| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Feb 2020 11:28:38 -0800 (PST)
From: David Miller <davem@...emloft.net>
To: mkubecek@...e.cz
Cc: kuba@...nel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] ethtool: limit bitset size
From: Michal Kubecek <mkubecek@...e.cz>
Date: Mon, 24 Feb 2020 20:42:12 +0100 (CET)
> Syzbot reported that ethnl_compact_sanity_checks() can be tricked into
> reading past the end of ETHTOOL_A_BITSET_VALUE and ETHTOOL_A_BITSET_MASK
> attributes and even the message by passing a value between (u32)(-31)
> and (u32)(-1) as ETHTOOL_A_BITSET_SIZE.
>
> The problem is that DIV_ROUND_UP(attr_nbits, 32) is 0 for such values so
> that zero length ETHTOOL_A_BITSET_VALUE will pass the length check but
> ethnl_bitmap32_not_zero() check would try to access up to 512 MB of
> attribute "payload".
>
> Prevent this overflow byt limiting the bitset size. Technically, compact
> bitset format would allow bitset sizes up to almost 2^18 (so that the
> nest size does not exceed U16_MAX) but bitsets used by ethtool are much
> shorter. S16_MAX, the largest value which can be directly used as an
> upper limit in policy, should be a reasonable compromise.
>
> Fixes: 10b518d4e6dd ("ethtool: netlink bitset handling")
> Reported-by: syzbot+7fd4ed5b4234ab1fdccd@...kaller.appspotmail.com
> Reported-by: syzbot+709b7a64d57978247e44@...kaller.appspotmail.com
> Reported-by: syzbot+983cb8fb2d17a7af549d@...kaller.appspotmail.com
> Signed-off-by: Michal Kubecek <mkubecek@...e.cz>
Applied, thanks Michal.
Powered by blists - more mailing lists