[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAEkJfYMfU8bSrvpgSCgCG4-canwkq3dZKSUKbd0xsjLuLPGMQQ@mail.gmail.com>
Date: Tue, 5 Mar 2024 11:20:49 +0800
From: Sam Sun <samsun1006219@...il.com>
To: Jay Vosburgh <jay.vosburgh@...onical.com>
Cc: linux-kernel@...r.kernel.org, netdev@...r.kernel.org, andy@...yhouse.net,
davem@...emloft.net, Eric Dumazet <edumazet@...gle.com>, kuba@...nel.org,
pabeni@...hat.com
Subject: Re: [PATCH net] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
On Tue, Mar 5, 2024 at 10:47 AM Jay Vosburgh <jay.vosburgh@...onical.com> wrote:
>
> Sam Sun <samsun1006219@...il.com> wrote:
>
> >Dear kernel developers and maintainers,
> >
> >We found a bug through our modified Syzkaller. In function
> >bond_option_arp_ip_targets_set(), if newval->string is an empty
> >string, newval->string+1 will point to the byte after the string,
> >causing an out-of-bound read. KASAN report is listed below.
>
> Conceptually, the change here seems fine. However, I don't
> think including the full KASAN report adds much to the description
> above.
>
Thanks for pointing this out! I will remove this next time when I
submit a patch.
> >We developed a patch to fix this problem. Check the string length
> >first before calling in4_pton().
> >
> >Reported-by: Yue Sun <samsun1006219@...il.com>
> >Signed-off-by: Yue Sun <samsun1006219@...il.com>
> >
> >diff --git a/drivers/net/bonding/bond_options.c
> >b/drivers/net/bonding/bond_options.c
> >index f3f27f0bd2a6..a6d01055f455 100644
> >--- a/drivers/net/bonding/bond_options.c
> >+++ b/drivers/net/bonding/bond_options.c
> >@@ -1198,7 +1198,7 @@ static int bond_option_arp_ip_targets_set(struct
> >bonding *bond,
> > __be32 target;
> >
> > if (newval->string) {
> >- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
> >+ if (!strlen(newval->string) || !in4_pton(newval->string+1,
> >-1, (u8 *)&target, -1, NULL)) {
>
> The text beginning with "-1," is a separate line, and something
> messed up the tabs. Also, this should be rewritten as
>
> if (!strlen(newval->string) ||
> !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
>
> to avoid a long line.
>
Yes you are right, I should have used the checkpatch script before
submitting the patch. Sorry for the inconvenience.
> -J
>
> > netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
> > &target);
> > return ret;
> >
>
>
> ---
> -Jay Vosburgh, jay.vosburgh@...onical.com
I modified the patch and it is listed below.
Reported-by: Yue Sun <samsun1006219@...il.com>
Signed-off-by: Yue Sun <samsun1006219@...il.com>
diff --git a/drivers/net/bonding/bond_options.c
b/drivers/net/bonding/bond_options.c
index f3f27f0bd2a6..7f765b42fad4 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1198,7 +1198,8 @@ static int bond_option_arp_ip_targets_set(struct
bonding *bond,
__be32 target;
if (newval->string) {
- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
+ if (!strlen(newval->string) ||
+ !in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
&target);
return ret;
Best Regards,
Yue
Powered by blists - more mailing lists