lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 6 Jun 2023 20:54:47 +0800
From: "luwei (O)" <luwei32@...wei.com>
To: Jakub Kicinski <kuba@...nel.org>
CC: Networking <netdev@...r.kernel.org>
Subject: Re: [Question] integer overflow in function
 __qdisc_calculate_pkt_len()


在 2023/6/6 7:19 AM, Jakub Kicinski 写道:
> On Fri, 2 Jun 2023 10:50:44 +0800 luwei (O) wrote:
>>       I found an integer overflow issue in function
>> __qdisc_calculate_pkt_len(), the root cause is overhead and cell_align
>> in stab is not checked.
>>
>> For example, if overhead is set to -2147483559 and cell_align is set to
>> -32767 (tc tool limit it to 0 and -1, but other values can be set with
>> netlink api),
>>
>> the integer overflow occurs:
>>
>>    568 void __qdisc_calculate_pkt_len(struct sk_buff *skb,
>>    569                                const struct qdisc_size_table *stab)
>>    570 {
>>    571         int pkt_len, slot;
>>    572
>>    573         pkt_len = skb->len + stab->szopts.overhead; (1)
>>    574         if (unlikely(!stab->szopts.tsize))
>>    575                 goto out;
>>    576
>>    577         slot = pkt_len + stab->szopts.cell_align;   (2)
>>    578         if (unlikely(slot < 0))
>>    579                 slot = 0;
>>
>> if skb->len is 66, slot will be 66 + (-2147483559) + (-32767) =
>> 2147451036, and pkt_len will be 2147451040 finally.  I think the value
>> of overhead and cell_align
>>
>> should be limited, but not sure to which values they should be limited,
>> can any one give me some suggestions?
> on a quick look limiting the cell_align to S16_MIN at the netlink level
> (NLA_POLICY_MIN()) seems reasonable, feel free to send a patch.
> .

Thanks for your reply, but do your mean cell_align or overhead? It seems 
limit cell_align to

S16_MIN(-32768) can still cause the overflow:

     66 + (-2147483559) + (-32767) = 2147451036

   skb->len = 66
   stab->szopts.overhead = -2147483559
   stab->szopts.cell_align = -32767

-- 
Best Regards,
Lu Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ