From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 4.19 53/58] net_sched: avoid shift-out-of-bounds in tcindex_set_parms()
Date: Mon, 25 Jan 2021 19:39:54 +0100 [thread overview]
Message-ID: <20210125183158.974465946@linuxfoundation.org> (raw)
In-Reply-To: <20210125183156.702907356@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
commit bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 upstream.
tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT
attribute is not silly.
UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29
shift exponent 255 is too large for 32-bit type 'int'
CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0x107/0x163 lib/dump_stack.c:120
ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
__ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
valid_perfect_hash net/sched/cls_tcindex.c:260 [inline]
tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425
tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546
tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127
rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555
netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
____sys_sendmsg+0x6e8/0x810 net/socket.c:2336
___sys_sendmsg+0xf3/0x170 net/socket.c:2390
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2423
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/cls_tcindex.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/sched/cls_tcindex.c
+++ b/net/sched/cls_tcindex.c
@@ -339,9 +339,13 @@ tcindex_set_parms(struct net *net, struc
if (tb[TCA_TCINDEX_MASK])
cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
- if (tb[TCA_TCINDEX_SHIFT])
+ if (tb[TCA_TCINDEX_SHIFT]) {
cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
-
+ if (cp->shift > 16) {
+ err = -EINVAL;
+ goto errout;
+ }
+ }
if (!cp->hash) {
/* Hash not specified, use perfect hash if the upper limit
* of the hashing index is below the threshold.
next prev parent reply other threads:[~2021-01-25 18:49 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-25 18:39 [PATCH 4.19 00/58] 4.19.171-rc1 review Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 01/58] i2c: bpmp-tegra: Ignore unknown I2C_M flags Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 02/58] ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 03/58] ALSA: hda/via: Add minimum mute flag Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 04/58] ACPI: scan: Make acpi_bus_get_device() clear return pointer on error Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 05/58] btrfs: fix lockdep splat in btrfs_recover_relocation Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 06/58] mmc: core: dont initialize block size from ext_csd if not present Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 07/58] mmc: sdhci-xenon: fix 1.8v regulator stabilization Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 08/58] dm: avoid filesystem lookup in dm_get_dev_t() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 09/58] dm integrity: fix a crash if "recalculate" used without "internal_hash" Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 10/58] drm/atomic: put state on error path Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 11/58] ASoC: Intel: haswell: Add missing pm_ops Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 12/58] dm integrity: select CRYPTO_SKCIPHER Greg Kroah-Hartman
2021-01-25 18:58 ` Pavel Machek
2021-01-25 19:14 ` Anthony Iliopoulos
2021-01-26 8:47 ` Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 13/58] scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 14/58] scsi: qedi: Correct max length of CHAP secret Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 15/58] riscv: Fix kernel time_init() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 16/58] HID: Ignore battery for Elan touchscreen on ASUS UX550 Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 17/58] clk: tegra30: Add hda clock default rates to clock driver Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 18/58] xen: Fix event channel callback via INTX/GSI Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 19/58] drm/nouveau/bios: fix issue shadowing expansion ROMs Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 20/58] drm/nouveau/privring: ack interrupts the same way as RM Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 21/58] drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 22/58] drm/nouveau/mmu: fix vram heap sizing Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 23/58] drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 24/58] scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 25/58] i2c: octeon: check correct size of maximum RECV_LEN packet Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 26/58] platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 27/58] selftests: net: fib_tests: remove duplicate log test Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 28/58] can: dev: can_restart: fix use after free bug Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 29/58] can: vxcan: vxcan_xmit: " Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 30/58] can: peak_usb: fix use after free bugs Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 31/58] iio: ad5504: Fix setting power-down state Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 32/58] irqchip/mips-cpu: Set IPI domain parent chip Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 33/58] intel_th: pci: Add Alder Lake-P support Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 34/58] stm class: Fix module init return on allocation failure Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 35/58] serial: mvebu-uart: fix tx lost characters at power off Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 36/58] ehci: fix EHCI host controller initialization sequence Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 37/58] USB: ehci: fix an interrupt calltrace error Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 38/58] usb: gadget: aspeed: fix stop dma register setting Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 39/58] usb: udc: core: Use lock when write to soft_connect Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 40/58] usb: bdc: Make bdc pci driver depend on BROKEN Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 41/58] xhci: make sure TRB is fully written before giving it to the controller Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 42/58] xhci: tegra: Delay for disabling LFPS detector Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 43/58] driver core: Extend device_is_dependent() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 44/58] netfilter: rpfilter: mask ecn bits before fib lookup Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 45/58] sh: dma: fix kconfig dependency for G2_DMA Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 46/58] net: dsa: mv88e6xxx: also read STU state in mv88e6250_g1_vtu_getnext Greg Kroah-Hartman
2021-01-25 19:40 ` Rasmus Villemoes
2021-01-25 19:59 ` Rasmus Villemoes
2021-01-26 8:50 ` Greg Kroah-Hartman
2021-01-26 9:52 ` Rasmus Villemoes
2021-01-25 18:39 ` [PATCH 4.19 47/58] sh_eth: Fix power down vs. is_opened flag ordering Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 48/58] skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 49/58] kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 50/58] kasan: fix incorrect arguments passing in kasan_add_zero_shadow Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 51/58] udp: mask TOS bits in udp_v4_early_demux() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 52/58] ipv6: create multicast route with RTPROT_KERNEL Greg Kroah-Hartman
2021-01-25 18:39 ` Greg Kroah-Hartman [this message]
2021-01-25 18:39 ` [PATCH 4.19 54/58] net_sched: reject silly cell_log in qdisc_get_rtab() Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 55/58] ipv6: set multicast flag on the multicast route Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 56/58] net: mscc: ocelot: allow offloading of bridge on top of LAG Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 57/58] net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled Greg Kroah-Hartman
2021-01-25 18:39 ` [PATCH 4.19 58/58] net: dsa: b53: fix an off by one in checking "vlan->vid" Greg Kroah-Hartman
2021-01-25 20:47 ` [PATCH 4.19 00/58] 4.19.171-rc1 review Pavel Machek
2021-01-26 8:11 ` Naresh Kamboju
2021-01-26 19:27 ` Guenter Roeck
2021-01-26 23:38 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210125183158.974465946@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).