lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 1 Mar 2024 16:29:25 +0100
From: Jiri Pirko <jiri@...nulli.us>
To: Lena Wang (王娜) <Lena.Wang@...iatek.com>
Cc: "fw@...len.de" <fw@...len.de>,
	"davem@...emloft.net" <davem@...emloft.net>,
	"pablo@...filter.org" <pablo@...filter.org>,
	"kadlec@...filter.org" <kadlec@...filter.org>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"netfilter-devel@...r.kernel.org" <netfilter-devel@...r.kernel.org>
Subject: Re: [PATCH net v2] netfilter: Add protection for bmp length out of
 range

Fri, Mar 01, 2024 at 04:12:24PM CET, Lena.Wang@...iatek.com wrote:
>From: Lena Wang <lena.wang@...iatek.com>
>
>UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
>that are out of bounds for their data type.
>
>vmlinux   get_bitmap(b=75) + 712
><net/netfilter/nf_conntrack_h323_asn1.c:0>
>vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
>level=134443100) + 1956
><net/netfilter/nf_conntrack_h323_asn1.c:592>
>vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
><net/netfilter/nf_conntrack_h323_asn1.c:576>
>vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux   DecodeRasMessage() + 304
><net/netfilter/nf_conntrack_h323_asn1.c:833>
>vmlinux   ras_help() + 684
><net/netfilter/nf_conntrack_h323_main.c:1728>
>vmlinux   nf_confirm() + 188
><net/netfilter/nf_conntrack_proto.c:137>
>
>Due to abnormal data in skb->data, the extension bitmap length
>exceeds 32 when decoding ras message. Then get_bitmap uses the
>length to make a shift operation. It will change into negative
>after several loop.
>
>UBSAN load can detect a negative shift as an undefined behaviour
>and reports an exception.
>
>So we should add the protection to avoid the length exceeding 32.
>If it exceeds it will return out of range error and stop decoding
>ras message.
>
>Signed-off-by: Lena Wang <lena.wang@...iatek.com>

Missing "Fixes" tag, again...

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ