lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ZfA4U0itpWSjsALX@localhost.localdomain>
Date: Tue, 12 Mar 2024 12:11:15 +0100
From: Michal Kubiak <michal.kubiak@...el.com>
To: Eric Dumazet <edumazet@...gle.com>
CC: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski
	<kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, <netdev@...r.kernel.org>,
	<eric.dumazet@...il.com>,
	<syzbot+a340daa06412d6028918@...kaller.appspotmail.com>, Vladimir Oltean
	<vladimir.oltean@....com>
Subject: Re: [PATCH net] net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX
 check

On Mon, Mar 11, 2024 at 08:46:28PM +0000, Eric Dumazet wrote:
> taprio_parse_tc_entry() is not correctly checking
> TCA_TAPRIO_TC_ENTRY_INDEX attribute:
> 
> 	int tc; // Signed value
> 
> 	tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]);
> 	if (tc >= TC_QOPT_MAX_QUEUE) {
> 		NL_SET_ERR_MSG_MOD(extack, "TC entry index out of range");
> 		return -ERANGE;
> 	}
> 
> syzbot reported that it could fed arbitary negative values:

nitpick: arbitary -> arbitrary (checkpatch)
> 
> UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18
> shift exponent -2147418108 is negative
> CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024
> Call Trace:
>  <TASK>
>   __dump_stack lib/dump_stack.c:88 [inline]
>   dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106
>   ubsan_epilogue lib/ubsan.c:217 [inline]
>   __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386
>   taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline]
>   taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline]
>   taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877
>   taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134
>   qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355
>   tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776
>   rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617
>   netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543
>   netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline]
>   netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367
>   netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908
>   sock_sendmsg_nosec net/socket.c:730 [inline]
>   __sock_sendmsg+0x221/0x270 net/socket.c:745
>   ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584
>   ___sys_sendmsg net/socket.c:2638 [inline]
>   __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667
>  do_syscall_64+0xf9/0x240
>  entry_SYSCALL_64_after_hwframe+0x6f/0x77
> RIP: 0033:0x7f1b2dea3759
> Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759
> RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004
> RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000
> R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340
> R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340
> 
> Fixes: a54fc09e4cba ("net/sched: taprio: allow user input of per-tc max SDU")
> Reported-and-tested-by: syzbot+a340daa06412d6028918@...kaller.appspotmail.com
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Vladimir Oltean <vladimir.oltean@....com>
> ---
>  net/sched/sch_taprio.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
> index 31a8252bd09c9111090f0147df6deb0ad81577af..ad99409c6325e179319f8ec4053582417a978817 100644
> --- a/net/sched/sch_taprio.c
> +++ b/net/sched/sch_taprio.c
> @@ -1008,7 +1008,8 @@ static const struct nla_policy entry_policy[TCA_TAPRIO_SCHED_ENTRY_MAX + 1] = {
>  };
>  
>  static const struct nla_policy taprio_tc_policy[TCA_TAPRIO_TC_ENTRY_MAX + 1] = {
> -	[TCA_TAPRIO_TC_ENTRY_INDEX]	   = { .type = NLA_U32 },
> +	[TCA_TAPRIO_TC_ENTRY_INDEX]	   = NLA_POLICY_MAX(NLA_U32,
> +							    TC_QOPT_MAX_QUEUE),
>  	[TCA_TAPRIO_TC_ENTRY_MAX_SDU]	   = { .type = NLA_U32 },
>  	[TCA_TAPRIO_TC_ENTRY_FP]	   = NLA_POLICY_RANGE(NLA_U32,
>  							      TC_FP_EXPRESS,
> -- 
> 2.44.0.278.ge034bb2e1d-goog
> 
> 

Looks OK to me. Please just review the checkpatch warnings.

Thanks,
Reviewed-by: Michal Kubiak <michal.kubiak@...el.com>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ