 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes: d646960f79 ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-27 12:47:08 -08:00
..
6lowpan 6lowpan: convert to DEFINE_SHOW_ATTRIBUTE 2018-12-19 00:28:05 +01:00
9p 9p/net: put a lower bound on msize 2018-12-25 17:07:49 +09:00
802
8021q net: core: dev: Add extack argument to dev_change_flags() 2018-12-06 13:26:07 -08:00
appletalk
atm Revert "net: simplify sock_poll_wait" 2018-10-23 10:57:06 -07:00
ax25 ax25: fix possible use-after-free 2019-01-23 11:18:00 -08:00
batman-adv batman-adv: fix uninit-value in batadv_interface_tx() 2019-02-12 13:30:43 -05:00
bluetooth Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2018-12-27 13:53:32 -08:00
bpf bpf/test_run: fix unkillable BPF_PROG_TEST_RUN 2019-02-19 00:17:03 +01:00
bpfilter net: bpfilter: change section name of bpfilter UMH blob. 2019-01-16 15:46:46 -08:00
bridge Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" 2019-02-23 18:36:06 -08:00
caif Revert "net: simplify sock_poll_wait" 2018-10-23 10:57:06 -07:00
can can: bcm: check timer values before ktime conversion 2019-01-22 11:33:46 +01:00
ceph libceph: handle an empty authorize reply 2019-02-18 18:05:33 +01:00
core net: Do not allocate page fragments that are not skb aligned 2019-02-17 15:48:43 -08:00
dcb
dccp dccp: fool proof ccid_hc_[rt]x_parse_options() 2019-02-01 14:49:10 -08:00
decnet decnet: fix DN_IFREQ_SIZE 2019-01-27 23:11:55 -08:00
dns_resolver dns: Allow the dns resolver to retrieve a server set 2018-10-04 09:40:52 -07:00
dsa net: dsa: fix a leaked reference by adding missing of_node_put 2019-02-25 09:34:52 -08:00
ethernet net: ethernet: provide nvmem_get_mac_address() 2018-12-03 15:40:30 -08:00
hsr
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-24 16:19:56 -08:00
ife
ipv4 ipv4: Return error for RTA_VIA attribute 2019-02-26 13:23:17 -08:00
ipv6 ipv6: Return error for RTA_VIA attribute 2019-02-26 13:23:17 -08:00
iucv iucv: Remove SKB list assumptions. 2018-11-10 16:55:11 -08:00
kcm
key af_key: unconditionally clone on broadcast 2019-02-12 10:36:42 +01:00
l2tp l2tp: copy 4 more bytes to linear part if necessary 2019-01-31 08:58:46 -08:00
l3mdev l3mdev: add function to retreive upper master 2018-12-03 14:15:26 -08:00
lapb
llc llc: do not use sk_eat_skb() 2018-10-22 19:59:20 -07:00
mac80211 mac80211: allocate tailroom for forwarded mesh packets 2019-02-22 14:00:40 +01:00
mac802154 mac802154: Remove VLA usage of skcipher 2018-09-28 12:46:07 +08:00
mpls mpls: Return error for RTA_GATEWAY attribute 2019-02-26 13:23:17 -08:00
ncsi net/ncsi: Add NCSI Mellanox OEM command 2018-11-27 16:37:20 -08:00
netfilter ipvs: fix warning on unused variable 2019-02-16 10:41:42 +01:00
netlabel
netlink net: netlink: rename NETLINK_DUMP_STRICT_CHK -> NETLINK_GET_STRICT_CHK 2018-12-14 11:44:31 -08:00
netrom netrom: switch to sock timer API 2019-01-27 10:38:04 -08:00
nfc net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails 2019-02-27 12:47:08 -08:00
nsh
openvswitch openvswitch: Avoid OOB read when parsing flow nlattrs 2019-01-16 13:35:21 -08:00
packet net/packet: fix 4gb buffer limit due to overflow check 2019-02-12 13:37:23 -05:00
phonet phonet: fix building with clang 2019-02-21 16:23:56 -08:00
psample
qrtr
rds rds: fix refcount bug in rds_sock_addref 2019-01-31 09:43:27 -08:00
rfkill rfkill: gpio: Remove unused include 2018-12-18 13:13:56 +01:00
rose net/rose: fix NULL ax25_cb kernel panic 2019-01-27 10:40:01 -08:00
rxrpc rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-06 10:54:07 -08:00
sched net: sched: act_tunnel_key: fix NULL pointer dereference during init 2019-02-25 10:13:38 -08:00
sctp sctp: don't compare hb_timer expire date before starting it 2019-02-22 11:11:54 -08:00
smc net/smc: fix smc_poll in SMC_INIT state 2019-02-21 10:19:20 -08:00
strparser bpf, sockmap: convert to generic sk_msg interface 2018-10-15 12:23:19 -07:00
sunrpc Two small fixes, one for crashes using nfs/krb5 with older enctypes, one 2019-02-16 17:38:01 -08:00
switchdev net: switchdev: Add extack to switchdev_handle_port_obj_add() callback 2018-12-12 16:34:22 -08:00
tipc tipc: fix race condition causing hung sendto 2019-02-26 14:50:50 -08:00
tls net: tls: Fix deadlock in free_resources tx 2019-01-28 23:07:08 -08:00
unix missing barriers in some of unix_sock ->addr and ->path accesses 2019-02-20 20:06:28 -08:00
vmw_vsock vsock: cope with memory allocation failure at socket creation time 2019-02-08 22:32:05 -08:00
wimax
wireless cfg80211: prevent speculation on cfg80211_classify8021d() return 2019-02-11 15:50:56 +01:00
x25 net/x25: fix a race in x25_bind() 2019-02-23 18:41:06 -08:00
xdp Revert "xsk: simplify AF_XDP socket teardown" 2019-02-21 16:32:25 +01:00
xfrm xfrm: Fix inbound traffic via XFRM interfaces across network namespaces 2019-02-18 10:58:54 +01:00
compat.c net: socket: add check for negative optlen in compat setsockopt 2019-02-22 11:49:28 -08:00
Kconfig net: convert bridge_nf to use skb extension infrastructure 2018-12-19 11:21:37 -08:00
Makefile
socket.c net: socket: set sock->sk to NULL after calling proto_ops::release() 2019-02-25 10:40:57 -08:00
sysctl_net.c