netdev.vger.kernel.org archive mirror
* [PATCH net] sch_netem: fix a divide by zero in tabledist()
@ 2019-09-18 15:05 Eric Dumazet
  2019-09-21  2:15 ` Jakub Kicinski
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2019-09-18 15:05 UTC (permalink / raw)
  To: David S . Miller; +Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot

syzbot managed to crash the kernel in tabledist() loading
an empty distribution table.

	t = dist->table[rnd % dist->size];

Simply return an error when such load is attempted.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
---
 net/sched/sch_netem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c
index b17f2ed970e296adc57bed458ec3cced4fc6705b..f5cb35e550f8df557f2e444cc2fd142cab97789b 100644
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -777,7 +777,7 @@ static int get_dist_table(struct Qdisc *sch, struct disttable **tbl,
 	struct disttable *d;
 	int i;
 
-	if (n > NETEM_DIST_MAX)
+	if (!n || n > NETEM_DIST_MAX)
 		return -EINVAL;
 
 	d = kvmalloc(sizeof(struct disttable) + n * sizeof(s16), GFP_KERNEL);
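
Review bot: the `!n` half of the new test in get_dist_table() has no comment saying why an empty table is rejected, and it shares one bare -EINVAL with the oversize case. A one-line comment pointing at the `rnd % dist->size` modulo in tabledist() (quoted in the commit message) would keep a later cleanup from dropping the check as redundant. The guard sits at load time while the division happens in tabledist(), so it is also worth confirming that no other path can leave dist->size at zero.
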
-- 
2.23.0.237.gc6a4ce50a0-goog


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net] sch_netem: fix a divide by zero in tabledist()
  2019-09-18 15:05 [PATCH net] sch_netem: fix a divide by zero in tabledist() Eric Dumazet
@ 2019-09-21  2:15 ` Jakub Kicinski
  2019-09-23 15:52   ` Eric Dumazet
  0 siblings, 1 reply; 4+ messages in thread
From: Jakub Kicinski @ 2019-09-21  2:15 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: David S . Miller, netdev, Eric Dumazet, syzbot

On Wed, 18 Sep 2019 08:05:39 -0700, Eric Dumazet wrote:
> syzbot managed to crash the kernel in tabledist() loading
> an empty distribution table.
> 
> 	t = dist->table[rnd % dist->size];
> 
> Simply return an error when such load is attempted.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Reported-by: syzbot <syzkaller@googlegroups.com>

Applied, queued, thank you!

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] sch_netem: fix a divide by zero in tabledist()
  2019-09-21  2:15 ` Jakub Kicinski
@ 2019-09-23 15:52   ` Eric Dumazet
  2019-09-23 15:54     ` Eric Dumazet
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Dumazet @ 2019-09-23 15:52 UTC (permalink / raw)
  To: Jakub Kicinski, Eric Dumazet
  Cc: David S . Miller, netdev, Eric Dumazet, syzbot



On 9/20/19 7:15 PM, Jakub Kicinski wrote:
> On Wed, 18 Sep 2019 08:05:39 -0700, Eric Dumazet wrote:
>> syzbot managed to crash the kernel in tabledist() loading
>> an empty distribution table.
>>
>> 	t = dist->table[rnd % dist->size];
>>
>> Simply return an error when such load is attempted.
>>
>> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
>> Signed-off-by: Eric Dumazet <edumazet@google.com>
>> Reported-by: syzbot <syzkaller@googlegroups.com>
> 
> Applied, queued, thank you!
> 

Note that another divide by zero seems possible in the same function,
if sigma = 0x8000000


2*sigma becomes zero, and we have yet another issue in:

if (dist == NULL)
   return ((rnd % (2 * sigma)) + mu) - sigma;



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net] sch_netem: fix a divide by zero in tabledist()
  2019-09-23 15:52   ` Eric Dumazet
@ 2019-09-23 15:54     ` Eric Dumazet
  0 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2019-09-23 15:54 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Jakub Kicinski, David S . Miller, netdev, syzbot

On Mon, Sep 23, 2019 at 8:53 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 9/20/19 7:15 PM, Jakub Kicinski wrote:
> > On Wed, 18 Sep 2019 08:05:39 -0700, Eric Dumazet wrote:
> >> syzbot managed to crash the kernel in tabledist() loading
> >> an empty distribution table.
> >>
> >>      t = dist->table[rnd % dist->size];
> >>
> >> Simply return an error when such load is attempted.
> >>
> >> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> >> Signed-off-by: Eric Dumazet <edumazet@google.com>
> >> Reported-by: syzbot <syzkaller@googlegroups.com>
> >
> > Applied, queued, thank you!
> >
>
> Note that another divide by zero seems possible in the same function,
> if sigma = 0x8000000

I meant 0x80000000 here (aka 2^31)

>
>
> 2*sigma becomes zero, and we have yet another issue in :
>
> if (dist == NULL)
>    return ((rnd % (2 * sigma)) + mu) - sigma;
>
>

^ permalink raw reply	[flat|nested] 4+ messages in thread
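
The two zero-divisor cases raised in this thread, as an added example that is not part of the original messages and is not the kernel's code: a userspace C model of the two modulo expressions quoted above, with a guard in front of each. The `model_` names, the `MODEL_DIST_MAX` value and the choice of 32-bit unsigned arithmetic for sigma are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_DIST_MAX 16384u	/* constructed limit for this model */

struct model_disttable { uint32_t size; const int16_t *table; };

/* Load-time length check in the shape of the patched test: reject 0 and oversize. */
static int model_check_table_len(uint32_t n)
{
	return (!n || n > MODEL_DIST_MAX) ? -EINVAL : 0;
}

/* 2 * sigma in 32-bit unsigned arithmetic (assumed here): wraps modulo 2^32. */
static uint32_t model_uniform_divisor(uint32_t sigma)
{
	return 2u * sigma;
}

/* Guarded model of both modulo operations from the thread.
 * Returns 0 and stores a sample in *out, or -EINVAL if the divisor is zero. */
static int model_tabledist(uint32_t rnd, int64_t mu, uint32_t sigma,
			   const struct model_disttable *dist, int64_t *out)
{
	if (dist == NULL) {
		uint32_t div = model_uniform_divisor(sigma);

		if (div == 0)	/* sigma == 0, or sigma == 0x80000000 after wrap */
			return -EINVAL;
		*out = ((int64_t)(rnd % div) + mu) - (int64_t)sigma;
		return 0;
	}
	if (dist->size == 0)	/* empty table: rnd % dist->size would trap */
		return -EINVAL;
	*out = dist->table[rnd % dist->size];	/* model stops at the lookup */
	return 0;
}

int main(void)
{
	int64_t v = 0;
	int rc = model_tabledist(12345u, 100, 0x80000000u, NULL, &v);
	printf("sigma=0x80000000: divisor %u, rc %d\n",
	       (unsigned)model_uniform_divisor(0x80000000u), rc);
	printf("empty table load: rc %d\n", model_check_table_len(0));
	return 0;
}
```
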
