lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 11 Dec 2021 15:13:02 -0700
From:   David Ahern <dsahern@...il.com>
To:     Ido Schimmel <idosch@...sch.org>, David Ahern <dsahern@...nel.org>
Cc:     netdev@...r.kernel.org,
        syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com,
        Thomas Graf <tgraf@...g.ch>
Subject: Re: [PATCH net] ipv4: Check attribute length for RTA_GATEWAY

On 12/11/21 12:13 PM, Ido Schimmel wrote:
> On Sat, Dec 11, 2021 at 09:21:48AM -0700, David Ahern wrote:
>> syzbot reported uninit-value:
>> ============================================================
>>   BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
>>   net/ipv4/fib_semantics.c:708
>>    fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
>>    fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
>>    fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
>>    inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
>>
>> Add length checking before using the attribute.
>>
>> Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
>> Reported-by: syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com
>> Signed-off-by: David Ahern <dsahern@...nel.org>
>> Cc: Thomas Graf <tgraf@...g.ch>
>> ---
>> I do not have KMSAN setup, so this is based on a code analysis. Before
> 
> Was using this in the past:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs

thanks for the pointer. I am a bit hardware challenged at the moment for
out of tree features.

> 
>> 4e902c57417c fib_get_attr32 was checking the attribute length; the
>> switch to nla_get_u32 does not.
>>
>>  net/ipv4/fib_semantics.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
>> index 3cad543dc747..930843ba3b17 100644
>> --- a/net/ipv4/fib_semantics.c
>> +++ b/net/ipv4/fib_semantics.c
>> @@ -704,6 +704,10 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
>>  				return -EINVAL;
>>  			}
>>  			if (nla) {
>> +				if (nla_len(nla) < sizeof(__be32)) {
>> +					NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
>> +					return -EINVAL;
>> +				}
> 
> Isn't the problem more general than that? It seems that there is no
> minimum length validation to any of the attributes inside RTA_MULTIPATH.
> Except maybe RTA_VIA
> 

A follow up commit is needed for RTA_FLOW.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ