| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Aug 2021 10:23:56 +1000
From: Kevin Dawson <hal@...net.au>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Pavel Skripkin <paskripkin@...il.com>, ajk@...nets.uni-bremen.de,
davem@...emloft.net, kuba@...nel.org, linux-hams@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+fc8cd9a673d4577fb2e4@...kaller.appspotmail.com
Subject: Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data
On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
> On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
> > Syzbot reported slab-out-of bounds write in decode_data().
> > The problem was in missing validation checks.
> >
> > Syzbot's reproducer generated malicious input, which caused
> > decode_data() to be called a lot in sixpack_decode(). Since
> > rx_count_cooked is only 400 bytes and noone reported before,
> > that 400 bytes is not enough, let's just check if input is malicious
> > and complain about buffer overrun.
> >
> > ...
> >
> > diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
> > index fcf3af76b6d7..f4ffc2a80ab7 100644
> > --- a/drivers/net/hamradio/6pack.c
> > +++ b/drivers/net/hamradio/6pack.c
> > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
> > return;
> > }
> >
> > + if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
>
> It should be + 2 instead of + 3.
>
> We write three bytes. idx, idx + 1, idx + 2. Otherwise, good fix!
I would suggest that the statement be:
if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
or even, because it's a buffer overrun test:
if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
This is because if there are three bytes being written, that is the number that should be obvious in the test.
I haven't looked at the surrounding code and there may be some other consideration why the "+ 2 >=" rather than "+ 3 >" (and from the description of "idx, idx + 1, idx + 2", I suspect it's visual consistency), so if that is important, feel free to adjust as required.
Thanks,
Kevin
Powered by blists - more mailing lists