tun: call dev_get_valid_name() before register_netdevice()

congwang · Brian Maly · commit aa134544bac9 · 2019-06-25T13:58:16.000-04:00
register_netdevice() could fail early when we have an invalid dev name, in which case ->ndo_uninit() is not called. For tun device, this is a problem because a timer etc. are already initialized and it expects ->ndo_uninit() to clean them up. We could move these initializations into a ->ndo_init() so that register_netdevice() knows better, however this is still complicated due to the logic in tun_detach(). Therefore, I choose to just call dev_get_valid_name() before register_netdevice(), which is quicker and much easier to audit. And for this specific case, it is already enough. Fixes: 96442e4 ("tuntap: choose the txq based on rxq") Reported-by: Dmitry Alexeev <avekceeb@gmail.com> Cc: Jason Wang <jasowang@redhat.com> Cc: "Michael S. Tsirkin" <mst@redhat.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 0ad646c) Orabug: 29925555 CVE: CVE-2018-7191 Reviewed-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com> Signed-off-by: Allen Pais <allen.pais@oracle.com> Signed-off-by: Brian Maly <brian.maly@oracle.com>
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
@@ -1635,6 +1635,9 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 
 		if (!dev)
 			return -ENOMEM;
+		err = dev_get_valid_name(net, dev, name);
+		if (err)
+			goto err_free_dev;
 
 		dev_net_set(dev, net);
 		dev->rtnl_link_ops = &tun_link_ops;
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
@@ -3449,6 +3449,9 @@ struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
 				    unsigned char name_assign_type,
 				    void (*setup)(struct net_device *),
 				    unsigned int txqs, unsigned int rxqs);
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+		       const char *name);
+
 #define alloc_netdev(sizeof_priv, name, name_assign_type, setup) \
 	alloc_netdev_mqs(sizeof_priv, name, name_assign_type, setup, 1, 1)
 
diff --git a/net/core/dev.c b/net/core/dev.c
@@ -1088,9 +1088,8 @@ static int dev_alloc_name_ns(struct net *net,
 	return ret;
 }
 
-static int dev_get_valid_name(struct net *net,
-			      struct net_device *dev,
-			      const char *name)
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+		       const char *name)
 {
 	BUG_ON(!net);
 
@@ -1106,6 +1105,7 @@ static int dev_get_valid_name(struct net *net,
 
 	return 0;
 }
+EXPORT_SYMBOL(dev_get_valid_name);
 
 /**
  *	dev_change_name - change name of a device

Original file line number	Diff line number	Diff line change
`@@ -1088,9 +1088,8 @@ static int dev_alloc_name_ns(struct net *net,`
`1088`	`1088`	`return ret;`
`1089`	`1089`	`}`
`1090`	`1090`
`1091`		`-static int dev_get_valid_name(struct net *net,`
`1092`		`- struct net_device *dev,`
`1093`		`- const char *name)`
	`1091`	`+int dev_get_valid_name(struct net net, struct net_device dev,`
	`1092`	`+ const char *name)`
`1094`	`1093`	`{`
`1095`	`1094`	`BUG_ON(!net);`
`1096`	`1095`
`@@ -1106,6 +1105,7 @@ static int dev_get_valid_name(struct net *net,`
`1106`	`1105`
`1107`	`1106`	`return 0;`
`1108`	`1107`	`}`
	`1108`	`+EXPORT_SYMBOL(dev_get_valid_name);`
`1109`	`1109`
`1110`	`1110`	`/**`
`1111`	`1111`	`* dev_change_name - change name of a device`