lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 11 Dec 2021 21:13:40 +0200
From:   Ido Schimmel <idosch@...sch.org>
To:     David Ahern <dsahern@...nel.org>
Cc:     netdev@...r.kernel.org,
        syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com,
        Thomas Graf <tgraf@...g.ch>
Subject: Re: [PATCH net] ipv4: Check attribute length for RTA_GATEWAY

On Sat, Dec 11, 2021 at 09:21:48AM -0700, David Ahern wrote:
> syzbot reported uninit-value:
> ============================================================
>   BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80
>   net/ipv4/fib_semantics.c:708
>    fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
>    fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
>    fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
>    inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
> 
> Add length checking before using the attribute.
> 
> Fixes: 4e902c57417c ("[IPv4]: FIB configuration using struct fib_config")
> Reported-by: syzbot+d4b9a2851cc3ce998741@...kaller.appspotmail.com
> Signed-off-by: David Ahern <dsahern@...nel.org>
> Cc: Thomas Graf <tgraf@...g.ch>
> ---
> I do not have KMSAN setup, so this is based on a code analysis. Before

Was using this in the past:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#kmsan-bugs

> 4e902c57417c fib_get_attr32 was checking the attribute length; the
> switch to nla_get_u32 does not.
> 
>  net/ipv4/fib_semantics.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
> index 3cad543dc747..930843ba3b17 100644
> --- a/net/ipv4/fib_semantics.c
> +++ b/net/ipv4/fib_semantics.c
> @@ -704,6 +704,10 @@ static int fib_get_nhs(struct fib_info *fi, struct rtnexthop *rtnh,
>  				return -EINVAL;
>  			}
>  			if (nla) {
> +				if (nla_len(nla) < sizeof(__be32)) {
> +					NL_SET_ERR_MSG(extack, "Invalid IPv4 address in RTA_GATEWAY");
> +					return -EINVAL;
> +				}

Isn't the problem more general than that? It seems that there is no
minimum length validation to any of the attributes inside RTA_MULTIPATH.
Except maybe RTA_VIA

>  				fib_cfg.fc_gw4 = nla_get_in_addr(nla);
>  				if (fib_cfg.fc_gw4)
>  					fib_cfg.fc_gw_family = AF_INET;
> -- 
> 2.24.3 (Apple Git-128)
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ