| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e8e9f99e-9123-9a9a-f5b7-123e11800c06@gmail.com>
Date: Tue, 2 Jun 2020 06:20:53 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: YueHaibing <yuehaibing@...wei.com>, davem@...emloft.net,
kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org, kuba@...nel.org,
alex.aring@...il.com, ahabdels@...il.com
Cc: netdev@...r.kernel.org, Ahmed Abdelsalam <ahabdels@...il.com>,
David Lebrun <david.lebrun@...ouvain.be>
Subject: Re: [PATCH] seg6: Fix slab-out-of-bounds in fl6_update_dst()
On 6/1/20 11:51 PM, YueHaibing wrote:
> When update flowi6 daddr in fl6_update_dst() for srcrt, the used index
> of segments should be segments_left minus one per RFC8754
> (section 4.3.1.1) S15 S16. Otherwise it may results in an out-of-bounds
> read.
>
> Reported-by: syzbot+e8c028b62439eac42073@...kaller.appspotmail.com
> Fixes: 0cb7498f234e ("seg6: fix SRH processing to comply with RFC8754")
> Signed-off-by: YueHaibing <yuehaibing@...wei.com>
> ---
> net/ipv6/exthdrs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c
> index 5a8bbcdcaf2b..f5304bf33ab1 100644
> --- a/net/ipv6/exthdrs.c
> +++ b/net/ipv6/exthdrs.c
> @@ -1353,7 +1353,7 @@ struct in6_addr *fl6_update_dst(struct flowi6 *fl6,
> {
> struct ipv6_sr_hdr *srh = (struct ipv6_sr_hdr *)opt->srcrt;
>
> - fl6->daddr = srh->segments[srh->segments_left];
> + fl6->daddr = srh->segments[srh->segments_left - 1];
> break;
> }
> default:
>
1) Any reason you do not cc the author of the buggy patch ?
I also cced David Lebrun <david.lebrun@...ouvain.be> to get more eyes.
2) What happens if segments_left == 0 ?
Powered by blists - more mailing lists