| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YbT4ZJ+bSc/qeT5A@shredder>
Date: Sat, 11 Dec 2021 21:13:40 +0200
From: Ido Schimmel <idosch@...sch.org>
To: David Ahern <dsahern@...nel.org>
Cc: netdev@...r.kernel.org,
syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com,
Thomas Graf <tgraf@...g.ch>
Subject: Re: [PATCH net] ipv4: Check attribute length for RTA_GATEWAY
On Sat, Dec 11, 2021 at 09:21:48AM -0700, David Ahern wrote:
> syzbot reported uninit-value:
> ============================================================
> BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
> net/ipv4/fib_semantics.c:708
> fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
> fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
> fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
> inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
>
> Add length checking before using the attribute.
>
> Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
> Reported-by: syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com
> Signed-off-by: David Ahern <dsahern@...nel.org>
> Cc: Thomas Graf <tgraf@...g.ch>
> ---
> I do not have KMSAN setup, so this is based on a code analysis. Before
Was using this in the past:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs
> 4e902c57417c fib_get_attr32 was checking the attribute length; the
> switch to nla_get_u32 does not.
>
> net/ipv4/fib_semantics.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
> index 3cad543dc747..930843ba3b17 100644
> --- a/net/ipv4/fib_semantics.c
> +++ b/net/ipv4/fib_semantics.c
> @@ -704,6 +704,10 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
> return -EINVAL;
> }
> if (nla) {
> + if (nla_len(nla) < sizeof(__be32)) {
> + NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
> + return -EINVAL;
> + }
Isn't the problem more general than that? It seems that there is no
minimum length validation to any of the attributes inside RTA_MULTIPATH.
Except maybe RTA_VIA
> fib_cfg.fc_gw4 = nla_get_in_addr(nla);
> if (fib_cfg.fc_gw4)
> fib_cfg.fc_gw_family = AF_INET;
> --
> 2.24.3 (Apple Git-128)
>
Powered by blists - more mailing lists