lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20200123071313.GI1847@kadam>
Date:   Thu, 23 Jan 2020 10:13:13 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Eric Dumazet <eric.dumazet@...il.com>
Cc:     Cong Wang <xiyou.wangcong@...il.com>,
        syzbot <syzbot+5af9a90dad568aa9f611@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Jiri Pirko <jiri@...nulli.us>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>
Subject: Re: KASAN: slab-out-of-bounds Read in __nla_put_nohdr

On Wed, Jan 22, 2020 at 12:33:17PM -0800, Eric Dumazet wrote:
> 
> 
> On 1/22/20 12:27 PM, Cong Wang wrote:
> > On Tue, Jan 21, 2020 at 11:55 AM Eric Dumazet <eric.dumazet@...il.com> wrote:
> >> em_nbyte_change() sets
> >> em->datalen = sizeof(*nbyte) + nbyte->len;
> >>
> >> But later tcf_em_validate() overwrites em->datalen with the user provide value (em->datalen = data_len; )
> >> which can be bigger than the allocated (kmemdup) space in em_nbyte_change()
> >>
> >> Should net/sched/em_nbyte.c() provide a dump() handler to avoid this issue ?
> > 
> > I think for those who implement ->change() we should leave
> > ->datalen untouched to respect their choices. I don't see why
> > we have to set it twice.
> > 
> >
> 
> Agreed, but we need to audit them to make sure all of them are setting ->datalen
> 

Smatch provides a way to do this sort of search:

$ smdb where tcf_ematch datalen
net/sched/ematch.c             | tcf_em_validate                | (struct tcf_ematch)->datalen | 0-65519
net/sched/ematch.c             | tcf_em_tree_validate           | (struct tcf_ematch)->datalen | 0
net/sched/em_ipt.c             | em_ipt_change                  | (struct tcf_ematch)->datalen | 16-131080
net/sched/em_meta.c            | em_meta_change                 | (struct tcf_ematch)->datalen | 48
net/sched/em_text.c            | em_text_change                 | (struct tcf_ematch)->datalen | 16
net/sched/em_canid.c           | em_canid_change                | (struct tcf_ematch)->datalen | 276-4268
net/sched/em_ipset.c           | em_ipset_change                | (struct tcf_ematch)->datalen | 4
net/sched/em_nbyte.c           | em_nbyte_change                | (struct tcf_ematch)->datalen | 4-4099

It is imperfect...  The main drawback is that it's based on my
allmodconfig which might not include every function.  But always there
are other bugs to be discovered.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ