lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 16 Aug 2021 10:13:16 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Pavel Skripkin <paskripkin@...il.com>
Cc:     Kevin Dawson <hal@...net.au>, ajk@...nets.uni-bremen.de,
        davem@...emloft.net, kuba@...nel.org, linux-hams@...r.kernel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzbot+fc8cd9a673d4577fb2e4@...kaller.appspotmail.com
Subject: Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data

On Sat, Aug 14, 2021 at 05:17:44PM +0300, Pavel Skripkin wrote:
> On 8/14/21 3:23 AM, Kevin Dawson wrote:
> > On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
> > > On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
> > > > Syzbot reported slab-out-of bounds write in decode_data().
> > > > The problem was in missing validation checks.
> > > > > Syzbot's reproducer generated malicious input, which caused
> > > > decode_data() to be called a lot in sixpack_decode(). Since
> > > > rx_count_cooked is only 400 bytes and noone reported before,
> > > > that 400 bytes is not enough, let's just check if input is malicious
> > > > and complain about buffer overrun.
> > > > > ...
> > > > > diff --git a/drivers/net/hamradio/6pack.c
> > > b/drivers/net/hamradio/6pack.c
> > > > index fcf3af76b6d7..f4ffc2a80ab7 100644
> > > > --- a/drivers/net/hamradio/6pack.c
> > > > +++ b/drivers/net/hamradio/6pack.c
> > > > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
> > > >  		return;
> > > >  	}
> > > >  > +	if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
> > > 
> > > It should be + 2 instead of + 3.
> > > 
> > > We write three bytes.  idx, idx + 1, idx + 2.  Otherwise, good fix!
> > 
> > I would suggest that the statement be:
> > 
> > 	if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
> > 
> > or even, because it's a buffer overrun test:
> > 
> > 	if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
> > 
> 
> Hmm, I think, it will be more straightforward for someone not aware about
> driver details.
> 
> @Dan, can I add your Reviewed-by tag to v3 and what do you think about
> Kevin's suggestion?
> 

I don't care.  Sure.  I'm also fine with leaving it as is.  I've been
using "idx + 2 >= sizeof()" enough recently that it has become an idiom
for me.  But that's probably a bias on my part.

I guess "idx + 3 > sizeof()" is probably the most readable.  Moving
the + 3 to the other side would prevent integer overflows but we're not
concerned about that here and no need to over engineer things if it
hurts readability.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ