* Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c @ 2021-08-17 11:52 butt3rflyh4ck 2021-08-18 7:33 ` butt3rflyh4ck 0 siblings, 1 reply; 4+ messages in thread From: butt3rflyh4ck @ 2021-08-17 11:52 UTC (permalink / raw) To: mani, David S. Miller, Jakub Kicinski; +Cc: linux-arm-msm, netdev Hi, there is another out-of-bound read in qrtr_endpoint_post in net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced. #analyze In qrtr_endpoint_post, it would post incoming data from the user, the ‘len’ is the size of data, the problem is in 'size'. ``` case QRTR_PROTO_VER_1: if (len < sizeof(*v1)) // just judge len < sizeof(*v1) goto err; v1 = data; hdrlen = sizeof(*v1); [...] size = le32_to_cpu(v1->size); break; ``` If the version of qrtr proto is QRTR_PROTO_VER_1, hdrlen is sizeof(qrtr_hdr_v1) and size is le32_to_cpu(v1->size). ``` if (len < sizeof(*v2)) // just judge len < sizeof(*v2) goto err; v2 = data; hdrlen = sizeof(*v2) + v2->optlen; [...] size = le32_to_cpu(v2->size); break; ``` if version of qrtr proto is QRTR_PROTO_VER_2, hdrlen is sizeof(qrtr_hdr_v2) and size is le32_to_cpu(v2->size). the code as below can be bypassed. ``` if (len != ALIGN(size, 4) + hdrlen) goto err; ``` if we set size zero and make 'len' equal to 'hdrlen', the judgement is bypassed. ``` if (cb->type == QRTR_TYPE_NEW_SERVER) { /* Remote node endpoint can bridge other distant nodes */ const struct qrtr_ctrl_pkt *pkt = data + hdrlen; qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); //[1] } ``` *pkt = data + hdrlen = data + len, so pkt pointer the end of data. [1]le32_to_cpu(pkt->server.node) could read out of bound. #crash log: [ 2436.657182][ T8433] ================================================================== [ 2436.658615][ T8433] BUG: KASAN: slab-out-of-bounds in qrtr_endpoint_post+0x478/0x5b0 [ 2436.659971][ T8433] Read of size 4 at addr ffff88800ef30a2c by task qrtr_endpoint_p/8433 [ 2436.661476][ T8433] [ 2436.661964][ T8433] CPU: 1 PID: 8433 Comm: qrtr_endpoint_p Not tainted 5.14.0-rc6+ #7 [ 2436.663431][ T8433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 2436.665220][ T8433] Call Trace: [ 2436.665870][ T8433] dump_stack_lvl+0x57/0x7d [ 2436.666748][ T8433] print_address_description.constprop.0.cold+0x93/0x334 [ 2436.668054][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 [ 2436.669072][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 [ 2436.669957][ T8433] kasan_report.cold+0x83/0xdf [ 2436.670833][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 [ 2436.671780][ T8433] kasan_check_range+0x14e/0x1b0 [ 2436.672707][ T8433] qrtr_endpoint_post+0x478/0x5b0 [ 2436.673646][ T8433] qrtr_tun_write_iter+0x8b/0xe0 [ 2436.674587][ T8433] new_sync_write+0x245/0x360 [ 2436.675462][ T8433] ? new_sync_read+0x350/0x350 [ 2436.676353][ T8433] ? policy_view_capable+0x3b0/0x6d0 [ 2436.677266][ T8433] ? apparmor_task_setrlimit+0x4d0/0x4d0 [ 2436.678251][ T8433] vfs_write+0x344/0x4e0 [ 2436.679024][ T8433] ksys_write+0xc4/0x160 [ 2436.679758][ T8433] ? __ia32_sys_read+0x40/0x40 [ 2436.680605][ T8433] ? syscall_enter_from_user_mode+0x21/0x70 [ 2436.681661][ T8433] do_syscall_64+0x35/0xb0 [ 2436.682445][ T8433] entry_SYSCALL_64_after_hwframe+0x44/0xae #fix suggestion 'size' should not be zero, it is length of packet, excluding this header or (excluding this header and optlen). Regards, butt3rflyh4ck. -- Active Defense Lab of Venustech ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c 2021-08-17 11:52 Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck @ 2021-08-18 7:33 ` butt3rflyh4ck 2021-08-19 16:57 ` Manivannan Sadhasivam 0 siblings, 1 reply; 4+ messages in thread From: butt3rflyh4ck @ 2021-08-18 7:33 UTC (permalink / raw) To: mani, David S. Miller, Jakub Kicinski; +Cc: linux-arm-msm, netdev [-- Attachment #1: Type: text/plain, Size: 3581 bytes --] Here I make a patch for this issue. Regards, butt3rflyh4ck. On Tue, Aug 17, 2021 at 7:52 PM butt3rflyh4ck <butterflyhuangxx@gmail.com> wrote: > > Hi, there is another out-of-bound read in qrtr_endpoint_post in > net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced. > > #analyze > In qrtr_endpoint_post, it would post incoming data from the user, the > ‘len’ is the size of data, the problem is in 'size'. > ``` > case QRTR_PROTO_VER_1: > if (len < sizeof(*v1)) // just judge len < sizeof(*v1) > goto err; > v1 = data; > hdrlen = sizeof(*v1); > [...] > size = le32_to_cpu(v1->size); > break; > ``` > If the version of qrtr proto is QRTR_PROTO_VER_1, hdrlen is > sizeof(qrtr_hdr_v1) and size is le32_to_cpu(v1->size). > ``` > if (len < sizeof(*v2)) // just judge len < sizeof(*v2) > goto err; > v2 = data; > hdrlen = sizeof(*v2) + v2->optlen; > [...] > size = le32_to_cpu(v2->size); > break; > ``` > if version of qrtr proto is QRTR_PROTO_VER_2, hdrlen is > sizeof(qrtr_hdr_v2) and size is le32_to_cpu(v2->size). > > the code as below can be bypassed. > ``` > if (len != ALIGN(size, 4) + hdrlen) > goto err; > ``` > if we set size zero and make 'len' equal to 'hdrlen', the judgement > is bypassed. > > ``` > if (cb->type == QRTR_TYPE_NEW_SERVER) { > /* Remote node endpoint can bridge other distant nodes */ > const struct qrtr_ctrl_pkt *pkt = data + hdrlen; > > qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); //[1] > } > ``` > *pkt = data + hdrlen = data + len, so pkt pointer the end of data. > [1]le32_to_cpu(pkt->server.node) could read out of bound. > > #crash log: > [ 2436.657182][ T8433] > ================================================================== > [ 2436.658615][ T8433] BUG: KASAN: slab-out-of-bounds in > qrtr_endpoint_post+0x478/0x5b0 > [ 2436.659971][ T8433] Read of size 4 at addr ffff88800ef30a2c by task > qrtr_endpoint_p/8433 > [ 2436.661476][ T8433] > [ 2436.661964][ T8433] CPU: 1 PID: 8433 Comm: qrtr_endpoint_p Not > tainted 5.14.0-rc6+ #7 > [ 2436.663431][ T8433] Hardware name: QEMU Standard PC (i440FX + PIIX, > 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 > [ 2436.665220][ T8433] Call Trace: > [ 2436.665870][ T8433] dump_stack_lvl+0x57/0x7d > [ 2436.666748][ T8433] print_address_description.constprop.0.cold+0x93/0x334 > [ 2436.668054][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 > [ 2436.669072][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 > [ 2436.669957][ T8433] kasan_report.cold+0x83/0xdf > [ 2436.670833][ T8433] ? qrtr_endpoint_post+0x478/0x5b0 > [ 2436.671780][ T8433] kasan_check_range+0x14e/0x1b0 > [ 2436.672707][ T8433] qrtr_endpoint_post+0x478/0x5b0 > [ 2436.673646][ T8433] qrtr_tun_write_iter+0x8b/0xe0 > [ 2436.674587][ T8433] new_sync_write+0x245/0x360 > [ 2436.675462][ T8433] ? new_sync_read+0x350/0x350 > [ 2436.676353][ T8433] ? policy_view_capable+0x3b0/0x6d0 > [ 2436.677266][ T8433] ? apparmor_task_setrlimit+0x4d0/0x4d0 > [ 2436.678251][ T8433] vfs_write+0x344/0x4e0 > [ 2436.679024][ T8433] ksys_write+0xc4/0x160 > [ 2436.679758][ T8433] ? __ia32_sys_read+0x40/0x40 > [ 2436.680605][ T8433] ? syscall_enter_from_user_mode+0x21/0x70 > [ 2436.681661][ T8433] do_syscall_64+0x35/0xb0 > [ 2436.682445][ T8433] entry_SYSCALL_64_after_hwframe+0x44/0xae > > #fix suggestion > 'size' should not be zero, it is length of packet, excluding this > header or (excluding this header and optlen). > > > Regards, > butt3rflyh4ck. > -- > Active Defense Lab of Venustech -- Active Defense Lab of Venustech [-- Attachment #2: 0001-net-qrtr-fix-another-OOB-Read-in-qrtr_endpoint_post.patch --] [-- Type: text/x-patch, Size: 1543 bytes --] From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001 From: butt3rflyh4ck <butterflyhhuangxx@gmail.com> Date: Wed, 18 Aug 2021 14:19:38 +0800 Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post This check was incomplete, did not consider size is 0: if (len != ALIGN(size, 4) + hdrlen) goto err; if size from qrtr_hdr is 0, the result of ALIGN(size, 4) will be 0, In case of len == hdrlen and size == 0 in header this check won't fail and if (cb->type == QRTR_TYPE_NEW_SERVER) { /* Remote node endpoint can bridge other distant nodes */ const struct qrtr_ctrl_pkt *pkt = data + hdrlen; qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); } will also read out of bound from data, which is hdrlen allocated block. Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post") Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com> --- net/qrtr/qrtr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index 171b7f3be6ef..0c30908628ba 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) goto err; } - if (len != ALIGN(size, 4) + hdrlen) + if (!size || len != ALIGN(size, 4) + hdrlen) goto err; if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA && -- 2.25.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c 2021-08-18 7:33 ` butt3rflyh4ck @ 2021-08-19 16:57 ` Manivannan Sadhasivam 2021-08-19 17:09 ` butt3rflyh4ck 0 siblings, 1 reply; 4+ messages in thread From: Manivannan Sadhasivam @ 2021-08-19 16:57 UTC (permalink / raw) To: butt3rflyh4ck; +Cc: David S. Miller, Jakub Kicinski, linux-arm-msm, netdev Hi, On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote: > Here I make a patch for this issue. [...] > From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001 > From: butt3rflyh4ck <butterflyhhuangxx@gmail.com> > Date: Wed, 18 Aug 2021 14:19:38 +0800 > Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post > > This check was incomplete, did not consider size is 0: > > if (len != ALIGN(size, 4) + hdrlen) > goto err; > > if size from qrtr_hdr is 0, the result of ALIGN(size, 4) > will be 0, In case of len == hdrlen and size == 0 > in header this check won't fail and > > if (cb->type == QRTR_TYPE_NEW_SERVER) { > /* Remote node endpoint can bridge other distant nodes */ > const struct qrtr_ctrl_pkt *pkt = data + hdrlen; > > qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); > } > > will also read out of bound from data, which is hdrlen allocated block. > > Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") > Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post") > Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com> Thanks for the bug report and the fix. Could you please send the fix as a proper patch as per: Documentation/process/submitting-patches.rst Thanks, Mani > --- > net/qrtr/qrtr.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > index 171b7f3be6ef..0c30908628ba 100644 > --- a/net/qrtr/qrtr.c > +++ b/net/qrtr/qrtr.c > @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) > goto err; > } > > - if (len != ALIGN(size, 4) + hdrlen) > + if (!size || len != ALIGN(size, 4) + hdrlen) > goto err; > > if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA && > -- > 2.25.1 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c 2021-08-19 16:57 ` Manivannan Sadhasivam @ 2021-08-19 17:09 ` butt3rflyh4ck 0 siblings, 0 replies; 4+ messages in thread From: butt3rflyh4ck @ 2021-08-19 17:09 UTC (permalink / raw) To: Manivannan Sadhasivam Cc: David S. Miller, Jakub Kicinski, linux-arm-msm, netdev Ok, no problem, I will send the fix later. Regards, butt3rflyh4ck. On Fri, Aug 20, 2021 at 12:57 AM Manivannan Sadhasivam <mani@kernel.org> wrote: > > Hi, > > On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote: > > Here I make a patch for this issue. > > [...] > > > From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001 > > From: butt3rflyh4ck <butterflyhhuangxx@gmail.com> > > Date: Wed, 18 Aug 2021 14:19:38 +0800 > > Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post > > > > This check was incomplete, did not consider size is 0: > > > > if (len != ALIGN(size, 4) + hdrlen) > > goto err; > > > > if size from qrtr_hdr is 0, the result of ALIGN(size, 4) > > will be 0, In case of len == hdrlen and size == 0 > > in header this check won't fail and > > > > if (cb->type == QRTR_TYPE_NEW_SERVER) { > > /* Remote node endpoint can bridge other distant nodes */ > > const struct qrtr_ctrl_pkt *pkt = data + hdrlen; > > > > qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); > > } > > > > will also read out of bound from data, which is hdrlen allocated block. > > > > Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets") > > Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post") > > Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com> > > Thanks for the bug report and the fix. Could you please send the fix as a proper > patch as per: Documentation/process/submitting-patches.rst > > Thanks, > Mani > > > --- > > net/qrtr/qrtr.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c > > index 171b7f3be6ef..0c30908628ba 100644 > > --- a/net/qrtr/qrtr.c > > +++ b/net/qrtr/qrtr.c > > @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) > > goto err; > > } > > > > - if (len != ALIGN(size, 4) + hdrlen) > > + if (!size || len != ALIGN(size, 4) + hdrlen) > > goto err; > > > > if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA && > > -- > > 2.25.1 > > > -- Active Defense Lab of Venustech ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-08-19 17:09 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-08-17 11:52 Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck 2021-08-18 7:33 ` butt3rflyh4ck 2021-08-19 16:57 ` Manivannan Sadhasivam 2021-08-19 17:09 ` butt3rflyh4ck
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.