lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 26 May 2022 11:41:20 +0200
From:   Paolo Abeni <pabeni@...hat.com>
To:     Wang Yufen <wangyufen@...wei.com>, davem@...emloft.net,
        yoshfuji@...ux-ipv6.org, dsahern@...nel.org, edumazet@...gle.com,
        kuba@...nel.org, ast@...nel.org, daniel@...earbox.net,
        andrii@...nel.org, kafai@...com, songliubraving@...com, yhs@...com,
        john.fastabend@...il.com, kpsingh@...nel.org
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH net-next v2] ipv6: Fix signed integer overflow in
 __ip6_append_data

On Wed, 2022-05-25 at 10:08 +0800, Wang Yufen wrote:
> Resurrect ubsan overflow checks and ubsan report this warning,
> fix it by change the variable [length] type to size_t.
> 
> UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
> 2147479552 + 8567 cannot be represented in type 'int'
> CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
> Hardware name: linux,dummy-virt (DT)
> Call trace:
>   dump_backtrace+0x214/0x230
>   show_stack+0x30/0x78
>   dump_stack_lvl+0xf8/0x118
>   dump_stack+0x18/0x30
>   ubsan_epilogue+0x18/0x60
>   handle_overflow+0xd0/0xf0
>   __ubsan_handle_add_overflow+0x34/0x44
>   __ip6_append_data.isra.48+0x1598/0x1688
>   ip6_append_data+0x128/0x260
>   udpv6_sendmsg+0x680/0xdd0
>   inet6_sendmsg+0x54/0x90
>   sock_sendmsg+0x70/0x88
>   ____sys_sendmsg+0xe8/0x368
>   ___sys_sendmsg+0x98/0xe0
>   __sys_sendmmsg+0xf4/0x3b8
>   __arm64_sys_sendmmsg+0x34/0x48
>   invoke_syscall+0x64/0x160
>   el0_svc_common.constprop.4+0x124/0x300
>   do_el0_svc+0x44/0xc8
>   el0_svc+0x3c/0x1e8
>   el0t_64_sync_handler+0x88/0xb0
>   el0t_64_sync+0x16c/0x170
> 
> Changes since v1: 
> -Change the variable [length] type to unsigned, as Eric Dumazet suggested.
>   
> Reported-by: Hulk Robot <hulkci@...wei.com>
> Signed-off-by: Wang Yufen <wangyufen@...wei.com>
> ---
>  include/net/ipv6.h    | 4 ++--
>  net/ipv6/ip6_output.c | 8 ++++----
>  net/ipv6/udp.c        | 2 +-
>  net/l2tp/l2tp_ip6.c   | 2 +-
>  4 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/include/net/ipv6.h b/include/net/ipv6.h
> index 5b38bf1a586b..de9dcc5652c4 100644
> --- a/include/net/ipv6.h
> +++ b/include/net/ipv6.h
> @@ -1063,7 +1063,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr);
>  int ip6_append_data(struct sock *sk,
>  		    int getfrag(void *from, char *to, int offset, int len,
>  				int odd, struct sk_buff *skb),
> -		    void *from, int length, int transhdrlen,
> +		    void *from, size_t length, int transhdrlen,
>  		    struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
>  		    struct rt6_info *rt, unsigned int flags);
>  
> @@ -1079,7 +1079,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, struct sk_buff_head *queue,
>  struct sk_buff *ip6_make_skb(struct sock *sk,
>  			     int getfrag(void *from, char *to, int offset,
>  					 int len, int odd, struct sk_buff *skb),
> -			     void *from, int length, int transhdrlen,
> +			     void *from, size_t length, int transhdrlen,
>  			     struct ipcm6_cookie *ipc6,
>  			     struct rt6_info *rt, unsigned int flags,
>  			     struct inet_cork_full *cork);
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index 4081b12a01ff..7d47ddd1e1f2 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1450,7 +1450,7 @@ static int __ip6_append_data(struct sock *sk,
>  			     struct page_frag *pfrag,
>  			     int getfrag(void *from, char *to, int offset,
>  					 int len, int odd, struct sk_buff *skb),
> -			     void *from, int length, int transhdrlen,
> +			     void *from, size_t length, int transhdrlen,
>  			     unsigned int flags, struct ipcm6_cookie *ipc6)
>  {
>  	struct sk_buff *skb, *skb_prev = NULL;
> @@ -1798,7 +1798,7 @@ static int __ip6_append_data(struct sock *sk,
>  int ip6_append_data(struct sock *sk,
>  		    int getfrag(void *from, char *to, int offset, int len,
>  				int odd, struct sk_buff *skb),
> -		    void *from, int length, int transhdrlen,
> +		    void *from, size_t length, int transhdrlen,
>  		    struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
>  		    struct rt6_info *rt, unsigned int flags)
>  {
> @@ -1995,13 +1995,13 @@ EXPORT_SYMBOL_GPL(ip6_flush_pending_frames);
>  struct sk_buff *ip6_make_skb(struct sock *sk,
>  			     int getfrag(void *from, char *to, int offset,
>  					 int len, int odd, struct sk_buff *skb),
> -			     void *from, int length, int transhdrlen,
> +			     void *from, size_t length, int transhdrlen,
>  			     struct ipcm6_cookie *ipc6, struct rt6_info *rt,
>  			     unsigned int flags, struct inet_cork_full *cork)
>  {
>  	struct inet6_cork v6_cork;
>  	struct sk_buff_head queue;
> -	int exthdrlen = (ipc6->opt ? ipc6->opt->opt_flen : 0);
> +	size_t exthdrlen = (ipc6->opt ? ipc6->opt->opt_flen : 0);

Is this the above line change needed? Why?

Thanks!

Paolo

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ