linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] sctp: socket.c validate sprstat_policy
@ 2018-10-27 20:20 Tomas Bortoli
  2018-10-27 20:43 ` Tomas Bortoli
  0 siblings, 1 reply; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 20:20 UTC (permalink / raw)
  To: vyasevich, nhorman, marcelo.leitner
  Cc: davem, linux-sctp, netdev, linux-kernel, Tomas Bortoli

It is possible to perform out-of-bound reads on
sctp_getsockopt_pr_streamstatus() and on
sctp_getsockopt_pr_assocstatus() by passing from userspace a
sprstat_policy that overflows the abandoned_sent/abandoned_unsent
fixed length arrays. The over-read data are directly copied/leaked
to userspace.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
---
v2 - added forgot ||

 net/sctp/socket.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fc0386e8ff23..5290b8bd40c8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
 	}
 
 	policy = params.sprstat_policy;
-	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
 		goto out;
 
 	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
@@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
 	}
 
 	policy = params.sprstat_policy;
-	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
 		goto out;
 
 	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread
* Re: [PATCH] sctp: socket.c validate sprstat_policy
  2018-10-27 20:20 [PATCH] sctp: socket.c validate sprstat_policy Tomas Bortoli
@ 2018-10-27 20:43 ` Tomas Bortoli
  2018-10-28  0:03   ` David Miller
  0 siblings, 1 reply; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 20:43 UTC (permalink / raw)
  To: vyasevich, nhorman, marcelo.leitner
  Cc: davem, linux-sctp, netdev, linux-kernel

On 10/27/18 10:20 PM, Tomas Bortoli wrote:
> It is possible to perform out-of-bound reads on
> sctp_getsockopt_pr_streamstatus() and on
> sctp_getsockopt_pr_assocstatus() by passing from userspace a
> sprstat_policy that overflows the abandoned_sent/abandoned_unsent
> fixed length arrays. The over-read data are directly copied/leaked
> to userspace.
> 
> Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
> Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
> ---
> v2 - added forgot ||
> 
>  net/sctp/socket.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index fc0386e8ff23..5290b8bd40c8 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
>  	}
>  
>  	policy = params.sprstat_policy;
> -	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
> +	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
> +	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
>  		goto out;
>  
>  	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
> @@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
>  	}
>  
>  	policy = params.sprstat_policy;
> -	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
> +	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
> +	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
>  		goto out;
>  
>  	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
> 

I just realized we also have to check for less than 0 indexes..


^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] sctp: socket.c validate sprstat_policy
  2018-10-27 20:43 ` Tomas Bortoli
@ 2018-10-28  0:03   ` David Miller
  0 siblings, 0 replies; 6+ messages in thread
From: David Miller @ 2018-10-28  0:03 UTC (permalink / raw)
  To: tomasbortoli
  Cc: vyasevich, nhorman, marcelo.leitner, linux-sctp, netdev, linux-kernel

From: Tomas Bortoli <tomasbortoli@gmail.com>
Date: Sat, 27 Oct 2018 22:43:43 +0200

> I just realized we also have to check for less than 0 indexes..

How about the fact that your original submission didn't even compile?

I hope you realized that first.

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] sctp: socket.c validate sprstat_policy
  2018-10-27 19:58 Tomas Bortoli
  2018-10-27 20:50 ` kbuild test robot
@ 2018-10-27 20:53 ` kbuild test robot
  1 sibling, 0 replies; 6+ messages in thread
From: kbuild test robot @ 2018-10-27 20:53 UTC (permalink / raw)
  To: Tomas Bortoli
  Cc: kbuild-all, vyasevich, nhorman, marcelo.leitner, davem,
	linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli

[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]

Hi Tomas,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on net-next/master]
[also build test ERROR on v4.19 next-20181019]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Tomas-Bortoli/sctp-socket-c-validate-sprstat_policy/20181028-040051
config: i386-randconfig-x077-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

All errors (new ones prefixed by >>):

   net//sctp/socket.c: In function 'sctp_getsockopt_pr_assocstatus':
>> net//sctp/socket.c:7086:25: error: called object is not a function or function pointer
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
                    ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

vim +7086 net//sctp/socket.c

  7066	
  7067	static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
  7068						  char __user *optval,
  7069						  int __user *optlen)
  7070	{
  7071		struct sctp_prstatus params;
  7072		struct sctp_association *asoc;
  7073		int policy;
  7074		int retval = -EINVAL;
  7075	
  7076		if (len < sizeof(params))
  7077			goto out;
  7078	
  7079		len = sizeof(params);
  7080		if (copy_from_user(&params, optval, len)) {
  7081			retval = -EFAULT;
  7082			goto out;
  7083		}
  7084	
  7085		policy = params.sprstat_policy;
> 7086		if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
  7087		    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
  7088			goto out;
  7089	
  7090		asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
  7091		if (!asoc)
  7092			goto out;
  7093	
  7094		if (policy & SCTP_PR_SCTP_ALL) {
  7095			params.sprstat_abandoned_unsent = 0;
  7096			params.sprstat_abandoned_sent = 0;
  7097			for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {
  7098				params.sprstat_abandoned_unsent +=
  7099					asoc->abandoned_unsent[policy];
  7100				params.sprstat_abandoned_sent +=
  7101					asoc->abandoned_sent[policy];
  7102			}
  7103		} else {
  7104			params.sprstat_abandoned_unsent =
  7105				asoc->abandoned_unsent[__SCTP_PR_INDEX(policy)];
  7106			params.sprstat_abandoned_sent =
  7107				asoc->abandoned_sent[__SCTP_PR_INDEX(policy)];
  7108		}
  7109	
  7110		if (put_user(len, optlen)) {
  7111			retval = -EFAULT;
  7112			goto out;
  7113		}
  7114	
  7115		if (copy_to_user(optval, &params, len)) {
  7116			retval = -EFAULT;
  7117			goto out;
  7118		}
  7119	
  7120		retval = 0;
  7121	
  7122	out:
  7123		return retval;
  7124	}
  7125	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 29507 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread
* Re: [PATCH] sctp: socket.c validate sprstat_policy
  2018-10-27 19:58 Tomas Bortoli
@ 2018-10-27 20:50 ` kbuild test robot
  2018-10-27 20:53 ` kbuild test robot
  1 sibling, 0 replies; 6+ messages in thread
From: kbuild test robot @ 2018-10-27 20:50 UTC (permalink / raw)
  To: Tomas Bortoli
  Cc: kbuild-all, vyasevich, nhorman, marcelo.leitner, davem,
	linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli

[-- Attachment #1: Type: text/plain, Size: 4456 bytes --]

Hi Tomas,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on net-next/master]
[also build test WARNING on v4.19 next-20181019]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Tomas-Bortoli/sctp-socket-c-validate-sprstat_policy/20181028-040051
config: i386-randconfig-x075-201843 (attached as .config)
compiler: gcc-7 (Debian 7.3.0-1) 7.3.0
reproduce:
        # save the attached .config to linux build tree
        make ARCH=i386 

All warnings (new ones prefixed by >>):

   In file included from arch/x86/include/asm/atomic.h:5:0,
                    from include/linux/atomic.h:7,
                    from include/linux/crypto.h:20,
                    from include/crypto/hash.h:16,
                    from net/sctp/socket.c:55:
   net/sctp/socket.c: In function 'sctp_getsockopt_pr_assocstatus':
   net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
                    ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:58:30: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                 ^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
     ^~
   net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
                    ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:58:42: note: in definition of macro '__trace_if'
     if (__builtin_constant_p(!!(cond)) ? !!(cond) :   \
                                             ^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
     ^~
   net/sctp/socket.c:7086:25: error: called object is not a function or function pointer
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
                    ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   include/linux/compiler.h:69:16: note: in definition of macro '__trace_if'
      ______r = !!(cond);     \
                   ^~~~
>> net/sctp/socket.c:7086:2: note: in expansion of macro 'if'
     if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
     ^~

vim +/if +7086 net/sctp/socket.c

  7066	
  7067	static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
  7068						  char __user *optval,
  7069						  int __user *optlen)
  7070	{
  7071		struct sctp_prstatus params;
  7072		struct sctp_association *asoc;
  7073		int policy;
  7074		int retval = -EINVAL;
  7075	
  7076		if (len < sizeof(params))
  7077			goto out;
  7078	
  7079		len = sizeof(params);
  7080		if (copy_from_user(&params, optval, len)) {
  7081			retval = -EFAULT;
  7082			goto out;
  7083		}
  7084	
  7085		policy = params.sprstat_policy;
> 7086		if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
  7087		    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
  7088			goto out;
  7089	
  7090		asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
  7091		if (!asoc)
  7092			goto out;
  7093	
  7094		if (policy & SCTP_PR_SCTP_ALL) {
  7095			params.sprstat_abandoned_unsent = 0;
  7096			params.sprstat_abandoned_sent = 0;
  7097			for (policy = 0; policy <= SCTP_PR_INDEX(MAX); policy++) {
  7098				params.sprstat_abandoned_unsent +=
  7099					asoc->abandoned_unsent[policy];
  7100				params.sprstat_abandoned_sent +=
  7101					asoc->abandoned_sent[policy];
  7102			}
  7103		} else {
  7104			params.sprstat_abandoned_unsent =
  7105				asoc->abandoned_unsent[__SCTP_PR_INDEX(policy)];
  7106			params.sprstat_abandoned_sent =
  7107				asoc->abandoned_sent[__SCTP_PR_INDEX(policy)];
  7108		}
  7109	
  7110		if (put_user(len, optlen)) {
  7111			retval = -EFAULT;
  7112			goto out;
  7113		}
  7114	
  7115		if (copy_to_user(optval, &params, len)) {
  7116			retval = -EFAULT;
  7117			goto out;
  7118		}
  7119	
  7120		retval = 0;
  7121	
  7122	out:
  7123		return retval;
  7124	}
  7125	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 33915 bytes --]

^ permalink raw reply	[flat|nested] 6+ messages in thread
* [PATCH] sctp: socket.c validate sprstat_policy
@ 2018-10-27 19:58 Tomas Bortoli
  2018-10-27 20:50 ` kbuild test robot
  2018-10-27 20:53 ` kbuild test robot
  0 siblings, 2 replies; 6+ messages in thread
From: Tomas Bortoli @ 2018-10-27 19:58 UTC (permalink / raw)
  To: vyasevich, nhorman, marcelo.leitner
  Cc: davem, linux-sctp, netdev, linux-kernel, syzkaller, Tomas Bortoli

It is possible to perform out-of-bound reads on
sctp_getsockopt_pr_streamstatus() and on
sctp_getsockopt_pr_assocstatus() by passing from userspace a
sprstat_policy that overflows the abandoned_sent/abandoned_unsent
fixed length arrays. The over-read data are directly copied/leaked
to userspace.

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+5da0d0a72a9e7d791748@syzkaller.appspotmail.com
---
 net/sctp/socket.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index fc0386e8ff23..5290b8bd40c8 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -7083,7 +7083,8 @@ static int sctp_getsockopt_pr_assocstatus(struct sock *sk, int len,
 	}
 
 	policy = params.sprstat_policy;
-	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL))
+	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
 		goto out;
 
 	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
@@ -7142,7 +7143,8 @@ static int sctp_getsockopt_pr_streamstatus(struct sock *sk, int len,
 	}
 
 	policy = params.sprstat_policy;
-	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)))
+	if (!policy || (policy & ~(SCTP_PR_SCTP_MASK | SCTP_PR_SCTP_ALL)) ||
+	    __SCTP_PR_INDEX(policy) > SCTP_PR_INDEX(MAX))
 		goto out;
 
 	asoc = sctp_id2assoc(sk, params.sprstat_assoc_id);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 6+ messages in thread
end of thread, other threads:[~2018-10-28  0:03 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-10-27 20:20 [PATCH] sctp: socket.c validate sprstat_policy Tomas Bortoli
2018-10-27 20:43 ` Tomas Bortoli
2018-10-28  0:03   ` David Miller
  -- strict thread matches above, loose matches on Subject: below --
2018-10-27 19:58 Tomas Bortoli
2018-10-27 20:50 ` kbuild test robot
2018-10-27 20:53 ` kbuild test robot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).