lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Fri, 20 Aug 2021 01:09:28 +0800
From:   butt3rflyh4ck <butterflyhuangxx@...il.com>
To:     Manivannan Sadhasivam <mani@...nel.org>
Cc:     "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        linux-arm-msm@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c

Ok, no problem, I will send the fix later.

Regards,
 butt3rflyh4ck.

On Fri, Aug 20, 2021 at 12:57 AM Manivannan Sadhasivam <mani@...nel.org> wrote:
>
> Hi,
>
> On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote:
> > Here I make a patch for this issue.
>
> [...]
>
> > From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001
> > From: butt3rflyh4ck <butterflyhhuangxx@...il.com>
> > Date: Wed, 18 Aug 2021 14:19:38 +0800
> > Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post
> >
> > This check was incomplete, did not consider size is 0:
> >
> >       if (len != ALIGN(size, 4) + hdrlen)
> >                     goto err;
> >
> > if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
> > will be 0, In case of len == hdrlen and size == 0
> > in header this check won't fail and
> >
> >       if (cb->type == QRTR_TYPE_NEW_SERVER) {
> >                 /* Remote node endpoint can bridge other distant nodes */
> >                 const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
> >
> >                 qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
> >         }
> >
> > will also read out of bound from data, which is hdrlen allocated block.
> >
> > Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
> > Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> > Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@...il.com>
>
> Thanks for the bug report and the fix. Could you please send the fix as a proper
> patch as per: Documentation/process/submitting-patches.rst
>
> Thanks,
> Mani
>
> > ---
> >  net/qrtr/qrtr.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> > index 171b7f3be6ef..0c30908628ba 100644
> > --- a/net/qrtr/qrtr.c
> > +++ b/net/qrtr/qrtr.c
> > @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
> >               goto err;
> >       }
> >
> > -     if (len != ALIGN(size, 4) + hdrlen)
> > +     if (!size || len != ALIGN(size, 4) + hdrlen)
> >               goto err;
> >
> >       if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
> > --
> > 2.25.1
> >
>


-- 
Active Defense Lab of Venustech

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ