lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20221206162556.ibgw6xyi7jnjwbsg@skbuf>
Date:   Tue, 6 Dec 2022 18:25:56 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     Greg KH <gregkh@...uxfoundation.org>,
        "Radu Nicolae Pirea (OSS)" <radu-nicolae.pirea@....nxp.com>
Cc:     netdev@...r.kernel.org, stable@...r.kernel.org,
        linux-kernel@...r.kernel.org, andrew@...n.ch, pabeni@...hat.com,
        kuba@...nel.org, edumazet@...gle.com, davem@...emloft.net,
        f.fainelli@...il.com, Radu Pirea <radu-nicolae.pirea@....com>
Subject: Re: [PATCH] net: dsa: sja1105: fix slab-out-of-bounds in
 sja1105_setup

On Tue, Dec 06, 2022 at 05:06:00PM +0100, Greg KH wrote:
> On Tue, Dec 06, 2022 at 05:11:36PM +0200, Radu Nicolae Pirea (OSS) wrote:
> > From: Radu Pirea <radu-nicolae.pirea@....com>
> > 
> > Fix slab-out-of-bounds in sja1105_setup.
> > 
> > Kernel log:
> 
> <snip>
> 
> This log doesn't say much, sorry.  Please read the kernel documentation
> for how to write a good changelog text and how to submit a patch to the
> stable trees (hint, this isn't how...)

Agree with Greg.

The commit description should say that the SJA1105 family has 45 L2
policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has
110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but
accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110)
does not fully explain the difference. Rather, the SJA1110 also has L2
ingress policers for multicast traffic. If a packet is classified as
multicast, it will be processed by the policer index 99 + SRCPORT.

The sja1105_setup() function initializes all L2 policers such that they
don't interfere with normal packet reception by default. To have common
code between SJA1105 and SJA1110, the index of the multicast policer for
the port is calculated, and because it's an index that is out of bounds
for SJA1105 but in bounds for SJA1110, a bounds check is performed.

The code fails to do the proper thing when determining what to do with
the multicast policer of port 0 on SJA1105 (ds->num_ports = 5). The
"mcast" index will be equal to 45, which is also equal to
table->ops->max_entry_count (SJA1105_MAX_L2_POLICING_COUNT). So it
passes through the check. But at the same time, SJA1105 doesn't have
multicast policers. So the code programs the SHARINDX field of an
out-of-bounds element in the L2 Policing table of the static config.

The comparison between index 45 and 45 entries should have determined
the code to not access this policer index on SJA1105, since its memory
wasn't even allocated.

With enough bad luck, the out of bounds write could even overwrite other
valid kernel data, but in this case the issue was detected using KASAN.

Or something like that. The point is that you should use the commit
description to prove to yourself (and also to readers) that the change
is correct.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ