[PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Sam Sun]

In function bond_option_arp_ip_targets_set(), if newval->string is an
empty string, newval->string+1 will point to the byte after the
string, causing an out-of-bound read.

BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc1/0x5e0 mm/kasan/report.c:475
 kasan_report+0xbe/0xf0 mm/kasan/report.c:588
 strlen+0x7d/0xa0 lib/string.c:418
 __fortify_strlen include/linux/fortify-string.h:210 [inline]
 in4_pton+0xa3/0x3f0 net/core/utils.c:130
 bond_option_arp_ip_targets_set+0xc2/0x910
drivers/net/bonding/bond_options.c:1201
 __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
 __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
 bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
 bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
 dev_attr_store+0x54/0x80 drivers/base/core.c:2366
 sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
 kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
 call_write_iter include/linux/fs.h:2020 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x96a/0xd80 fs/read_write.c:584
 ksys_write+0x122/0x250 fs/read_write.c:637
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
---[ end trace ]---

Fix it by adding a check of string length before using it.

v2
According to Jay and Hangbin's opinion, remove target address in
netdev_err message since target is not initialized in error path and
will not provide useful information.

v3
According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
("bonding: convert arp_ip_target to use the new option API") to
f9de11a16594 ("bonding: add ip checks when store ip target").

Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
Signed-off-by: Yue Sun <samsun1006219@gmail.com>
---
 drivers/net/bonding/bond_options.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/bonding/bond_options.c
b/drivers/net/bonding/bond_options.c
index 4cdbc7e084f4..8f3fb91897b3 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1214,9 +1214,9 @@ static int bond_option_arp_ip_targets_set(struct
bonding *bond,
     __be32 target;

     if (newval->string) {
-        if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
-            netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
-                   &target);
+        if (!(strlen(newval->string)) ||
+            !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
+            netdev_err(bond->dev, "invalid ARP target I4 specified\n");
             return ret;
         }
         if (newval->string[0] == '+')
-- 
2.34.1

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Simon Horman]

On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> In function bond_option_arp_ip_targets_set(), if newval->string is an
> empty string, newval->string+1 will point to the byte after the
> string, causing an out-of-bound read.
> 
> BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
>  print_address_description mm/kasan/report.c:364 [inline]
>  print_report+0xc1/0x5e0 mm/kasan/report.c:475
>  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
>  strlen+0x7d/0xa0 lib/string.c:418
>  __fortify_strlen include/linux/fortify-string.h:210 [inline]
>  in4_pton+0xa3/0x3f0 net/core/utils.c:130
>  bond_option_arp_ip_targets_set+0xc2/0x910
> drivers/net/bonding/bond_options.c:1201
>  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
>  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
>  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
>  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
>  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
>  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
>  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
>  call_write_iter include/linux/fs.h:2020 [inline]
>  new_sync_write fs/read_write.c:491 [inline]
>  vfs_write+0x96a/0xd80 fs/read_write.c:584
>  ksys_write+0x122/0x250 fs/read_write.c:637
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> ---[ end trace ]---
> 
> Fix it by adding a check of string length before using it.
> 
> v2
> According to Jay and Hangbin's opinion, remove target address in
> netdev_err message since target is not initialized in error path and
> will not provide useful information.
> 
> v3
> According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> ("bonding: convert arp_ip_target to use the new option API") to
> f9de11a16594 ("bonding: add ip checks when store ip target").
> 
> Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> ---

Hi Sam Sun,

Some comments about the formatting of this submission:

* The list of chances, (v2, v3, ...) should be below rather than
  above the scissors ("---"), so it is not included when the patch
  is applied.

* Looking at git history, the patch prefix should probably be "bonding:"

	Subject: [PATCH net v3] bonding: ...

* The diff seems to be a bit mangled, f.e. tabs seem to
  have been translated into spaces. So it does not apply.
  Which breaks automated testing. And for this reason
  I am asking you to repost this patch.

  git send-email, and b4, are two tools that can typically be used
  to send patches in a way that this doesn't occur.

--- 
pw-bot: changes-requested

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Sam Sun]

On Tue, Apr 16, 2024 at 10:24 PM Simon Horman <horms@kernel.org> wrote:
>
> On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> > In function bond_option_arp_ip_targets_set(), if newval->string is an
> > empty string, newval->string+1 will point to the byte after the
> > string, causing an out-of-bound read.
> >
> > BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> > Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> > CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > Call Trace:
> >  <TASK>
> >  __dump_stack lib/dump_stack.c:88 [inline]
> >  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
> >  print_address_description mm/kasan/report.c:364 [inline]
> >  print_report+0xc1/0x5e0 mm/kasan/report.c:475
> >  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
> >  strlen+0x7d/0xa0 lib/string.c:418
> >  __fortify_strlen include/linux/fortify-string.h:210 [inline]
> >  in4_pton+0xa3/0x3f0 net/core/utils.c:130
> >  bond_option_arp_ip_targets_set+0xc2/0x910
> > drivers/net/bonding/bond_options.c:1201
> >  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
> >  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
> >  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
> >  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
> >  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
> >  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
> >  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
> >  call_write_iter include/linux/fs.h:2020 [inline]
> >  new_sync_write fs/read_write.c:491 [inline]
> >  vfs_write+0x96a/0xd80 fs/read_write.c:584
> >  ksys_write+0x122/0x250 fs/read_write.c:637
> >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> >  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > ---[ end trace ]---
> >
> > Fix it by adding a check of string length before using it.
> >
> > v2
> > According to Jay and Hangbin's opinion, remove target address in
> > netdev_err message since target is not initialized in error path and
> > will not provide useful information.
> >
> > v3
> > According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> > ("bonding: convert arp_ip_target to use the new option API") to
> > f9de11a16594 ("bonding: add ip checks when store ip target").
> >
> > Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> > Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> > ---
>
> Hi Sam Sun,
>
> Some comments about the formatting of this submission:
>
> * The list of chances, (v2, v3, ...) should be below rather than
>   above the scissors ("---"), so it is not included when the patch
>   is applied.
>
> * Looking at git history, the patch prefix should probably be "bonding:"
>
>         Subject: [PATCH net v3] bonding: ...
>
> * The diff seems to be a bit mangled, f.e. tabs seem to
>   have been translated into spaces. So it does not apply.
>   Which breaks automated testing. And for this reason
>   I am asking you to repost this patch.
>
>   git send-email, and b4, are two tools that can typically be used
>   to send patches in a way that this doesn't occur.
>
> ---
> pw-bot: changes-requested

I sincerely apologize for not using git send-email. I tried to set up
the environment but it did not work. For some reason, I needed to use
a proxy to connect with my gmail account, but the proxy service
provider banned using their proxy to send email through smtp. Maybe I
need to rent a VPS and set up a working environment there, but it
would take time and I don't know for sure whether the VPS provider
would allow me to send email through smtp either.

Could you or anyone please help me submit this patch? Sorry for
causing this trouble.

Best Regards,
Yue

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Hangbin Liu]

On Wed, Apr 17, 2024 at 02:34:49PM +0800, Sam Sun wrote:
> On Tue, Apr 16, 2024 at 10:24 PM Simon Horman <horms@kernel.org> wrote:
> >
> > On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> > > In function bond_option_arp_ip_targets_set(), if newval->string is an
> > > empty string, newval->string+1 will point to the byte after the
> > > string, causing an out-of-bound read.
> > >
> > > BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> > > Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> > > CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > > Call Trace:
> > >  <TASK>
> > >  __dump_stack lib/dump_stack.c:88 [inline]
> > >  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
> > >  print_address_description mm/kasan/report.c:364 [inline]
> > >  print_report+0xc1/0x5e0 mm/kasan/report.c:475
> > >  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
> > >  strlen+0x7d/0xa0 lib/string.c:418
> > >  __fortify_strlen include/linux/fortify-string.h:210 [inline]
> > >  in4_pton+0xa3/0x3f0 net/core/utils.c:130
> > >  bond_option_arp_ip_targets_set+0xc2/0x910
> > > drivers/net/bonding/bond_options.c:1201
> > >  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
> > >  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
> > >  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
> > >  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
> > >  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
> > >  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
> > >  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
> > >  call_write_iter include/linux/fs.h:2020 [inline]
> > >  new_sync_write fs/read_write.c:491 [inline]
> > >  vfs_write+0x96a/0xd80 fs/read_write.c:584
> > >  ksys_write+0x122/0x250 fs/read_write.c:637
> > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> > >  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > > ---[ end trace ]---
> > >
> > > Fix it by adding a check of string length before using it.
> > >
> > > v2
> > > According to Jay and Hangbin's opinion, remove target address in
> > > netdev_err message since target is not initialized in error path and
> > > will not provide useful information.
> > >
> > > v3
> > > According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> > > ("bonding: convert arp_ip_target to use the new option API") to
> > > f9de11a16594 ("bonding: add ip checks when store ip target").
> > >
> > > Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> > > Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> > > ---
> >
> > Hi Sam Sun,
> >
> > Some comments about the formatting of this submission:
> >
> > * The list of chances, (v2, v3, ...) should be below rather than
> >   above the scissors ("---"), so it is not included when the patch
> >   is applied.
> >
> > * Looking at git history, the patch prefix should probably be "bonding:"
> >
> >         Subject: [PATCH net v3] bonding: ...
> >
> > * The diff seems to be a bit mangled, f.e. tabs seem to
> >   have been translated into spaces. So it does not apply.
> >   Which breaks automated testing. And for this reason
> >   I am asking you to repost this patch.
> >
> >   git send-email, and b4, are two tools that can typically be used
> >   to send patches in a way that this doesn't occur.
> >
> > ---
> > pw-bot: changes-requested
> 
> I sincerely apologize for not using git send-email. I tried to set up
> the environment but it did not work. For some reason, I needed to use
> a proxy to connect with my gmail account, but the proxy service
> provider banned using their proxy to send email through smtp. Maybe I
> need to rent a VPS and set up a working environment there, but it
> would take time and I don't know for sure whether the VPS provider
> would allow me to send email through smtp either.
> 
> Could you or anyone please help me submit this patch? Sorry for
> causing this trouble.

Maybe you can try use another proxy service. If it not works, I can
help you post the patch.

Thanks
Hangbin

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Sam Sun]

On Wed, Apr 17, 2024 at 9:31 PM Hangbin Liu <liuhangbin@gmail.com> wrote:
>
> On Wed, Apr 17, 2024 at 02:34:49PM +0800, Sam Sun wrote:
> > On Tue, Apr 16, 2024 at 10:24 PM Simon Horman <horms@kernel.org> wrote:
> > >
> > > On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> > > > In function bond_option_arp_ip_targets_set(), if newval->string is an
> > > > empty string, newval->string+1 will point to the byte after the
> > > > string, causing an out-of-bound read.
> > > >
> > > > BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> > > > Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> > > > CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > > > Call Trace:
> > > >  <TASK>
> > > >  __dump_stack lib/dump_stack.c:88 [inline]
> > > >  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
> > > >  print_address_description mm/kasan/report.c:364 [inline]
> > > >  print_report+0xc1/0x5e0 mm/kasan/report.c:475
> > > >  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
> > > >  strlen+0x7d/0xa0 lib/string.c:418
> > > >  __fortify_strlen include/linux/fortify-string.h:210 [inline]
> > > >  in4_pton+0xa3/0x3f0 net/core/utils.c:130
> > > >  bond_option_arp_ip_targets_set+0xc2/0x910
> > > > drivers/net/bonding/bond_options.c:1201
> > > >  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
> > > >  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
> > > >  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
> > > >  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
> > > >  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
> > > >  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
> > > >  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
> > > >  call_write_iter include/linux/fs.h:2020 [inline]
> > > >  new_sync_write fs/read_write.c:491 [inline]
> > > >  vfs_write+0x96a/0xd80 fs/read_write.c:584
> > > >  ksys_write+0x122/0x250 fs/read_write.c:637
> > > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > > >  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> > > >  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > > > ---[ end trace ]---
> > > >
> > > > Fix it by adding a check of string length before using it.
> > > >
> > > > v2
> > > > According to Jay and Hangbin's opinion, remove target address in
> > > > netdev_err message since target is not initialized in error path and
> > > > will not provide useful information.
> > > >
> > > > v3
> > > > According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> > > > ("bonding: convert arp_ip_target to use the new option API") to
> > > > f9de11a16594 ("bonding: add ip checks when store ip target").
> > > >
> > > > Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> > > > Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> > > > ---
> > >
> > > Hi Sam Sun,
> > >
> > > Some comments about the formatting of this submission:
> > >
> > > * The list of chances, (v2, v3, ...) should be below rather than
> > >   above the scissors ("---"), so it is not included when the patch
> > >   is applied.
> > >
> > > * Looking at git history, the patch prefix should probably be "bonding:"
> > >
> > >         Subject: [PATCH net v3] bonding: ...
> > >
> > > * The diff seems to be a bit mangled, f.e. tabs seem to
> > >   have been translated into spaces. So it does not apply.
> > >   Which breaks automated testing. And for this reason
> > >   I am asking you to repost this patch.
> > >
> > >   git send-email, and b4, are two tools that can typically be used
> > >   to send patches in a way that this doesn't occur.
> > >
> > > ---
> > > pw-bot: changes-requested
> >
> > I sincerely apologize for not using git send-email. I tried to set up
> > the environment but it did not work. For some reason, I needed to use
> > a proxy to connect with my gmail account, but the proxy service
> > provider banned using their proxy to send email through smtp. Maybe I
> > need to rent a VPS and set up a working environment there, but it
> > would take time and I don't know for sure whether the VPS provider
> > would allow me to send email through smtp either.
> >
> > Could you or anyone please help me submit this patch? Sorry for
> > causing this trouble.
>
> Maybe you can try use another proxy service. If it not works, I can
> help you post the patch.
>
> Thanks
> Hangbin

I will try to set up git send-email environment as soon as I can, but
I am afraid not for this time. I am sorry that I have to bother you
this time. Appreciate for your help!

Thanks,
Yue

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Simon Horman]

On Wed, Apr 17, 2024 at 02:34:49PM +0800, Sam Sun wrote:
> On Tue, Apr 16, 2024 at 10:24 PM Simon Horman <horms@kernel.org> wrote:
> >
> > On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> > > In function bond_option_arp_ip_targets_set(), if newval->string is an
> > > empty string, newval->string+1 will point to the byte after the
> > > string, causing an out-of-bound read.
> > >
> > > BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> > > Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> > > CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > > Call Trace:
> > >  <TASK>
> > >  __dump_stack lib/dump_stack.c:88 [inline]
> > >  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
> > >  print_address_description mm/kasan/report.c:364 [inline]
> > >  print_report+0xc1/0x5e0 mm/kasan/report.c:475
> > >  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
> > >  strlen+0x7d/0xa0 lib/string.c:418
> > >  __fortify_strlen include/linux/fortify-string.h:210 [inline]
> > >  in4_pton+0xa3/0x3f0 net/core/utils.c:130
> > >  bond_option_arp_ip_targets_set+0xc2/0x910
> > > drivers/net/bonding/bond_options.c:1201
> > >  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
> > >  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
> > >  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
> > >  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
> > >  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
> > >  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
> > >  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
> > >  call_write_iter include/linux/fs.h:2020 [inline]
> > >  new_sync_write fs/read_write.c:491 [inline]
> > >  vfs_write+0x96a/0xd80 fs/read_write.c:584
> > >  ksys_write+0x122/0x250 fs/read_write.c:637
> > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> > >  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > > ---[ end trace ]---
> > >
> > > Fix it by adding a check of string length before using it.
> > >
> > > v2
> > > According to Jay and Hangbin's opinion, remove target address in
> > > netdev_err message since target is not initialized in error path and
> > > will not provide useful information.
> > >
> > > v3
> > > According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> > > ("bonding: convert arp_ip_target to use the new option API") to
> > > f9de11a16594 ("bonding: add ip checks when store ip target").
> > >
> > > Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> > > Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> > > ---
> >
> > Hi Sam Sun,
> >
> > Some comments about the formatting of this submission:
> >
> > * The list of chances, (v2, v3, ...) should be below rather than
> >   above the scissors ("---"), so it is not included when the patch
> >   is applied.
> >
> > * Looking at git history, the patch prefix should probably be "bonding:"
> >
> >         Subject: [PATCH net v3] bonding: ...
> >
> > * The diff seems to be a bit mangled, f.e. tabs seem to
> >   have been translated into spaces. So it does not apply.
> >   Which breaks automated testing. And for this reason
> >   I am asking you to repost this patch.
> >
> >   git send-email, and b4, are two tools that can typically be used
> >   to send patches in a way that this doesn't occur.
> >
> > ---
> > pw-bot: changes-requested
> 
> I sincerely apologize for not using git send-email. I tried to set up
> the environment but it did not work. For some reason, I needed to use
> a proxy to connect with my gmail account, but the proxy service
> provider banned using their proxy to send email through smtp. Maybe I
> need to rent a VPS and set up a working environment there, but it
> would take time and I don't know for sure whether the VPS provider
> would allow me to send email through smtp either.
> 
> Could you or anyone please help me submit this patch? Sorry for
> causing this trouble.

Sure, happy to help.

I'll look at doing this tomororw (Friday),
unless someone else does so beforehand.

Re: [PATCH net v3] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

[Simon Horman]

On Thu, Apr 18, 2024 at 09:10:23PM +0100, Simon Horman wrote:
> On Wed, Apr 17, 2024 at 02:34:49PM +0800, Sam Sun wrote:
> > On Tue, Apr 16, 2024 at 10:24 PM Simon Horman <horms@kernel.org> wrote:
> > >
> > > On Tue, Apr 16, 2024 at 08:09:44PM +0800, Sam Sun wrote:
> > > > In function bond_option_arp_ip_targets_set(), if newval->string is an
> > > > empty string, newval->string+1 will point to the byte after the
> > > > string, causing an out-of-bound read.
> > > >
> > > > BUG: KASAN: slab-out-of-bounds in strlen+0x7d/0xa0 lib/string.c:418
> > > > Read of size 1 at addr ffff8881119c4781 by task syz-executor665/8107
> > > > CPU: 1 PID: 8107 Comm: syz-executor665 Not tainted 6.7.0-rc7 #1
> > > > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> > > > Call Trace:
> > > >  <TASK>
> > > >  __dump_stack lib/dump_stack.c:88 [inline]
> > > >  dump_stack_lvl+0xd9/0x150 lib/dump_stack.c:106
> > > >  print_address_description mm/kasan/report.c:364 [inline]
> > > >  print_report+0xc1/0x5e0 mm/kasan/report.c:475
> > > >  kasan_report+0xbe/0xf0 mm/kasan/report.c:588
> > > >  strlen+0x7d/0xa0 lib/string.c:418
> > > >  __fortify_strlen include/linux/fortify-string.h:210 [inline]
> > > >  in4_pton+0xa3/0x3f0 net/core/utils.c:130
> > > >  bond_option_arp_ip_targets_set+0xc2/0x910
> > > > drivers/net/bonding/bond_options.c:1201
> > > >  __bond_opt_set+0x2a4/0x1030 drivers/net/bonding/bond_options.c:767
> > > >  __bond_opt_set_notify+0x48/0x150 drivers/net/bonding/bond_options.c:792
> > > >  bond_opt_tryset_rtnl+0xda/0x160 drivers/net/bonding/bond_options.c:817
> > > >  bonding_sysfs_store_option+0xa1/0x120 drivers/net/bonding/bond_sysfs.c:156
> > > >  dev_attr_store+0x54/0x80 drivers/base/core.c:2366
> > > >  sysfs_kf_write+0x114/0x170 fs/sysfs/file.c:136
> > > >  kernfs_fop_write_iter+0x337/0x500 fs/kernfs/file.c:334
> > > >  call_write_iter include/linux/fs.h:2020 [inline]
> > > >  new_sync_write fs/read_write.c:491 [inline]
> > > >  vfs_write+0x96a/0xd80 fs/read_write.c:584
> > > >  ksys_write+0x122/0x250 fs/read_write.c:637
> > > >  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > > >  do_syscall_64+0x40/0x110 arch/x86/entry/common.c:83
> > > >  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> > > > ---[ end trace ]---
> > > >
> > > > Fix it by adding a check of string length before using it.
> > > >
> > > > v2
> > > > According to Jay and Hangbin's opinion, remove target address in
> > > > netdev_err message since target is not initialized in error path and
> > > > will not provide useful information.
> > > >
> > > > v3
> > > > According to Hangbin's opinion, change Fixes tag from 4fb0ef585eb2
> > > > ("bonding: convert arp_ip_target to use the new option API") to
> > > > f9de11a16594 ("bonding: add ip checks when store ip target").
> > > >
> > > > Fixes: f9de11a16594 ("bonding: add ip checks when store ip target")
> > > > Signed-off-by: Yue Sun <samsun1006219@gmail.com>
> > > > ---
> > >
> > > Hi Sam Sun,
> > >
> > > Some comments about the formatting of this submission:
> > >
> > > * The list of chances, (v2, v3, ...) should be below rather than
> > >   above the scissors ("---"), so it is not included when the patch
> > >   is applied.
> > >
> > > * Looking at git history, the patch prefix should probably be "bonding:"
> > >
> > >         Subject: [PATCH net v3] bonding: ...
> > >
> > > * The diff seems to be a bit mangled, f.e. tabs seem to
> > >   have been translated into spaces. So it does not apply.
> > >   Which breaks automated testing. And for this reason
> > >   I am asking you to repost this patch.
> > >
> > >   git send-email, and b4, are two tools that can typically be used
> > >   to send patches in a way that this doesn't occur.
> > >
> > > ---
> > > pw-bot: changes-requested
> > 
> > I sincerely apologize for not using git send-email. I tried to set up
> > the environment but it did not work. For some reason, I needed to use
> > a proxy to connect with my gmail account, but the proxy service
> > provider banned using their proxy to send email through smtp. Maybe I
> > need to rent a VPS and set up a working environment there, but it
> > would take time and I don't know for sure whether the VPS provider
> > would allow me to send email through smtp either.
> > 
> > Could you or anyone please help me submit this patch? Sorry for
> > causing this trouble.
> 
> Sure, happy to help.
> 
> I'll look at doing this tomororw (Friday),
> unless someone else does so beforehand.

I have posted the patch as v4.
The only changes were:
* Correct whitespace problems,
  which I assume were added in transit as discussed above.
* Update the patch prefix to 'bonding:' as described above
* Move the changelog to below the scissors, as described above

- [PATCH net v4] bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()
  https://lore.kernel.org/netdev/20240419-bond-oob-v4-1-69dd1a66db20@kernel.org/