| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <c0b3bc83-2a3a-92c4-94c5-8b92d22df948@cumulusnetworks.com>
Date: Sun, 16 Feb 2020 01:42:38 +0200
From: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To: Christophe Leroy <christophe.leroy@....fr>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [netlink_bind()] [Bug 206525] BUG: KASAN: stack-out-of-bounds in
test_bit+0x30/0x44 (kernel 5.6-rc1)
On 2/15/20 7:58 PM, Christophe Leroy wrote:
>
>
>
> -------- Message transféré --------
> Sujet : [Bug 206525] BUG: KASAN: stack-out-of-bounds in test_bit+0x30/0x44 (kernel 5.6-rc1)
> Date : Sat, 15 Feb 2020 17:52:44 +0000
> De : bugzilla-daemon@...zilla.kernel.org
> Pour : linuxppc-dev@...ts.ozlabs.org
>
> https://bugzilla.kernel.org/show_bug.cgi?id=206525
>
> --- Comment #3 from Christophe Leroy (christophe.leroy@....fr) ---
> Bug introduced by commit ("cf5bddb95cbe net: bridge: vlan: add rtnetlink group
> and notify support")
>
> RTNLGRP_MAX is now 33.
>
> 'unsigned long groups' is 32 bits long on PPC32
>
> Following loop in netlink_bind() overflows.
>
>
> for (group = 0; group < nlk->ngroups; group++) {
> if (!test_bit(group, &groups))
> continue;
> err = nlk->netlink_bind(net, group + 1);
> if (!err)
> continue;
> netlink_undo_bind(group, groups, sk);
> goto unlock;
> }
>
>
> Should 'groups' be changes to 'unsigned long long' ?
>
Hi,
I'm currently traveling and will be able to look into this properly in a few days, but
I think we can just cap these at min(BITS_PER_TYPE(u32), nlk->ngroups) since "groups" is coming
from sockaddr_nl's "nl_groups" which is a u32, for any groups beyond u32 one has to use
setsockopt().
Cheers,
Nik
Powered by blists - more mailing lists