From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Skripkin <paskripkin@gmail.com>,
syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com,
Dan Carpenter <dan.carpenter@oracle.com>,
"David S . Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.4 23/31] net: 6pack: fix slab-out-of-bounds in decode_data
Date: Tue, 24 Aug 2021 13:07:35 -0400 [thread overview]
Message-ID: <20210824170743.710957-24-sashal@kernel.org> (raw)
In-Reply-To: <20210824170743.710957-1-sashal@kernel.org>
From: Pavel Skripkin <paskripkin@gmail.com>
[ Upstream commit 19d1532a187669ce86d5a2696eb7275310070793 ]
Syzbot reported slab-out-of bounds write in decode_data().
The problem was in missing validation checks.
Syzbot's reproducer generated malicious input, which caused
decode_data() to be called a lot in sixpack_decode(). Since
rx_count_cooked is only 400 bytes and noone reported before,
that 400 bytes is not enough, let's just check if input is malicious
and complain about buffer overrun.
Fail log:
==================================================================
BUG: KASAN: slab-out-of-bounds in drivers/net/hamradio/6pack.c:843
Write of size 1 at addr ffff888087c5544e by task kworker/u4:0/7
CPU: 0 PID: 7 Comm: kworker/u4:0 Not tainted 5.6.0-rc3-syzkaller #0
...
Workqueue: events_unbound flush_to_ldisc
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x32 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:641
__asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
decode_data.part.0+0x23b/0x270 drivers/net/hamradio/6pack.c:843
decode_data drivers/net/hamradio/6pack.c:965 [inline]
sixpack_decode drivers/net/hamradio/6pack.c:968 [inline]
Reported-and-tested-by: syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/hamradio/6pack.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
index 732c68ed166a..cce901add654 100644
--- a/drivers/net/hamradio/6pack.c
+++ b/drivers/net/hamradio/6pack.c
@@ -874,6 +874,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
return;
}
+ if (sp->rx_count_cooked + 2 >= sizeof(sp->cooked_buf)) {
+ pr_err("6pack: cooked buffer overrun, data loss\n");
+ sp->rx_count = 0;
+ return;
+ }
+
buf = sp->raw_buf;
sp->cooked_buf[sp->rx_count_cooked++] =
buf[0] | ((buf[1] << 2) & 0xc0);
--
2.30.2
next prev parent reply other threads:[~2021-08-24 17:40 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-24 17:07 [PATCH 4.4 00/31] 4.4.282-rc1 review Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 01/31] ASoC: intel: atom: Fix reference to PCM buffer address Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 02/31] i2c: dev: zero out array used for i2c reads from userspace Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 03/31] net: Fix memory leak in ieee802154_raw_deliver Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 04/31] xen/events: Fix race in set_evtchn_to_irq Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 05/31] x86/tools: Fix objdump version check again Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 06/31] PCI/MSI: Enable and mask MSI-X early Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 07/31] PCI/MSI: Do not set invalid bits in MSI mask Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 08/31] PCI/MSI: Correct misleading comments Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 09/31] PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 10/31] PCI/MSI: Protect msi_desc::masked for multi-MSI Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 11/31] PCI/MSI: Mask all unused MSI-X entries Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 12/31] PCI/MSI: Enforce that MSI-X table entry is masked for update Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 13/31] PCI/MSI: Enforce MSI[X] entry updates to be visible Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 14/31] vmlinux.lds.h: Handle clang's module.{c,d}tor sections Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 15/31] KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 16/31] dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 17/31] ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 18/31] dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 19/31] scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 20/31] scsi: core: Avoid printing an error if target_alloc() returns -ENXIO Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 21/31] Bluetooth: hidp: use correct wait queue when removing ctrl_wait Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 22/31] dccp: add do-while-0 stubs for dccp_pr_debug macros Sasha Levin
2021-08-24 17:07 ` Sasha Levin
2021-08-24 17:07 ` Sasha Levin [this message]
2021-08-24 17:07 ` [PATCH 4.4 24/31] net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 25/31] mmc: dw_mmc: Wait for data transfer after response errors Sasha Levin
2021-08-26 11:59 ` Nobuhiro Iwamatsu
2021-08-26 12:31 ` Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 26/31] mmc: dw_mmc: call the dw_mci_prep_stop_abort() by default Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 27/31] mmc: dw_mmc: Fix hang on data CRC error Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 28/31] ALSA: hda - fix the 'Capture Switch' value change notifications Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 29/31] ipack: tpci200: fix many double free issues in tpci200_pci_probe Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 30/31] ASoC: intel: atom: Fix breakage for PCM buffer address setup Sasha Levin
2021-08-24 17:07 ` [PATCH 4.4 31/31] Linux 4.4.282-rc1 Sasha Levin
2021-08-25 7:33 ` [PATCH 4.4 00/31] 4.4.282-rc1 review Pavel Machek
2021-08-25 14:24 ` Jon Hunter
2021-08-25 20:27 ` Guenter Roeck
2021-08-25 21:18 ` Daniel Díaz
2021-08-25 22:38 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210824170743.710957-24-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=paskripkin@gmail.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.