lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <36cf3ee2-38b1-47e5-a42a-363efeb0ace3@stanley.mountain>
Date: Thu, 6 Mar 2025 12:48:51 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Peter Seiderer <ps.report@....net>
Cc: netdev@...r.kernel.org
Subject: [bug report] net: pktgen: fix access outside of user given buffer in
 pktgen_if_write()

Hello Peter Seiderer,

Commit c5cdbf23b84c ("net: pktgen: fix access outside of user given
buffer in pktgen_if_write()") from Feb 27, 2025 (linux-next), leads
to the following Smatch static checker warning:

	net/core/pktgen.c:877 get_imix_entries()
	warn: check that incremented offset 'i' is capped

net/core/pktgen.c
    842 static ssize_t get_imix_entries(const char __user *buffer,
    843                                 size_t maxlen,
    844                                 struct pktgen_dev *pkt_dev)
    845 {
    846         size_t i = 0, max;
    847         ssize_t len;
    848         char c;
    849 
    850         pkt_dev->n_imix_entries = 0;
    851 
    852         do {
    853                 unsigned long weight;
    854                 unsigned long size;
    855 
    856                 if (pkt_dev->n_imix_entries >= MAX_IMIX_ENTRIES)
    857                         return -E2BIG;
    858 
    859                 max = min(10, maxlen - i);
    860                 len = num_arg(&buffer[i], max, &size);
    861                 if (len < 0)
    862                         return len;
    863                 i += len;
    864                 if (i >= maxlen)

Smatch wants this check to be done

    865                         return -EINVAL;
    866                 if (get_user(c, &buffer[i]))
    867                         return -EFAULT;
    868                 /* Check for comma between size_i and weight_i */
    869                 if (c != ',')
    870                         return -EINVAL;
    871                 i++;

again after this i++.

    872 
    873                 if (size < 14 + 20 + 8)
    874                         size = 14 + 20 + 8;
    875 
    876                 max = min(10, maxlen - i);
--> 877                 len = num_arg(&buffer[i], max, &weight);
    878                 if (len < 0)
    879                         return len;
    880                 if (weight <= 0)
    881                         return -EINVAL;
    882 
    883                 pkt_dev->imix_entries[pkt_dev->n_imix_entries].size = size;
    884                 pkt_dev->imix_entries[pkt_dev->n_imix_entries].weight = weight;
    885 
    886                 i += len;
    887                 pkt_dev->n_imix_entries++;
    888 
    889                 if (i >= maxlen)
    890                         break;
    891                 if (get_user(c, &buffer[i]))
    892                         return -EFAULT;
    893                 i++;
    894         } while (c == ' ');
    895 
    896         return i;
    897 }

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ