| Message ID | 20210614120650.2731-1-paskripkin@gmail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | ad9d24c9429e2159d1e279dc3a83191ccb4daf1d |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | net: qrtr: fix OOB Read in qrtr_endpoint_post | expand |
| Context | Check | Description |
|---|---|---|
| netdev/cover_letter | success | Link |
| netdev/fixes_present | success | Link |
| netdev/patch_count | success | Link |
| netdev/tree_selection | success | Guessed tree name to be net-next |
| netdev/subject_prefix | warning | Target tree name not specified in the subject |
| netdev/cc_maintainers | warning | 1 maintainers not CCed: kuba@kernel.org |
| netdev/source_inline | success | Was 0 now: 0 |
| netdev/verify_signedoff | success | Link |
| netdev/module_param | success | Was 0 now: 0 |
| netdev/build_32bit | success | Errors and warnings before: 3 this patch: 3 |
| netdev/kdoc | success | Errors and warnings before: 0 this patch: 0 |
| netdev/verify_fixes | success | Link |
| netdev/checkpatch | success | total: 0 errors, 0 warnings, 0 checks, 8 lines checked |
| netdev/build_allmodconfig_warn | success | Errors and warnings before: 3 this patch: 3 |
| netdev/header_inline | success | Link |
On Mon 14 Jun 07:06 CDT 2021, Pavel Skripkin wrote: > Syzbot reported slab-out-of-bounds Read in > qrtr_endpoint_post. The problem was in wrong > _size_ type: > > if (len != ALIGN(size, 4) + hdrlen) > goto err; > > If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of > ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293 > in header this check won't fail and > > skb_put_data(skb, data + hdrlen, size); > > will read out of bound from data, which is hdrlen allocated block. > > Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") > Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Regards, Bjorn > --- > net/qrtr/qrtr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > index c0477bec09bd..f2efaa4225f9 100644 > --- a/net/qrtr/qrtr.c > +++ b/net/qrtr/qrtr.c > @@ -436,7 +436,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) > struct qrtr_sock *ipc; > struct sk_buff *skb; > struct qrtr_cb *cb; > - unsigned int size; > + size_t size; > unsigned int ver; > size_t hdrlen; > > -- > 2.32.0 >
Hello: This patch was applied to netdev/net.git (refs/heads/master): On Mon, 14 Jun 2021 15:06:50 +0300 you wrote: > Syzbot reported slab-out-of-bounds Read in > qrtr_endpoint_post. The problem was in wrong > _size_ type: > > if (len != ALIGN(size, 4) + hdrlen) > goto err; > > [...] Here is the summary with links: - net: qrtr: fix OOB Read in qrtr_endpoint_post https://git.kernel.org/netdev/net/c/ad9d24c9429e You are awesome, thank you! -- Deet-doot-dot, I am a bot. https://korg.docs.kernel.org/patchwork/pwbot.html
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index c0477bec09bd..f2efaa4225f9 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -436,7 +436,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) struct qrtr_sock *ipc; struct sk_buff *skb; struct qrtr_cb *cb; - unsigned int size; + size_t size; unsigned int ver; size_t hdrlen;
Syzbot reported slab-out-of-bounds Read in qrtr_endpoint_post. The problem was in wrong _size_ type: if (len != ALIGN(size, 4) + hdrlen) goto err; If size from qrtr_hdr is 4294967293 (0xfffffffd), the result of ALIGN(size, 4) will be 0. In case of len == hdrlen and size == 4294967293 in header this check won't fail and skb_put_data(skb, data + hdrlen, size); will read out of bound from data, which is hdrlen allocated block. Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") Reported-and-tested-by: syzbot+1917d778024161609247@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin@gmail.com> --- net/qrtr/qrtr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)