* [PATCH] hdlc_ppp: add range checks in ppp_cp_parse_cr()
[not found] <20200908153200.GB4165114@kroah.com>
@ 2020-09-08 17:53 ` Dan Carpenter
[not found] ` <CAMnVd19nWToENW3X7v_PZN4snoXAoLgqKqn=dezXnd=z89zL7Q@mail.gmail.com>
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2020-09-08 17:53 UTC (permalink / raw)
To: Krzysztof Halasa, nan chen
Cc: Jakub Kicinski, security, Greg KH, David S. Miller, netdev
There were two bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) We assume that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.
Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
This was sent to the security list, but we normally just handle
networking driver bugs through the regular netdev list.
drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
index 48ced3912576..4e906b79a85f 100644
--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -383,11 +383,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
}
for (opt = data; len; len -= opt[1], opt += opt[1]) {
- if (len < 2 || len < opt[1]) {
- dev->stats.rx_errors++;
- kfree(out);
- return; /* bad packet, drop silently */
- }
+ if (len < 2 || opt[1] < 2 || len < opt[1])
+ goto err_out;
if (pid == PID_LCP)
switch (opt[0]) {
@@ -395,6 +392,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
continue; /* MRU always OK and > 1500 bytes? */
case LCP_OPTION_ACCM: /* async control character map */
+ if (len < sizeof(valid_accm))
+ goto err_out;
if (!memcmp(opt, valid_accm,
sizeof(valid_accm)))
continue;
@@ -406,6 +405,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
}
break;
case LCP_OPTION_MAGIC:
+ if (len < 6)
+ goto err_out;
if (opt[1] != 6 || (!opt[2] && !opt[3] &&
!opt[4] && !opt[5]))
break; /* reject invalid magic number */
@@ -424,6 +425,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
kfree(out);
+ return;
+
+err_out:
+ dev->stats.rx_errors++;
+ kfree(out);
}
static int ppp_rx(struct sk_buff *skb)
--
2.28.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] hdlc_ppp: add range checks in ppp_cp_parse_cr()
[not found] ` <CAMnVd19nWToENW3X7v_PZN4snoXAoLgqKqn=dezXnd=z89zL7Q@mail.gmail.com>
@ 2020-09-09 7:19 ` Dan Carpenter
2020-09-09 9:46 ` [PATCH v2 net] " Dan Carpenter
1 sibling, 0 replies; 4+ messages in thread
From: Dan Carpenter @ 2020-09-09 7:19 UTC (permalink / raw)
To: nan chen
Cc: Krzysztof Halasa, Jakub Kicinski, security, Greg KH,
David S. Miller, netdev
On Wed, Sep 09, 2020 at 05:37:37AM +0800, nan chen wrote:
> Looks like the judgment of len <sizeof(valid_accm) has a problem.
> The judgment cannot avoid the memory overflow of the memcpy below.
> case LCP_OPTION_ACCM: /* async control character
> map */
> + if (len < sizeof(valid_accm))
> + goto err_out;
> Assume that the initial value of len is 10.Then the length of 'out' memory
> is 10.
> And assume the value of opt[1] in each loop is 2.
> Then it will loop 3 times.
> 3 times memcpy will cause the 'out' memory to be overwritten by 18 bytes (
> > 10 bytes). This will be memory overflow.
>
> I think the correct way is to judge the value of opt[1] like this:
> . case LCP_OPTION_ACCM: /* async control character
> map */
> + if (opt[1] < sizeof(valid_accm))
> + goto err_out;
>
Yeah. You're right. The "nak_len" count would grow faster than it
should leading to memory corruption. I'll resend.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v2 net] hdlc_ppp: add range checks in ppp_cp_parse_cr()
[not found] ` <CAMnVd19nWToENW3X7v_PZN4snoXAoLgqKqn=dezXnd=z89zL7Q@mail.gmail.com>
2020-09-09 7:19 ` Dan Carpenter
@ 2020-09-09 9:46 ` Dan Carpenter
2020-09-10 20:00 ` David Miller
1 sibling, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2020-09-09 9:46 UTC (permalink / raw)
To: Krzysztof Halasa
Cc: David S. Miller, Jakub Kicinski, netdev, security, nan chen, Greg KH
There are a couple bugs here:
1) If opt[1] is zero then this results in a forever loop. If the value
is less than 2 then it is invalid.
2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
result in memory corruption.
In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
"nak_len" gets out of sync and it can lead to memory corruption in the
next iterations through the loop. In case of LCP_OPTION_MAGIC, the
only valid value for opt[1] is 6, but the code is trying to log invalid
data so we should only discard the data when "len" is less than 6
because that leads to a read overflow.
Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
v2: check opt[1] < 6 instead of len < 6 for the LCP_OPTION_ACCM case.
drivers/net/wan/hdlc_ppp.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wan/hdlc_ppp.c b/drivers/net/wan/hdlc_ppp.c
index 48ced3912576..16f33d1ffbfb 100644
--- a/drivers/net/wan/hdlc_ppp.c
+++ b/drivers/net/wan/hdlc_ppp.c
@@ -383,11 +383,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
}
for (opt = data; len; len -= opt[1], opt += opt[1]) {
- if (len < 2 || len < opt[1]) {
- dev->stats.rx_errors++;
- kfree(out);
- return; /* bad packet, drop silently */
- }
+ if (len < 2 || opt[1] < 2 || len < opt[1])
+ goto err_out;
if (pid == PID_LCP)
switch (opt[0]) {
@@ -395,6 +392,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
continue; /* MRU always OK and > 1500 bytes? */
case LCP_OPTION_ACCM: /* async control character map */
+ if (opt[1] < sizeof(valid_accm))
+ goto err_out;
if (!memcmp(opt, valid_accm,
sizeof(valid_accm)))
continue;
@@ -406,6 +405,8 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
}
break;
case LCP_OPTION_MAGIC:
+ if (len < 6)
+ goto err_out;
if (opt[1] != 6 || (!opt[2] && !opt[3] &&
!opt[4] && !opt[5]))
break; /* reject invalid magic number */
@@ -424,6 +425,11 @@ static void ppp_cp_parse_cr(struct net_device *dev, u16 pid, u8 id,
ppp_cp_event(dev, pid, RCR_GOOD, CP_CONF_ACK, id, req_len, data);
kfree(out);
+ return;
+
+err_out:
+ dev->stats.rx_errors++;
+ kfree(out);
}
static int ppp_rx(struct sk_buff *skb)
--
2.28.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 net] hdlc_ppp: add range checks in ppp_cp_parse_cr()
2020-09-09 9:46 ` [PATCH v2 net] " Dan Carpenter
@ 2020-09-10 20:00 ` David Miller
0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2020-09-10 20:00 UTC (permalink / raw)
To: dan.carpenter; +Cc: khc, kuba, netdev, security, whutchennan, greg
From: Dan Carpenter <dan.carpenter@oracle.com>
Date: Wed, 9 Sep 2020 12:46:48 +0300
> There are a couple bugs here:
> 1) If opt[1] is zero then this results in a forever loop. If the value
> is less than 2 then it is invalid.
> 2) It assumes that "len" is more than sizeof(valid_accm) or 6 which can
> result in memory corruption.
>
> In the case of LCP_OPTION_ACCM, then we should check "opt[1]" instead
> of "len" because, if "opt[1]" is less than sizeof(valid_accm) then
> "nak_len" gets out of sync and it can lead to memory corruption in the
> next iterations through the loop. In case of LCP_OPTION_MAGIC, the
> only valid value for opt[1] is 6, but the code is trying to log invalid
> data so we should only discard the data when "len" is less than 6
> because that leads to a read overflow.
>
> Reported-by: ChenNan Of Chaitin Security Research Lab <whutchennan@gmail.com>
> Fixes: e022c2f07ae5 ("WAN: new synchronous PPP implementation for generic HDLC.")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> Reviewed-by: Eric Dumazet <edumazet@google.com>
> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
> v2: check opt[1] < 6 instead of len < 6 for the LCP_OPTION_ACCM case.
Applied and queued up for -stable, thanks Dan.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-09-10 20:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20200908153200.GB4165114@kroah.com>
2020-09-08 17:53 ` [PATCH] hdlc_ppp: add range checks in ppp_cp_parse_cr() Dan Carpenter
[not found] ` <CAMnVd19nWToENW3X7v_PZN4snoXAoLgqKqn=dezXnd=z89zL7Q@mail.gmail.com>
2020-09-09 7:19 ` Dan Carpenter
2020-09-09 9:46 ` [PATCH v2 net] " Dan Carpenter
2020-09-10 20:00 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.