| Message ID | 20210114185229.1742255-1-eric.dumazet@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | [net] net_sched: avoid shift-out-of-bounds in tcindex_set_parms() | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Clearly marked for net |
| netdev/subject_prefix | success | Link |
| netdev/cc_maintainers | warning | 3 maintainers not CCed: jiri@resnulli.us jhs@mojatatu.com xiyou.wangcong@gmail.com |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 0 this patch: 0 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | warning | WARNING: Possible repeated word: 'Google' |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 0 this patch: 0 |
| netdev/header_inline | success | Link |
| netdev/stable | success | Stable not CCed |
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Thu, 14 Jan 2021 10:52:29 -0800 you wrote: > From: Eric Dumazet <edumazet@google.com> > > tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT > attribute is not silly. > > UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29 > shift exponent 255 is too large for 32-bit type 'int' > CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:79 [inline] > dump_stack+0x107/0x163 lib/dump_stack.c:120 > ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 > __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 > valid_perfect_hash net/sched/cls_tcindex.c:260 [inline] > tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425 > tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546 > tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127 > rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555 > netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 > netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] > netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 > netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 > sock_sendmsg_nosec net/socket.c:652 [inline] > sock_sendmsg+0xcf/0x120 net/socket.c:672 > ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336 > ___sys_sendmsg+0xf3/0x170 net/socket.c:2390 > __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423 > do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > [...] Here is the summary with links: - [net] net_sched: avoid shift-out-of-bounds in tcindex_set_parms() https://git.kernel.org/netdev/net/c/bcd0cf19ef82 You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/sched/cls_tcindex.c b/net/sched/cls_tcindex.c index 78bec347b8b66f660e620dd715d0eb68f9bcd2d3..c4007b9cd16d6a200d943e3e0536d6b20022ba77 100644 --- a/net/sched/cls_tcindex.c +++ b/net/sched/cls_tcindex.c @@ -366,9 +366,13 @@ tcindex_set_parms(struct net *net, struct tcf_proto *tp, unsigned long base, if (tb[TCA_TCINDEX_MASK]) cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); - if (tb[TCA_TCINDEX_SHIFT]) + if (tb[TCA_TCINDEX_SHIFT]) { cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); - + if (cp->shift > 16) { + err = -EINVAL; + goto errout; + } + } if (!cp->hash) { /* Hash not specified, use perfect hash if the upper limit * of the hashing index is below the threshold.