lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 5 Mar 2024 11:20:49 +0800
From: Sam Sun <samsun1006219@...il.com>
To: Jay Vosburgh <jay.vosburgh@...onical.com>
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, andy@...yhouse.net, 
	davem@...emloft.net, Eric Dumazet <edumazet@...gle.com>, kuba@...nel.org, 
	pabeni@...hat.com
Subject: Re: [PATCH net] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

On Tue, Mar 5, 2024 at 10:47 AM Jay Vosburgh <jay.vosburgh@...onical.com> wrote:
>
> Sam Sun <samsun1006219@...il.com> wrote:
>
> >Dear kernel developers and maintainers,
> >
> >We found a bug through our modified Syzkaller. In function
> >bond_option_arp_ip_targets_set(), if newval->string is an empty
> >string, newval->string+1 will point to the byte after the string,
> >causing an out-of-bound read.  KASAN report is listed below.
>
>         Conceptually, the change here seems fine.  However, I don't
> think including the full KASAN report adds much to the description
> above.
>

Thanks for pointing this out! I will remove this next time when I
submit a patch.

> >We developed a patch to fix this problem. Check the string length
> >first before calling in4_pton().
> >
> >Reported-by: Yue Sun <samsun1006219@...il.com>
> >Signed-off-by: Yue Sun <samsun1006219@...il.com>
> >
> >diff --git a/drivers/net/bonding/bond_options.c
> >b/drivers/net/bonding/bond_options.c
> >index f3f27f0bd2a6..a6d01055f455 100644
> >--- a/drivers/net/bonding/bond_options.c
> >+++ b/drivers/net/bonding/bond_options.c
> >@@ -1198,7 +1198,7 @@ static int bond_option_arp_ip_targets_set(struct
> >bonding *bond,
> >     __be32 target;
> >
> >     if (newval->string) {
> >-        if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
> >+        if (!strlen(newval->string) || !in4_pton(newval->string+1,
> >-1, (u8 *)&target, -1, NULL)) {
>
>         The text beginning with "-1," is a separate line, and something
> messed up the tabs.  Also, this should be rewritten as
>
>                 if (!strlen(newval->string) ||
>                     !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
>
>         to avoid a long line.
>

Yes you are right, I should have used the checkpatch script before
submitting the patch. Sorry for the inconvenience.

>         -J
>
> >             netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
> >                    &target);
> >             return ret;
> >
>
>
> ---
>         -Jay Vosburgh, jay.vosburgh@...onical.com

I modified the patch and it is listed below.

Reported-by: Yue Sun <samsun1006219@...il.com>
Signed-off-by: Yue Sun <samsun1006219@...il.com>
diff --git a/drivers/net/bonding/bond_options.c
b/drivers/net/bonding/bond_options.c
index f3f27f0bd2a6..7f765b42fad4 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1198,7 +1198,8 @@ static int bond_option_arp_ip_targets_set(struct
bonding *bond,
     __be32 target;

     if (newval->string) {
-        if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
+        if (!strlen(newval->string) ||
+            !in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
             netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
                    &target);
             return ret;

Best Regards,
Yue

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ