    net: macsec: fix using wrong structure in macsec_changelink() · 022e9d60
    Taehee Yoo authored
    In the macsec_changelink(), "struct macsec_tx_sa tx_sc" is used to
    store "macsec_secy.tx_sc".
    But, the struct type of tx_sc is macsec_tx_sc, not macsec_tx_sa.
    So, the macsec_tx_sc should be used instead.
    
    Test commands:
        ip link add dummy0 type dummy
        ip link add macsec0 link dummy0 type macsec
        ip link set macsec0 type macsec encrypt off
    
    Splat looks like:
    [61119.963483][ T9335] ==================================================================
    [61119.964709][ T9335] BUG: KASAN: slab-out-of-bounds in macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.965787][ T9335] Read of size 160 at addr ffff888020d69c68 by task ip/9335
    [61119.966699][ T9335]
    [61119.966979][ T9335] CPU: 0 PID: 9335 Comm: ip Not tainted 5.6.0+ #503
    [61119.967791][ T9335] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [61119.968914][ T9335] Call Trace:
    [61119.969324][ T9335]  dump_stack+0x96/0xdb
    [61119.969809][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.970554][ T9335]  print_address_description.constprop.5+0x1be/0x360
    [61119.971294][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.971973][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.972703][ T9335]  __kasan_report+0x12a/0x170
    [61119.973323][ T9335]  ? macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.973942][ T9335]  kasan_report+0xe/0x20
    [61119.974397][ T9335]  check_memory_region+0x149/0x1a0
    [61119.974866][ T9335]  memcpy+0x1f/0x50
    [61119.975209][ T9335]  macsec_changelink.part.34+0xb6/0x200 [macsec]
    [61119.975825][ T9335]  ? macsec_get_stats64+0x3e0/0x3e0 [macsec]
    [61119.976451][ T9335]  ? kernel_text_address+0x111/0x120
    [61119.976990][ T9335]  ? pskb_expand_head+0x25f/0xe10
    [61119.977503][ T9335]  ? stack_trace_save+0x82/0xb0
    [61119.977986][ T9335]  ? memset+0x1f/0x40
    [61119.978397][ T9335]  ? __nla_validate_parse+0x98/0x1ab0
    [61119.978936][ T9335]  ? macsec_alloc_tfm+0x90/0x90 [macsec]
    [61119.979511][ T9335]  ? __kasan_slab_free+0x111/0x150
    [61119.980021][ T9335]  ? kfree+0xce/0x2f0
    [61119.980700][ T9335]  ? netlink_trim+0x196/0x1f0
    [61119.981420][ T9335]  ? nla_memcpy+0x90/0x90
    [61119.982036][ T9335]  ? register_lock_class+0x19e0/0x19e0
    [61119.982776][ T9335]  ? memcpy+0x34/0x50
    [61119.983327][ T9335]  __rtnl_newlink+0x922/0x1270
    [ ... ]
    
    Fixes: 3cf3227a ("net: macsec: hardware offloading infrastructure")
    Signed-off-by: Taehee Yoo <ap420073@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
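
The bug class described in the commit message, as an added userland example that is not part of the commit or the kernel source: a saved copy declared with the wrong struct type makes a `sizeof`-driven `memcpy()` read past the source object, and a type-checked copy macro turns that mismatch into a build error. The `demo_*` structs and their layouts, the `SNAPSHOT()` macro and the save/restore flow are assumptions made for illustration; the macro relies on GCC/Clang builtins.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins, not the kernel's real struct layouts. */
struct demo_tx_sa { unsigned char key[128]; unsigned int next_pn; int active; };
struct demo_tx_sc { int active; unsigned char encoding_sa; int encrypt; };
struct demo_secy { int operational; struct demo_tx_sc tx_sc; };

/* Copy *src into *dst only when both have the same type. A mismatched
 * backup variable then fails to compile instead of over-reading at
 * run time. Uses GCC/Clang builtins (assumption: such a compiler). */
#define SNAPSHOT(dst, src) do {                                          \
	_Static_assert(__builtin_types_compatible_p(__typeof__(*(dst)),  \
						    __typeof__(*(src))), \
		       "snapshot type differs from source type");        \
	memcpy((dst), (src), sizeof(*(dst)));                            \
} while (0)

/* Bytes that memcpy(&backup, &secy->tx_sc, sizeof(backup)) would read
 * beyond the end of demo_secy if backup were a struct demo_tx_sa. */
size_t overread_bytes(void)
{
	size_t avail = sizeof(struct demo_secy) -
		       offsetof(struct demo_secy, tx_sc);
	size_t want = sizeof(struct demo_tx_sa);

	return want > avail ? want - avail : 0;
}

/* Change a setting, restoring the saved state when 'fail' is set. */
int change_encrypt(struct demo_secy *secy, int encrypt, int fail)
{
	struct demo_tx_sc saved;	/* same type as secy->tx_sc */

	SNAPSHOT(&saved, &secy->tx_sc);
	secy->tx_sc.encrypt = encrypt;
	if (fail) {
		SNAPSHOT(&secy->tx_sc, &saved);
		return -1;
	}
	return 0;
}
```

Declaring `saved` as `struct demo_tx_sa` in `change_encrypt()` makes the `_Static_assert` fire at build time.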
macsec.c 106 KB