[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210816071316.GF1931@kadam>
Date: Mon, 16 Aug 2021 10:13:16 +0300
From: Dan Carpenter <dan.carpenter@...cle.com>
To: Pavel Skripkin <paskripkin@...il.com>
Cc: Kevin Dawson <hal@...net.au>, ajk@...nets.uni-bremen.de,
davem@...emloft.net, kuba@...nel.org, linux-hams@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
syzbot+fc8cd9a673d4577fb2e4@...kaller.appspotmail.com
Subject: Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data
On Sat, Aug 14, 2021 at 05:17:44PM +0300, Pavel Skripkin wrote:
> On 8/14/21 3:23 AM, Kevin Dawson wrote:
> > On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
> > > On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
> > > > Syzbot reported slab-out-of bounds write in decode_data().
> > > > The problem was in missing validation checks.
> > > > > Syzbot's reproducer generated malicious input, which caused
> > > > decode_data() to be called a lot in sixpack_decode(). Since
> > > > rx_count_cooked is only 400 bytes and noone reported before,
> > > > that 400 bytes is not enough, let's just check if input is malicious
> > > > and complain about buffer overrun.
> > > > > ...
> > > > > diff --git a/drivers/net/hamradio/6pack.c
> > > b/drivers/net/hamradio/6pack.c
> > > > index fcf3af76b6d7..f4ffc2a80ab7 100644
> > > > --- a/drivers/net/hamradio/6pack.c
> > > > +++ b/drivers/net/hamradio/6pack.c
> > > > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
> > > > return;
> > > > }
> > > > > + if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
> > >
> > > It should be + 2 instead of + 3.
> > >
> > > We write three bytes. idx, idx + 1, idx + 2. Otherwise, good fix!
> >
> > I would suggest that the statement be:
> >
> > if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
> >
> > or even, because it's a buffer overrun test:
> >
> > if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
> >
>
> Hmm, I think, it will be more straightforward for someone not aware about
> driver details.
>
> @Dan, can I add your Reviewed-by tag to v3 and what do you think about
> Kevin's suggestion?
>
I don't care. Sure. I'm also fine with leaving it as is. I've been
using "idx + 2 >= sizeof()" enough recently that it has become an idiom
for me. But that's probably a bias on my part.
I guess "idx + 3 > sizeof()" is probably the most readable. Moving
the + 3 to the other side would prevent integer overflows but we're not
concerned about that here and no need to over engineer things if it
hurts readability.
regards,
dan carpenter
Powered by blists - more mailing lists