| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 14 Aug 2021 17:17:44 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Kevin Dawson <hal@...net.au>,
Dan Carpenter <dan.carpenter@...cle.com>
Cc: ajk@...nets.uni-bremen.de, davem@...emloft.net, kuba@...nel.org,
linux-hams@...r.kernel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+fc8cd9a673d4577fb2e4@...kaller.appspotmail.com
Subject: Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data
On 8/14/21 3:23 AM, Kevin Dawson wrote:
> On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
>> On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
>> > Syzbot reported slab-out-of bounds write in decode_data().
>> > The problem was in missing validation checks.
>> >
>> > Syzbot's reproducer generated malicious input, which caused
>> > decode_data() to be called a lot in sixpack_decode(). Since
>> > rx_count_cooked is only 400 bytes and noone reported before,
>> > that 400 bytes is not enough, let's just check if input is malicious
>> > and complain about buffer overrun.
>> >
>> > ...
>> >
>> > diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
>> > index fcf3af76b6d7..f4ffc2a80ab7 100644
>> > --- a/drivers/net/hamradio/6pack.c
>> > +++ b/drivers/net/hamradio/6pack.c
>> > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
>> > return;
>> > }
>> >
>> > + if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
>>
>> It should be + 2 instead of + 3.
>>
>> We write three bytes. idx, idx + 1, idx + 2. Otherwise, good fix!
>
> I would suggest that the statement be:
>
> if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
>
> or even, because it's a buffer overrun test:
>
> if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
>
Hmm, I think, it will be more straightforward for someone not aware
about driver details.
@Dan, can I add your Reviewed-by tag to v3 and what do you think about
Kevin's suggestion?
> This is because if there are three bytes being written, that is the number that should be obvious in the test.
>
> I haven't looked at the surrounding code and there may be some other consideration why the "+ 2 >=" rather than "+ 3 >" (and from the description of "idx, idx + 1, idx + 2", I suspect it's visual consistency), so if that is important, feel free to adjust as required.
>
With regards,
Pavel Skripkin
Powered by blists - more mailing lists