| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Jan 2024 17:32:35 +0800 From: Edward Adam Davis <eadavis@...com> To: syzbot+f2977222e0e95cec15c8@...kaller.appspotmail.com Cc: andrii@...nel.org, ast@...nel.org, borisp@...dia.com, bpf@...r.kernel.org, daniel@...earbox.net, davem@...emloft.net, dhowells@...hat.com, edumazet@...gle.com, jakub@...udflare.com, john.fastabend@...il.com, kuba@...nel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com Subject: [PATCH] tls: fix WARNING in __sk_msg_free Syzbot constructed 32 scatterlists, and the data members in struct sk_msg_sg can only store a maximum of MAX_MSG_FRAGS scatterlists. However, the value of MAX_MSG_FRAGS=CONFIG_MAX_SKB_FRAG is less than 32, which leads to the warning reported here. Prevent similar issues from occurring by checking whether sg.end is greater than MAX_MSG_FRAGS. Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@...kaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@...com> --- net/tls/tls_sw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c index e37b4d2e2acd..68dbe821f61d 100644 --- a/net/tls/tls_sw.c +++ b/net/tls/tls_sw.c @@ -1016,6 +1016,8 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg, msg_pl = &rec->msg_plaintext; msg_en = &rec->msg_encrypted; + if (msg_pl->sg.end >= MAX_MSG_FRAGS) + return -EINVAL; orig_size = msg_pl->sg.size; full_record = false; -- 2.43.0
Powered by blists - more mailing lists