| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <73de092c-e6d0-72d6-3547-b4217076f6f9@gmail.com>
Date: Sat, 11 Dec 2021 15:13:02 -0700
From: David Ahern <dsahern@...il.com>
To: Ido Schimmel <idosch@...sch.org>, David Ahern <dsahern@...nel.org>
Cc: netdev@...r.kernel.org,
syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com,
Thomas Graf <tgraf@...g.ch>
Subject: Re: [PATCH net] ipv4: Check attribute length for RTA_GATEWAY
On 12/11/21 12:13 PM, Ido Schimmel wrote:
> On Sat, Dec 11, 2021 at 09:21:48AM -0700, David Ahern wrote:
>> syzbot reported uninit-value:
>> ============================================================
>> BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
>> net/ipv4/fib_semantics.c:708
>> fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
>> fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
>> fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
>> inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
>>
>> Add length checking before using the attribute.
>>
>> Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
>> Reported-by: syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com
>> Signed-off-by: David Ahern <dsahern@...nel.org>
>> Cc: Thomas Graf <tgraf@...g.ch>
>> ---
>> I do not have KMSAN setup, so this is based on a code analysis. Before
>
> Was using this in the past:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs
thanks for the pointer. I am a bit hardware challenged at the moment for
out of tree features.
>
>> 4e902c57417c fib_get_attr32 was checking the attribute length; the
>> switch to nla_get_u32 does not.
>>
>> net/ipv4/fib_semantics.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
>> index 3cad543dc747..930843ba3b17 100644
>> --- a/net/ipv4/fib_semantics.c
>> +++ b/net/ipv4/fib_semantics.c
>> @@ -704,6 +704,10 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
>> return -EINVAL;
>> }
>> if (nla) {
>> + if (nla_len(nla) < sizeof(__be32)) {
>> + NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
>> + return -EINVAL;
>> + }
>
> Isn't the problem more general than that? It seems that there is no
> minimum length validation to any of the attributes inside RTA_MULTIPATH.
> Except maybe RTA_VIA
>
A follow up commit is needed for RTA_FLOW.
Powered by blists - more mailing lists