From: Manivannan Sadhasivam <mani@kernel.org>
To: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	Jakub Kicinski <kuba@kernel.org>,
	linux-arm-msm@vger.kernel.org, netdev@vger.kernel.org
Subject: Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
Date: Thu, 19 Aug 2021 22:27:31 +0530
Message-ID: <20210819165731.GD200135@thinkpad>
In-Reply-To: <CAFcO6XOGjHzys4GywczXyePiPcEXw7P=gBPwYU5nv0f-a=eFig@mail.gmail.com>

Hi,

On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote:
> Here I make a patch for this issue.

[...]

> From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001
> From: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
> Date: Wed, 18 Aug 2021 14:19:38 +0800
> Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post
> 
> This check was incomplete; it did not consider the case where size is 0:
> 
> 	if (len != ALIGN(size, 4) + hdrlen)
>                     goto err;
> 
> If size from qrtr_hdr is 0, the result of ALIGN(size, 4)
> will be 0. In case of len == hdrlen and size == 0
> in header, this check won't fail and
> 
> 	if (cb->type == QRTR_TYPE_NEW_SERVER) {
>                 /* Remote node endpoint can bridge other distant nodes */
>                 const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
> 
>                 qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
>         }
> 
> will also read out of bounds from data, which is a hdrlen allocated block.
> 
> Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
> Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com>

Thanks for the bug report and the fix. Could you please send the fix as a proper
patch as per: Documentation/process/submitting-patches.rst

Thanks,
Mani

> ---
>  net/qrtr/qrtr.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> index 171b7f3be6ef..0c30908628ba 100644
> --- a/net/qrtr/qrtr.c
> +++ b/net/qrtr/qrtr.c
> @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
>  		goto err;
>  	}
>  
> -	if (len != ALIGN(size, 4) + hdrlen)
> +	if (!size || len != ALIGN(size, 4) + hdrlen)
>  		goto err;
>  
>  	if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
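Review bot: the added `!size` test in the length check only rejects a zero size; a non-zero size that is still too small to cover `pkt->server.node` passes `len != ALIGN(size, 4) + hdrlen` and reaches the QRTR_TYPE_NEW_SERVER read quoted in the commit message. Consider also requiring size to be at least sizeof(*pkt) before that dereference, for example next to the `cb->type == QRTR_TYPE_NEW_SERVER` branch, so the bound is tied to the structure actually read rather than to zero alone.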
> -- 
> 2.25.1
> 
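The length check described in the commit message, modelled in user space as an added example (not code from the patch or from the kernel). The `model_ctrl_pkt` layout, the helper names and the header length of 32 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same rounding as ALIGN(size, 4) in the quoted check. */
#define ALIGN4(x) (((x) + 3u) & ~(size_t)3u)

/* Assumed stand-in for the control packet; only server.node matters here. */
struct model_ctrl_pkt {
	uint32_t cmd;
	struct { uint32_t service, instance, node, port; } server;
};

/* Check as quoted in the commit message (before the patch). */
static bool old_check_passes(size_t len, size_t size, size_t hdrlen)
{
	return len == ALIGN4(size) + hdrlen;
}

/* Check after the patch: a zero payload size is rejected as well. */
static bool new_check_passes(size_t len, size_t size, size_t hdrlen)
{
	return size != 0 && len == ALIGN4(size) + hdrlen;
}

/* Would reading pkt->server.node at data + hdrlen stay inside len bytes? */
static bool node_read_in_bounds(size_t len, size_t hdrlen)
{
	size_t end = hdrlen + offsetof(struct model_ctrl_pkt, server.node)
		     + sizeof(uint32_t);
	return end <= len;
}

int main(void)
{
	const size_t hdrlen = 32;            /* constructed value */
	const size_t len = hdrlen, size = 0; /* header only, size field is 0 */

	printf("old check passes:    %d\n", old_check_passes(len, size, hdrlen));
	printf("new check passes:    %d\n", new_check_passes(len, size, hdrlen));
	printf("node read in bounds: %d\n", node_read_in_bounds(len, hdrlen));
	return 0;
}
```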

