lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20230723075452.3711158-1-linma@zju.edu.cn>
Date:   Sun, 23 Jul 2023 15:54:52 +0800
From:   Lin Ma <linma@....edu.cn>
To:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, ast@...nel.org, martin.lau@...nel.org,
        yhs@...com, andrii@...nel.org, void@...ifault.com,
        houtao1@...wei.com, laoar.shao@...il.com, inwardvessel@...il.com,
        kuniyu@...zon.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, bpf@...r.kernel.org
Cc:     Lin Ma <linma@....edu.cn>
Subject: [PATCH v1] bpf: Add length check for SK_DIAG_BPF_STORAGE_REQ_MAP_FD parsing

The nla_for_each_nested parsing in function bpf_sk_storage_diag_alloc
does not check the length of the nested attribute. This can lead to an
out-of-attribute read and allow a malformed nlattr (e.g., length 0) to
be viewed as a 4 byte integer.

This patch adds additional check before the execution of nla_get_u32 to
make sure the attribute has enough length.

Fixes: 1ed4d92458a9 ("bpf: INET_DIAG support in bpf_sk_storage")
Signed-off-by: Lin Ma <linma@....edu.cn>
---
 net/core/bpf_sk_storage.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/core/bpf_sk_storage.c b/net/core/bpf_sk_storage.c
index d4172534dfa8..6f1afbb394a6 100644
--- a/net/core/bpf_sk_storage.c
+++ b/net/core/bpf_sk_storage.c
@@ -511,6 +511,11 @@ bpf_sk_storage_diag_alloc(const struct nlattr *nla_stgs)
 		if (nla_type(nla) != SK_DIAG_BPF_STORAGE_REQ_MAP_FD)
 			continue;
 
+		if (nla_len(nla) < sizeof(map_fd)) {
+			err = -EINVAL;
+			goto err_free;
+		}
+
 		map_fd = nla_get_u32(nla);
 		map = bpf_map_get(map_fd);
 		if (IS_ERR(map)) {
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ