lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue,  3 Dec 2019 11:03:45 -0500
From:   Laura Abbott <labbott@...hat.com>
To:     Pablo Neira Ayuso <pablo@...filter.org>,
        Jozsef Kadlecsik <kadlec@...filter.org>,
        Florian Westphal <fw@...len.de>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Laura Abbott <labbott@...hat.com>, netfilter-devel@...r.kernel.org,
        coreteam@...filter.org, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org, Kees Cook <keescook@...omium.org>
Subject: [PATCH] netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle

The sizes for memcpy in flow_offload_mangle don't match
the source variables, leading to overflow errors on some
build configurations:

In function 'memcpy',
    inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
    inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
    inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
  376 |    __read_overflow2();
      |    ^~~~~~~~~~~~~~~~~~
make[2]: *** [scripts/Makefile.build:266: net/netfilter/nf_flow_table_offload.o] Error 1

Fix this by using the corresponding type.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Laura Abbott <labbott@...hat.com>
---
Seen on a Fedora powerpc little endian build with -O3 but it looks like
it is correctly catching an error with doing a memcpy outside the source
variable.
---
 net/netfilter/nf_flow_table_offload.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index c54c9a6cc981..526f894d0bdb 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -108,8 +108,8 @@ static void flow_offload_mangle(struct flow_action_entry *entry,
 	entry->id = FLOW_ACTION_MANGLE;
 	entry->mangle.htype = htype;
 	entry->mangle.offset = offset;
-	memcpy(&entry->mangle.mask, mask, sizeof(u32));
-	memcpy(&entry->mangle.val, value, sizeof(u32));
+	memcpy(&entry->mangle.mask, mask, sizeof(u8));
+	memcpy(&entry->mangle.val, value, sizeof(u8));
 }
 
 static inline struct flow_action_entry *
-- 
2.21.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ