* Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
@ 2021-08-17 11:52 butt3rflyh4ck
2021-08-18 7:33 ` butt3rflyh4ck
0 siblings, 1 reply; 4+ messages in thread
From: butt3rflyh4ck @ 2021-08-17 11:52 UTC (permalink / raw)
To: mani, David S. Miller, Jakub Kicinski; +Cc: linux-arm-msm, netdev
Hi, there is another out-of-bound read in qrtr_endpoint_post in
net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced.
#analyze
In qrtr_endpoint_post, it would post incoming data from the user, the
‘len’ is the size of data, the problem is in 'size'.
```
case QRTR_PROTO_VER_1:
if (len < sizeof(*v1)) // just judge len < sizeof(*v1)
goto err;
v1 = data;
hdrlen = sizeof(*v1);
[...]
size = le32_to_cpu(v1->size);
break;
```
If the version of qrtr proto is QRTR_PROTO_VER_1, hdrlen is
sizeof(qrtr_hdr_v1) and size is le32_to_cpu(v1->size).
```
if (len < sizeof(*v2)) // just judge len < sizeof(*v2)
goto err;
v2 = data;
hdrlen = sizeof(*v2) + v2->optlen;
[...]
size = le32_to_cpu(v2->size);
break;
```
if version of qrtr proto is QRTR_PROTO_VER_2, hdrlen is
sizeof(qrtr_hdr_v2) and size is le32_to_cpu(v2->size).
the code as below can be bypassed.
```
if (len != ALIGN(size, 4) + hdrlen)
goto err;
```
if we set size zero and make 'len' equal to 'hdrlen', the judgement
is bypassed.
```
if (cb->type == QRTR_TYPE_NEW_SERVER) {
/* Remote node endpoint can bridge other distant nodes */
const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); //[1]
}
```
*pkt = data + hdrlen = data + len, so pkt pointer the end of data.
[1]le32_to_cpu(pkt->server.node) could read out of bound.
#crash log:
[ 2436.657182][ T8433]
==================================================================
[ 2436.658615][ T8433] BUG: KASAN: slab-out-of-bounds in
qrtr_endpoint_post+0x478/0x5b0
[ 2436.659971][ T8433] Read of size 4 at addr ffff88800ef30a2c by task
qrtr_endpoint_p/8433
[ 2436.661476][ T8433]
[ 2436.661964][ T8433] CPU: 1 PID: 8433 Comm: qrtr_endpoint_p Not
tainted 5.14.0-rc6+ #7
[ 2436.663431][ T8433] Hardware name: QEMU Standard PC (i440FX + PIIX,
1996), BIOS 1.13.0-1ubuntu1 04/01/2014
[ 2436.665220][ T8433] Call Trace:
[ 2436.665870][ T8433] dump_stack_lvl+0x57/0x7d
[ 2436.666748][ T8433] print_address_description.constprop.0.cold+0x93/0x334
[ 2436.668054][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
[ 2436.669072][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
[ 2436.669957][ T8433] kasan_report.cold+0x83/0xdf
[ 2436.670833][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
[ 2436.671780][ T8433] kasan_check_range+0x14e/0x1b0
[ 2436.672707][ T8433] qrtr_endpoint_post+0x478/0x5b0
[ 2436.673646][ T8433] qrtr_tun_write_iter+0x8b/0xe0
[ 2436.674587][ T8433] new_sync_write+0x245/0x360
[ 2436.675462][ T8433] ? new_sync_read+0x350/0x350
[ 2436.676353][ T8433] ? policy_view_capable+0x3b0/0x6d0
[ 2436.677266][ T8433] ? apparmor_task_setrlimit+0x4d0/0x4d0
[ 2436.678251][ T8433] vfs_write+0x344/0x4e0
[ 2436.679024][ T8433] ksys_write+0xc4/0x160
[ 2436.679758][ T8433] ? __ia32_sys_read+0x40/0x40
[ 2436.680605][ T8433] ? syscall_enter_from_user_mode+0x21/0x70
[ 2436.681661][ T8433] do_syscall_64+0x35/0xb0
[ 2436.682445][ T8433] entry_SYSCALL_64_after_hwframe+0x44/0xae
#fix suggestion
'size' should not be zero, it is length of packet, excluding this
header or (excluding this header and optlen).
Regards,
butt3rflyh4ck.
--
Active Defense Lab of Venustech
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
2021-08-17 11:52 Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck
@ 2021-08-18 7:33 ` butt3rflyh4ck
2021-08-19 16:57 ` Manivannan Sadhasivam
0 siblings, 1 reply; 4+ messages in thread
From: butt3rflyh4ck @ 2021-08-18 7:33 UTC (permalink / raw)
To: mani, David S. Miller, Jakub Kicinski; +Cc: linux-arm-msm, netdev
[-- Attachment #1: Type: text/plain, Size: 3581 bytes --]
Here I make a patch for this issue.
Regards,
butt3rflyh4ck.
On Tue, Aug 17, 2021 at 7:52 PM butt3rflyh4ck
<butterflyhuangxx@gmail.com> wrote:
>
> Hi, there is another out-of-bound read in qrtr_endpoint_post in
> net/qrtr/qrtr.c in 5.14.0-rc6+ and reproduced.
>
> #analyze
> In qrtr_endpoint_post, it would post incoming data from the user, the
> ‘len’ is the size of data, the problem is in 'size'.
> ```
> case QRTR_PROTO_VER_1:
> if (len < sizeof(*v1)) // just judge len < sizeof(*v1)
> goto err;
> v1 = data;
> hdrlen = sizeof(*v1);
> [...]
> size = le32_to_cpu(v1->size);
> break;
> ```
> If the version of qrtr proto is QRTR_PROTO_VER_1, hdrlen is
> sizeof(qrtr_hdr_v1) and size is le32_to_cpu(v1->size).
> ```
> if (len < sizeof(*v2)) // just judge len < sizeof(*v2)
> goto err;
> v2 = data;
> hdrlen = sizeof(*v2) + v2->optlen;
> [...]
> size = le32_to_cpu(v2->size);
> break;
> ```
> if version of qrtr proto is QRTR_PROTO_VER_2, hdrlen is
> sizeof(qrtr_hdr_v2) and size is le32_to_cpu(v2->size).
>
> the code as below can be bypassed.
> ```
> if (len != ALIGN(size, 4) + hdrlen)
> goto err;
> ```
> if we set size zero and make 'len' equal to 'hdrlen', the judgement
> is bypassed.
>
> ```
> if (cb->type == QRTR_TYPE_NEW_SERVER) {
> /* Remote node endpoint can bridge other distant nodes */
> const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
>
> qrtr_node_assign(node, le32_to_cpu(pkt->server.node)); //[1]
> }
> ```
> *pkt = data + hdrlen = data + len, so pkt pointer the end of data.
> [1]le32_to_cpu(pkt->server.node) could read out of bound.
>
> #crash log:
> [ 2436.657182][ T8433]
> ==================================================================
> [ 2436.658615][ T8433] BUG: KASAN: slab-out-of-bounds in
> qrtr_endpoint_post+0x478/0x5b0
> [ 2436.659971][ T8433] Read of size 4 at addr ffff88800ef30a2c by task
> qrtr_endpoint_p/8433
> [ 2436.661476][ T8433]
> [ 2436.661964][ T8433] CPU: 1 PID: 8433 Comm: qrtr_endpoint_p Not
> tainted 5.14.0-rc6+ #7
> [ 2436.663431][ T8433] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
> [ 2436.665220][ T8433] Call Trace:
> [ 2436.665870][ T8433] dump_stack_lvl+0x57/0x7d
> [ 2436.666748][ T8433] print_address_description.constprop.0.cold+0x93/0x334
> [ 2436.668054][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.669072][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.669957][ T8433] kasan_report.cold+0x83/0xdf
> [ 2436.670833][ T8433] ? qrtr_endpoint_post+0x478/0x5b0
> [ 2436.671780][ T8433] kasan_check_range+0x14e/0x1b0
> [ 2436.672707][ T8433] qrtr_endpoint_post+0x478/0x5b0
> [ 2436.673646][ T8433] qrtr_tun_write_iter+0x8b/0xe0
> [ 2436.674587][ T8433] new_sync_write+0x245/0x360
> [ 2436.675462][ T8433] ? new_sync_read+0x350/0x350
> [ 2436.676353][ T8433] ? policy_view_capable+0x3b0/0x6d0
> [ 2436.677266][ T8433] ? apparmor_task_setrlimit+0x4d0/0x4d0
> [ 2436.678251][ T8433] vfs_write+0x344/0x4e0
> [ 2436.679024][ T8433] ksys_write+0xc4/0x160
> [ 2436.679758][ T8433] ? __ia32_sys_read+0x40/0x40
> [ 2436.680605][ T8433] ? syscall_enter_from_user_mode+0x21/0x70
> [ 2436.681661][ T8433] do_syscall_64+0x35/0xb0
> [ 2436.682445][ T8433] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> #fix suggestion
> 'size' should not be zero, it is length of packet, excluding this
> header or (excluding this header and optlen).
>
>
> Regards,
> butt3rflyh4ck.
> --
> Active Defense Lab of Venustech
--
Active Defense Lab of Venustech
[-- Attachment #2: 0001-net-qrtr-fix-another-OOB-Read-in-qrtr_endpoint_post.patch --]
[-- Type: text/x-patch, Size: 1543 bytes --]
From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001
From: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
Date: Wed, 18 Aug 2021 14:19:38 +0800
Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post
This check was incomplete, did not consider size is 0:
if (len != ALIGN(size, 4) + hdrlen)
goto err;
if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
will be 0, In case of len == hdrlen and size == 0
in header this check won't fail and
if (cb->type == QRTR_TYPE_NEW_SERVER) {
/* Remote node endpoint can bridge other distant nodes */
const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
}
will also read out of bound from data, which is hdrlen allocated block.
Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
---
net/qrtr/qrtr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index 171b7f3be6ef..0c30908628ba 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
goto err;
}
- if (len != ALIGN(size, 4) + hdrlen)
+ if (!size || len != ALIGN(size, 4) + hdrlen)
goto err;
if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
--
2.25.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
2021-08-18 7:33 ` butt3rflyh4ck
@ 2021-08-19 16:57 ` Manivannan Sadhasivam
2021-08-19 17:09 ` butt3rflyh4ck
0 siblings, 1 reply; 4+ messages in thread
From: Manivannan Sadhasivam @ 2021-08-19 16:57 UTC (permalink / raw)
To: butt3rflyh4ck; +Cc: David S. Miller, Jakub Kicinski, linux-arm-msm, netdev
Hi,
On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote:
> Here I make a patch for this issue.
[...]
> From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001
> From: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
> Date: Wed, 18 Aug 2021 14:19:38 +0800
> Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post
>
> This check was incomplete, did not consider size is 0:
>
> if (len != ALIGN(size, 4) + hdrlen)
> goto err;
>
> if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
> will be 0, In case of len == hdrlen and size == 0
> in header this check won't fail and
>
> if (cb->type == QRTR_TYPE_NEW_SERVER) {
> /* Remote node endpoint can bridge other distant nodes */
> const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
>
> qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
> }
>
> will also read out of bound from data, which is hdrlen allocated block.
>
> Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
> Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
Thanks for the bug report and the fix. Could you please send the fix as a proper
patch as per: Documentation/process/submitting-patches.rst
Thanks,
Mani
> ---
> net/qrtr/qrtr.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> index 171b7f3be6ef..0c30908628ba 100644
> --- a/net/qrtr/qrtr.c
> +++ b/net/qrtr/qrtr.c
> @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
> goto err;
> }
>
> - if (len != ALIGN(size, 4) + hdrlen)
> + if (!size || len != ALIGN(size, 4) + hdrlen)
> goto err;
>
> if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
> --
> 2.25.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c
2021-08-19 16:57 ` Manivannan Sadhasivam
@ 2021-08-19 17:09 ` butt3rflyh4ck
0 siblings, 0 replies; 4+ messages in thread
From: butt3rflyh4ck @ 2021-08-19 17:09 UTC (permalink / raw)
To: Manivannan Sadhasivam
Cc: David S. Miller, Jakub Kicinski, linux-arm-msm, netdev
Ok, no problem, I will send the fix later.
Regards,
butt3rflyh4ck.
On Fri, Aug 20, 2021 at 12:57 AM Manivannan Sadhasivam <mani@kernel.org> wrote:
>
> Hi,
>
> On Wed, Aug 18, 2021 at 03:33:38PM +0800, butt3rflyh4ck wrote:
> > Here I make a patch for this issue.
>
> [...]
>
> > From 18d9f83f17375785beadbe6a0d0ee59503f65925 Mon Sep 17 00:00:00 2001
> > From: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
> > Date: Wed, 18 Aug 2021 14:19:38 +0800
> > Subject: [PATCH] net: qrtr: fix another OOB Read in qrtr_endpoint_post
> >
> > This check was incomplete, did not consider size is 0:
> >
> > if (len != ALIGN(size, 4) + hdrlen)
> > goto err;
> >
> > if size from qrtr_hdr is 0, the result of ALIGN(size, 4)
> > will be 0, In case of len == hdrlen and size == 0
> > in header this check won't fail and
> >
> > if (cb->type == QRTR_TYPE_NEW_SERVER) {
> > /* Remote node endpoint can bridge other distant nodes */
> > const struct qrtr_ctrl_pkt *pkt = data + hdrlen;
> >
> > qrtr_node_assign(node, le32_to_cpu(pkt->server.node));
> > }
> >
> > will also read out of bound from data, which is hdrlen allocated block.
> >
> > Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
> > Fixes: ad9d24c9429e ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> > Signed-off-by: butt3rflyh4ck <butterflyhhuangxx@gmail.com>
>
> Thanks for the bug report and the fix. Could you please send the fix as a proper
> patch as per: Documentation/process/submitting-patches.rst
>
> Thanks,
> Mani
>
> > ---
> > net/qrtr/qrtr.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
> > index 171b7f3be6ef..0c30908628ba 100644
> > --- a/net/qrtr/qrtr.c
> > +++ b/net/qrtr/qrtr.c
> > @@ -493,7 +493,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
> > goto err;
> > }
> >
> > - if (len != ALIGN(size, 4) + hdrlen)
> > + if (!size || len != ALIGN(size, 4) + hdrlen)
> > goto err;
> >
> > if (cb->dst_port != QRTR_PORT_CTRL && cb->type != QRTR_TYPE_DATA &&
> > --
> > 2.25.1
> >
>
--
Active Defense Lab of Venustech
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-08-19 17:09 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-17 11:52 Another out-of-bound Read in qrtr_endpoint_post in net/qrtr/qrtr.c butt3rflyh4ck
2021-08-18 7:33 ` butt3rflyh4ck
2021-08-19 16:57 ` Manivannan Sadhasivam
2021-08-19 17:09 ` butt3rflyh4ck
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.