lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 28 Apr 2021 23:44:56 +0800
From:   Hao Sun <sunhao.th@...il.com>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     Jamal Hadi Salim <jhs@...atatu.com>, xiyou.wangcong@...il.com,
        Jiří Pírko <jiri@...nulli.us>,
        davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: UBSAN: shift-out-of-bounds in __qdisc_calculate_pkt_len

Eric Dumazet <eric.dumazet@...il.com> 于2021年4月28日周三 下午10:15写道:
>
>
>
> On 4/28/21 4:53 AM, Hao Sun wrote:
> > Hi
> >
> > When using Healer to fuzz the Linux kernel, UBSAN reported a
> > shift-out-of-bounds bug in net/sched/sch_api.c:580:10.
> >
> > Here are the details:
> > commit:   89698becf06d341a700913c3d89ce2a914af69a2
> > version:   Linux 5.12
> > git tree:    upstream
> > kernel config, reproduction program can be found in the attached file.
> >
> > ================================================================================
> > UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
> > shift exponent 247 is too large for 32-bit type 'int'
> > CPU: 1 PID: 3176 Comm: kworker/1:2 Not tainted 5.12.0-rc7+ #3
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> > rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> > Workqueue: ipv6_addrconf addrconf_dad_work
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:79 [inline]
> >  dump_stack+0xfa/0x151 lib/dump_stack.c:120
> >  ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
> >  __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x20c lib/ubsan.c:327
> >  __qdisc_calculate_pkt_len.cold+0x1b/0xcf net/sched/sch_api.c:580
> >  qdisc_calculate_pkt_len include/net/sch_generic.h:787 [inline]
> >  __dev_xmit_skb net/core/dev.c:3803 [inline]
> >  __dev_queue_xmit+0x13b2/0x3020 net/core/dev.c:4162
> >  neigh_hh_output include/net/neighbour.h:499 [inline]
> >  neigh_output include/net/neighbour.h:508 [inline]
> >  ip_finish_output2+0xf20/0x2240 net/ipv4/ip_output.c:230
> >  __ip_finish_output net/ipv4/ip_output.c:308 [inline]
> >  __ip_finish_output+0x699/0xe20 net/ipv4/ip_output.c:290
> >  ip_finish_output+0x35/0x200 net/ipv4/ip_output.c:318
> >  NF_HOOK_COND include/linux/netfilter.h:290 [inline]
> >  ip_output+0x201/0x610 net/ipv4/ip_output.c:432
> >  dst_output include/net/dst.h:448 [inline]
> >  ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:126
> >  iptunnel_xmit+0x618/0x9f0 net/ipv4/ip_tunnel_core.c:82
> >  geneve_xmit_skb drivers/net/geneve.c:967 [inline]
> >  geneve_xmit+0xea7/0x41b0 drivers/net/geneve.c:1075
> >  __netdev_start_xmit include/linux/netdevice.h:4825 [inline]
> >  netdev_start_xmit include/linux/netdevice.h:4839 [inline]
> >  xmit_one net/core/dev.c:3605 [inline]
> >  dev_hard_start_xmit+0x1ff/0x940 net/core/dev.c:3621
> >  __dev_queue_xmit+0x2699/0x3020 net/core/dev.c:4194
> >  neigh_resolve_output net/core/neighbour.c:1491 [inline]
> >  neigh_resolve_output+0x4ee/0x810 net/core/neighbour.c:1471
> >  neigh_output include/net/neighbour.h:510 [inline]
> >  ip6_finish_output2+0xd09/0x21f0 net/ipv6/ip6_output.c:117
> >  __ip6_finish_output+0x4bb/0xe10 net/ipv6/ip6_output.c:182
> >  ip6_finish_output+0x35/0x200 net/ipv6/ip6_output.c:192
> >  NF_HOOK_COND include/linux/netfilter.h:290 [inline]
> >  ip6_output+0x242/0x810 net/ipv6/ip6_output.c:215
> >  dst_output include/net/dst.h:448 [inline]
> >  NF_HOOK include/linux/netfilter.h:301 [inline]
> >  ndisc_send_skb+0xf52/0x14c0 net/ipv6/ndisc.c:508
> >  ndisc_send_ns+0x3a9/0x840 net/ipv6/ndisc.c:650
> >  addrconf_dad_work+0xd29/0x1380 net/ipv6/addrconf.c:4119
> >  process_one_work+0x9ad/0x1620 kernel/workqueue.c:2275
> >  worker_thread+0x96/0xe20 kernel/workqueue.c:2421
> >  kthread+0x374/0x490 kernel/kthread.c:292
> >  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
> > ================================================================================
> >
>
> Can you submit a patch ?

The following modifications should have fixed this problem, and I
tested it on the latest kernel (upstream).
Do you mean I should send an formal patch? If so, I'd be happy to do so.

>
> We are at a point that we are flooded with such report. (look at syzbot queue for instance)
>
> We prefer having formal patches, and as a bonus you will be a famous linux contributor.
>
> diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
> index f87d07736a1404edcfd17a792321758cd4bdd173..265289da7e84e4a408428767a57f82c00fd85b7f 100644
> --- a/net/sched/sch_api.c
> +++ b/net/sched/sch_api.c
> @@ -504,6 +504,11 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt,
>                 return ERR_PTR(-EINVAL);
>         }
>
> +       if (s->cell_log >= 32 || s->size_log >= 32) {
> +               NL_SET_ERR_MSG(extack, "Invalid cell_log/size_log of size table");
> +               return ERR_PTR(-EINVAL);
> +       }
> +
>         list_for_each_entry(stab, &qdisc_stab_list, list) {
>                 if (memcmp(&stab->szopts, s, sizeof(*s)))
>                         continue;
>
>
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ