From patchwork Fri Nov 17 02:33:26 2017
X-Patchwork-Submitter: Kefeng Wang
X-Patchwork-Id: 119087
From: Kefeng Wang
To: , , ,
CC: Jiri Slaby , Vlad Yasevich , "Neil Horman" , "David S. Miller" , , , Kefeng Wang
Subject: [PATCH 7.x ubsan fix 3/6] net: sctp, forbid negative length
Date: Fri, 17 Nov 2017 10:33:26 +0800
Message-ID: <1510886009-141575-4-git-send-email-wangkefeng.wang@huawei.com>
X-Mailer: git-send-email 1.8.3.1
In-Reply-To: <1510886009-141575-1-git-send-email-wangkefeng.wang@huawei.com>
References: <1510886009-141575-1-git-send-email-wangkefeng.wang@huawei.com>
X-Mailing-List: netdev@vger.kernel.org
From: Jiri Slaby

mainline inclusion
from mainline-4.9
commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf
category: bugfix
bugzilla: 3214
DTS: NA
CVE: NA

-------------------------------------------------

Most of the getsockopt handlers in net/sctp/socket.c check len against
sizeof some structure like:

	if (len < sizeof(int))
		return -EINVAL;

On the first look, the check seems to be correct. But since len is int
and sizeof returns size_t, int gets promoted to unsigned size_t too. So
the test returns false for negative lengths. Yes, (-1 < sizeof(long)) is
false.

Fix this in sctp by explicitly checking len < 0 before any getsockopt
handler is called.

Note that sctp_getsockopt_events already handled the negative case.
Since we added the < 0 check elsewhere, this one can be removed.

If not checked, this is the result:

UBSAN: Undefined behaviour in ../mm/page_alloc.c:2722:19
shift exponent 52 is too large for 32-bit type 'int'
CPU: 1 PID: 24535 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014
 0000000000000000 ffff88006d99f2a8 ffffffffb2f7bdea 0000000041b58ab3
 ffffffffb4363c14 ffffffffb2f7bcde ffff88006d99f2d0 ffff88006d99f270
 0000000000000000 0000000000000000 0000000000000034 ffffffffb5096422
Call Trace:
 [] ? __ubsan_handle_shift_out_of_bounds+0x29c/0x300
 ...
 [] ? kmalloc_order+0x24/0x90
 [] ? kmalloc_order_trace+0x24/0x220
 [] ? __kmalloc+0x330/0x540
 [] ? sctp_getsockopt_local_addrs+0x174/0xca0 [sctp]
 [] ? sctp_getsockopt+0x10d/0x1b0 [sctp]
 [] ? sock_common_getsockopt+0xb9/0x150
 [] ? SyS_getsockopt+0x1a5/0x270

Signed-off-by: Jiri Slaby
Cc: Vlad Yasevich
Cc: Neil Horman
Cc: "David S. Miller"
Cc: linux-sctp@vger.kernel.org
Cc: netdev@vger.kernel.org
Acked-by: Neil Horman
Signed-off-by: David S. Miller
(cherry picked from commit a4b8e71b05c27bae6bad3bdecddbc6b68a3ad8cf)
Signed-off-by: Kefeng Wang --- net/sctp/socket.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) -- 1.8.3.1 diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 425a1a3..3a42f98 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4589,7 +4589,7 @@ static int sctp_getsockopt_disable_fragments(struct sock *sk, int len, static int sctp_getsockopt_events(struct sock *sk, int len, char __user *optval, int __user *optlen) { - if (len <= 0) + if (len == 0) return -EINVAL; if (len > sizeof(struct sctp_event_subscribe)) len = sizeof(struct sctp_event_subscribe); @@ -6252,6 +6252,9 @@ static int sctp_getsockopt(struct sock *sk, int level, int optname, if (get_user(len, optlen)) return -EFAULT; + if (len < 0) + return -EINVAL; + lock_sock(sk); switch (optname) {
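Review bot: In the sctp_getsockopt_events hunk, relaxing `if (len <= 0)` to `if (len == 0)` is only safe because the second hunk rejects a negative len in sctp_getsockopt before any handler is dispatched; the two hunks must land together, and a future caller that reaches this handler by another path would lose the protection. The following `if (len > sizeof(struct sctp_event_subscribe))` still compares an int with a size_t, which is fine once len is known to be non-negative, but a short comment above the `len == 0` check saying that negatives are filtered by the caller would make that dependency visible to the next reader.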
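Review bot: In the sctp_getsockopt hunk, placing `if (len < 0) return -EINVAL;` after `get_user(len, optlen)` and before `lock_sock(sk)` is the right spot: the early return needs no release_sock, and every handler in the switch inherits the guarantee, which is what lets the other handlers keep their `len < sizeof(...)` form without the int-to-size_t promotion admitting negative values. It would help to state in the commit message that the handlers' remaining int-vs-size_t comparisons are now relied upon to be correct only for len >= 0, since that invariant is established here and nowhere else.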
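The promotion bug described in the commit message, shown in userspace as an added example (not code from the patch or from net/sctp/socket.c): a handler check written the way the old sctp handlers wrote it accepts a negative length, and a central `len < 0` guard modelled on the second hunk stops it before the handler runs. Function names and the stand-in dispatcher are the reviewer's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* The pre-fix check pattern: len is int, sizeof() yields size_t, so the
 * usual arithmetic conversions turn a negative len into a huge unsigned
 * value and the "too small" test is false for every negative input. */
static int buggy_handler_check(int len)
{
	if (len < sizeof(int))
		return -EINVAL;
	return 0;
}

/* Same intent with the signedness handled inside the handler itself
 * (an alternative to the patch's approach, for comparison only). */
static int explicit_handler_check(int len)
{
	if (len < 0 || len < (int)sizeof(int))
		return -EINVAL;
	return 0;
}

/* Stand-in for sctp_getsockopt() after the patch: the dispatcher rejects a
 * negative len before any handler is reached, so a handler that still uses
 * the int-vs-size_t comparison can no longer be entered with len < 0. */
static int dispatch_getsockopt(int len)
{
	if (len < 0)
		return -EINVAL;
	return buggy_handler_check(len);
}

/* The size a negative len becomes once it reaches an allocator that takes
 * size_t, which is what drove the oversized allocation in the UBSAN trace. */
static size_t promoted_len(int len)
{
	return (size_t)len;
}
```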