lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <f387b6098460f4da0f5ec24c1692190155863de4.camel@mediatek.com>
Date: Tue, 20 Feb 2024 10:01:54 +0000
From: Lena Wang (王娜) <Lena.Wang@...iatek.com>
To: "fw@...len.de" <fw@...len.de>, "davem@...emloft.net"
	<davem@...emloft.net>, "pablo@...filter.org" <pablo@...filter.org>,
	"kadlec@...filter.org" <kadlec@...filter.org>
CC: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>
Subject: [PATCH] Add protection for bmp length out of range

From 39a008cc80e0373ed0cffdc2f27daba5592c2012 Mon Sep 17 00:00:00 2001
From: lena wang <lena.wang@...iatek.com>
Date: Tue, 20 Feb 2024 14:00:31 +0800
Subject: [PATCH] Add protection for bmp length out of range

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux   get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux   ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux   nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>
vmlinux   ipv4_confirm() + 204
<net/netfilter/nf_conntrack_proto.c:169>
vmlinux   nf_hook_entry_hookfn() + 56
<include/linux/netfilter.h:137>
vmlinux   nf_hook_slow(s=0) + 156
<net/netfilter/core.c:584>
vmlinux   nf_hook(pf=2, hook=1, sk=0, outdev=0) + 748
<include/linux/netfilter.h:254>
vmlinux   NF_HOOK(pf=2, hook=1, sk=0, out=0) + 748
<include/linux/netfilter.h:297>
vmlinux   ip_local_deliver() + 1072
<net/ipv4/ip_input.c:252>
vmlinux   dst_input() + 64
<include/net/dst.h:443>
vmlinux   ip_rcv_finish(sk=0) + 120
<net/ipv4/ip_input.c:435>
vmlinux   NF_HOOK(pf=2, hook=0, sk=0, out=0) + 136
<include/linux/netfilter.h:299>
vmlinux   ip_rcv() + 320
<net/ipv4/ip_input.c:546>
vmlinux   deliver_skb(orig_dev=0xFFFFFFD0080B7F5C) + 268
<net/core/dev.c:2274>
vmlinux   deliver_ptype_list_skb(orig_dev=0xFFFFFFD008037AB8) + 96
<net/core/dev.c:2289>
vmlinux   __netif_receive_skb_core(pfmemalloc=false) + 4984
<net/core/dev.c:5328>
vmlinux   __netif_receive_skb_one_core(pfmemalloc=false) + 72
<net/core/dev.c:5370>
vmlinux   __netif_receive_skb() + 268
<net/core/dev.c:5486>
vmlinux   process_backlog(quota=134446100) + 672
<net/core/dev.c:6393>
vmlinux   napi_poll() + 312
<net/core/dev.c:6844>
vmlinux   net_rx_action() + 732
<net/core/dev.c:6914>
vmlinux   __do_softirq() + 712
<kernel/softirq.c:305>
vmlinux   do_softirq_own_stack()
<include/linux/interrupt.h:578>
vmlinux   invoke_softirq() + 152
<kernel/softirq.c:402>
vmlinux   el0_svc() + 32
<arch/arm64/kernel/entry-common.c:357>
vmlinux   el0_sync_handler() + 132
<arch/arm64/kernel/entry-common.c:373>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding ras message then uses the length to make
a shift operation. It will change into negative after several loop.
UBSAN load could detect a negative shift as an undefined behaviour
and reports exception.
So we add the protection to avoid the length exceeding 32. Or else
it will return out of range error and stop decoding.

Signed-off-by: lena wang <lena.wang@...iatek.com>
---
 net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index e697a824b001..85be1c589ef0 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -589,6 +589,8 @@ static int decode_seq(struct bitstr *bs, const
struct field_t *f,
        bmp2_len = get_bits(bs, 7) + 1;
        if (nf_h323_error_boundary(bs, 0, bmp2_len))
                return H323_ERROR_BOUND;
+       if (bmp2_len > 32)
+               return H323_ERROR_RANGE;
        bmp2 = get_bitmap(bs, bmp2_len);
        bmp |= bmp2 >> f->sz;
        if (base)
--
2.18.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ