lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250524055159.32982-1-rafalbilkowski@gmail.com>
Date: Sat, 24 May 2025 07:51:59 +0200
From: Rafal Bilkowski <rafalbilkowski@...il.com>
To: netdev@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
	dsahern@...nel.org,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	Rafal Bilkowski <rafalbilkowski@...il.com>
Subject: [PATCH]    net: ipv6: sanitize RPL SRH cmpre/cmpre fields to fix taint issue

   Coverity flagged that the cmpre and cmpri fields in
   struct ipv6_rpl_sr_hdr are used without proper bounds checking,
   which may allow tainted values to be used as offsets or divisors,
   potentially leading to out-of-bounds access or division by zero.

   This patch adds explicit range checks for cmpre and cmpri before
   using them, ensuring they are within the valid range (0-15) and
   cmpri is non-zero. Coverity was run loccaly

   Fixes:  ("Untrusted value as argument (TAINTED_SCALAR)")

Signed-off-by: Rafal Bilkowski <rafalbilkowski@...il.com>
---
 net/ipv6/exthdrs.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
index 02e9ffb63af1..9646738cb872 100644
--- a/net/ipv6/exthdrs.c
+++ b/net/ipv6/exthdrs.c
@@ -504,6 +504,15 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	}
 
 looped_back:
+
+	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct ipv6_rpl_sr_hdr)))
+		goto error;
+	// Check if there is enough memory available for the header and hdrlen is in valid range
+	if (skb_tailroom(skb) < ((hdr->hdrlen + 1) << 3) ||
+	    hdr->hdrlen == 0 ||
+	    hdr->hdrlen > U8_MAX)
+		goto error;
+
 	hdr = (struct ipv6_rpl_sr_hdr *)skb_transport_header(skb);
 
 	if (hdr->segments_left == 0) {
@@ -534,7 +543,18 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 		return 1;
 	}
 
+	// Check if cmpri and cmpre are valid and do not exceed 15
+	if (hdr->cmpri > 15 || hdr->cmpre > 15)
+		goto error;
+	// Check if pad value is valid and does not exceed 15
+	if (hdr->pad > 15)
+		goto error;
+
 	n = (hdr->hdrlen << 3) - hdr->pad - (16 - hdr->cmpre);
+	// Check if n is non-negative
+	if (n <= 0)
+		goto error;
+
 	r = do_div(n, (16 - hdr->cmpri));
 	/* checks if calculation was without remainder and n fits into
 	 * unsigned char which is segments_left field. Should not be
@@ -638,6 +658,9 @@ static int ipv6_rpl_srh_rcv(struct sk_buff *skb)
 	dst_input(skb);
 
 	return -1;
+
+error:
+	return -1;
 }
 
 /********************************
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ