[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <db846ae8-d1e8-5539-30a2-4bd04f9d3d9d@gmail.com>
Date: Wed, 31 May 2023 13:57:38 +0800
From: Hangyu Hua <hbh25y@...il.com>
To: Pieter Jansen van Vuuren <pieter.jansen-van-vuuren@....com>,
Simon Horman <simon.horman@...igine.com>
Cc: jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us,
davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
pabeni@...hat.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net: sched: fix possible OOB write in fl_set_geneve_opt()
On 30/5/2023 22:29, Pieter Jansen van Vuuren wrote:
>
>
> On 30/05/2023 12:36, Simon Horman wrote:
>> [Updated Pieter's email address, dropped old email address of mine]
>
> Thank you Simon.
>
>>
>> On Mon, May 29, 2023 at 12:36:15PM +0800, Hangyu Hua wrote:
>>> If we send two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets and their total
>>> size is 252 bytes(key->enc_opts.len = 252) then
>>> key->enc_opts.len = opt->length = data_len / 4 = 0 when the third
>>> TCA_FLOWER_KEY_ENC_OPTS_GENEVE packet enters fl_set_geneve_opt. This
>>> bypasses the next bounds check and results in an out-of-bounds.
>>>
>>> Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
>>> Signed-off-by: Hangyu Hua <hbh25y@...il.com>
>>
>> Hi Hangyu Hua,
>>
>> Thanks. I think I see the problem too.
>> But I do wonder, is this more general than Geneve options?
>> That is, can this occur with any sequence of options, that
>> consume space in enc_opts (configured in fl_set_key()) that
>> in total are more than 256 bytes?
>>
>
> Hi Hangyu Hua,
>
> Thank you for the patch. In addition to Simon's comment; I think the subject
> headline should include net, i.e. [PATCH net]. Also could you please provide
My bad. I forgot this rule. It seems this won't be included in the final
patch. Do i need to send a v2?
> an example tc filter add dev... command to replicate the issue? (Just to make
> it a bit easier to understand).
>
I use poc.c instead of commands to trigger this bug. If you want poc You
can check if there is an email named "Re: A possible LPE vulnerability
in fl_set_geneve_opt" in your e-mail. I should have sent it to you and
Simon while replying to security@...nel.org.
Thanks,
Hangyu
>>> ---
>>> net/sched/cls_flower.c | 3 +++
>>> 1 file changed, 3 insertions(+)
>>>
>>> diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
>>> index e960a46b0520..a326fbfe4339 100644
>>> --- a/net/sched/cls_flower.c
>>> +++ b/net/sched/cls_flower.c
>>> @@ -1153,6 +1153,9 @@ static int fl_set_geneve_opt(const struct nlattr *nla, struct fl_flow_key *key,
>>> if (option_len > sizeof(struct geneve_opt))
>>> data_len = option_len - sizeof(struct geneve_opt);
>>>
>>> + if (key->enc_opts.len > FLOW_DIS_TUN_OPTS_MAX - 4)
>>> + return -ERANGE;
>>> +
>>> opt = (struct geneve_opt *)&key->enc_opts.data[key->enc_opts.len];
>>> memset(opt, 0xff, option_len);
>>> opt->length = data_len / 4;
>>> --
>>> 2.34.1
>>>
>>>
Powered by blists - more mailing lists