| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210923090054.3556deb0@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date: Thu, 23 Sep 2021 09:00:54 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: 王贇 <yun.wang@...ux.alibaba.com>
Cc: Jamal Hadi Salim <jhs@...atatu.com>,
Cong Wang <xiyou.wangcong@...il.com>,
Jiri Pirko <jiri@...nulli.us>,
"David S. Miller" <davem@...emloft.net>,
"open list:TC subsystem" <netdev@...r.kernel.org>
Subject: Re: [PATCH] net: prevent user from passing illegal stab size
On Thu, 23 Sep 2021 17:08:13 +0800 王贇 wrote:
> We observed below report when playing with netlink sock:
>
> UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10
> shift exponent 249 is too large for 32-bit type
> CPU: 0 PID: 685 Comm: a.out Not tainted
> Call Trace:
> dump_stack_lvl+0x8d/0xcf
> ubsan_epilogue+0xa/0x4e
> __ubsan_handle_shift_out_of_bounds+0x161/0x182
> __qdisc_calculate_pkt_len+0xf0/0x190
> __dev_queue_xmit+0x2ed/0x15b0
>
> it seems like kernel won't check the stab size_log passing from
> user, and will use the insane value later to calculate pkt_len.
>
> This patch just add a check on the size_log to avoid insane
> calculation.
>
> Reported-by: Abaci <abaci@...ux.alibaba.com>
> Signed-off-by: Michael Wang <yun.wang@...ux.alibaba.com>
> ---
> include/uapi/linux/pkt_sched.h | 1 +
> net/sched/sch_api.c | 3 +++
> 2 files changed, 4 insertions(+)
>
> diff --git a/include/uapi/linux/pkt_sched.h b/include/uapi/linux/pkt_sched.h
> index ec88590..fa194a0 100644
> --- a/include/uapi/linux/pkt_sched.h
> +++ b/include/uapi/linux/pkt_sched.h
> @@ -98,6 +98,7 @@ struct tc_ratespec {
> };
>
> #define TC_RTAB_SIZE 1024
> +#define TC_LOG_MAX 30
Adding a uAPI define is not necessary.
> struct tc_sizespec {
> unsigned char cell_log;
> diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c
> index 5e90e9b..1b6b8f8 100644
> --- a/net/sched/sch_api.c
> +++ b/net/sched/sch_api.c
> @@ -513,6 +513,9 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt,
> return stab;
> }
>
> + if (s->size_log > TC_LOG_MAX)
> + return ERR_PTR(-EINVAL);
Looks sane, please add an extack message.
Why not cover cell_log as well while at it?
> stab = kmalloc(sizeof(*stab) + tsize * sizeof(u16), GFP_KERNEL);
> if (!stab)
> return ERR_PTR(-ENOMEM);
Powered by blists - more mailing lists