From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79647C433EF for ; Thu, 14 Oct 2021 15:02:16 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 62FA9608FE for ; Thu, 14 Oct 2021 15:02:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233116AbhJNPET (ORCPT ); Thu, 14 Oct 2021 11:04:19 -0400 Received: from mail.kernel.org ([198.145.29.99]:43300 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231867AbhJNPC6 (ORCPT ); Thu, 14 Oct 2021 11:02:58 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CE7ED61212; Thu, 14 Oct 2021 14:59:43 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1634223584; bh=tqiKyr37ICcCIa+ia8LLlMSrN+ekonHueUB6OZpEBTE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=D/Bt+as4MgsanzFST4pdnp32pHFfZ4zgO1wBecTnp5g3SUx9z1MaVD1k/O+Mrcsrv LMer1/FgCb2EPxsZLRC1dyy7PweG4tJmXF+XC1aJ8lR7Bkd8MEIW/rBPGCCD4s7mU1 2SOyLiOFk1k6AtvL06ObMePNtb1dzmI0fjaqtB18= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Abaci , Michael Wang , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 13/22] net: prevent user from passing illegal stab size Date: Thu, 14 Oct 2021 16:54:19 +0200 Message-Id: <20211014145208.419020014@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20211014145207.979449962@linuxfoundation.org> References: <20211014145207.979449962@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: 王贇 [ Upstream commit b193e15ac69d56f35e1d8e2b5d16cbd47764d053 ] We observed below report when playing with netlink sock: UBSAN: shift-out-of-bounds in net/sched/sch_api.c:580:10 shift exponent 249 is too large for 32-bit type CPU: 0 PID: 685 Comm: a.out Not tainted Call Trace: dump_stack_lvl+0x8d/0xcf ubsan_epilogue+0xa/0x4e __ubsan_handle_shift_out_of_bounds+0x161/0x182 __qdisc_calculate_pkt_len+0xf0/0x190 __dev_queue_xmit+0x2ed/0x15b0 it seems like kernel won't check the stab log value passing from user, and will use the insane value later to calculate pkt_len. This patch just add a check on the size/cell_log to avoid insane calculation. Reported-by: Abaci Signed-off-by: Michael Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- include/net/pkt_sched.h | 1 + net/sched/sch_api.c | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/include/net/pkt_sched.h b/include/net/pkt_sched.h index 2be90a54a404..7e58b4470570 100644 --- a/include/net/pkt_sched.h +++ b/include/net/pkt_sched.h @@ -11,6 +11,7 @@ #include #define DEFAULT_TX_QUEUE_LEN 1000 +#define STAB_SIZE_LOG_MAX 30 struct qdisc_walker { int stop; diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c index 54a8c363bcdd..7b24582a8a16 100644 --- a/net/sched/sch_api.c +++ b/net/sched/sch_api.c @@ -513,6 +513,12 @@ static struct qdisc_size_table *qdisc_get_stab(struct nlattr *opt, return stab; } + if (s->size_log > STAB_SIZE_LOG_MAX || + s->cell_log > STAB_SIZE_LOG_MAX) { + NL_SET_ERR_MSG(extack, "Invalid logarithmic size of size table"); + return ERR_PTR(-EINVAL); + } + stab = kmalloc(sizeof(*stab) + tsize * sizeof(u16), GFP_KERNEL); if (!stab) return ERR_PTR(-ENOMEM); -- 2.33.0