From mboxrd@z Thu Jan 1 00:00:00 1970 From: Marcelo Ricardo Leitner Date: Fri, 20 Jan 2017 13:22:02 +0000 Subject: Re: [PATCH] net: sctp: fix array overrun read on sctp_timer_tbl Message-Id: <20170120132202.GS3781@localhost.localdomain> List-Id: References: <20170120130157.20034-1-colin.king@canonical.com> <20170120131000.GR3781@localhost.localdomain> <4ba6d2eb-972d-4e2e-7876-7ecf3e29a438@canonical.com> In-Reply-To: <4ba6d2eb-972d-4e2e-7876-7ecf3e29a438@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Colin Ian King Cc: Vlad Yasevich , Neil Horman , "David S . Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lucien.xin@gmail.com On Fri, Jan 20, 2017 at 01:15:18PM +0000, Colin Ian King wrote: > On 20/01/17 13:10, Marcelo Ricardo Leitner wrote: > > On Fri, Jan 20, 2017 at 01:01:57PM +0000, Colin King wrote: > >> From: Colin Ian King > >> > >> The comparison on the timeout can lead to an array overrun > >> read on sctp_timer_tbl because of an off-by-one error. Fix > >> this by using < instead of <= and also compare to the array > >> size rather than SCTP_EVENT_TIMEOUT_MAX. > >> > >> Fixes CoverityScan CID#1397639 ("Out-of-bounds read") > >> > >> Signed-off-by: Colin Ian King > >> --- > >> net/sctp/debug.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/net/sctp/debug.c b/net/sctp/debug.c > >> index 95d7b15..e371a0d 100644 > >> --- a/net/sctp/debug.c > >> +++ b/net/sctp/debug.c > >> @@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[] = { > >> /* Lookup timer debug name. */ > >> const char *sctp_tname(const sctp_subtype_t id) > >> { > >> - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) > >> + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) > >> return sctp_timer_tbl[id.timeout]; > > > > The issue exists but this is not the right fix. > > Issue was introduced by 7b9438de0cd4 ("sctp: add stream reconf timer") > > as it introduced a new timer but didn't add the timer name here, so the > > fix should (also) include: > > > > diff --git a/net/sctp/debug.c b/net/sctp/debug.c > > index 95d7b15dad21..c5f4ed5242ac 100644 > > --- a/net/sctp/debug.c > > +++ b/net/sctp/debug.c > > @@ -159,6 +159,7 @@ static const char *const sctp_timer_tbl[] = { > > "TIMEOUT_T4_RTO", > > "TIMEOUT_T5_SHUTDOWN_GUARD", > > "TIMEOUT_HEARTBEAT", > > + "TIMEOUT_RECONF", > > "TIMEOUT_SACK", > > "TIMEOUT_AUTOCLOSE", > > }; > > Ah, OK, I can add that timeout into the the table, but perhaps it's > still prudent to check the index against the table size as well. > Yes, and/or a: BUILD_BUG_ON(SCTP_EVENT_TIMEOUT_MAX + 1 != ARRAY_SIZE(sctp_timer_tbl)) As then we would be sure to have the list right :-) Otherwise we may not do wrong reads but may report the wrong timer name. > > > > Thanks, > > Marcelo > > > >> return "unknown_timer"; > >> } > >> -- > >> 2.10.2 > >> > >> -- > >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > >> the body of a message to majordomo@vger.kernel.org > >> More majordomo info at http://vger.kernel.org/majordomo-info.html > >> > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752187AbdATNWJ (ORCPT ); Fri, 20 Jan 2017 08:22:09 -0500 Received: from mx1.redhat.com ([209.132.183.28]:38946 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750893AbdATNWH (ORCPT ); Fri, 20 Jan 2017 08:22:07 -0500 Date: Fri, 20 Jan 2017 11:22:02 -0200 From: Marcelo Ricardo Leitner To: Colin Ian King Cc: Vlad Yasevich , Neil Horman , "David S . Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, lucien.xin@gmail.com Subject: Re: [PATCH] net: sctp: fix array overrun read on sctp_timer_tbl Message-ID: <20170120132202.GS3781@localhost.localdomain> References: <20170120130157.20034-1-colin.king@canonical.com> <20170120131000.GR3781@localhost.localdomain> <4ba6d2eb-972d-4e2e-7876-7ecf3e29a438@canonical.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4ba6d2eb-972d-4e2e-7876-7ecf3e29a438@canonical.com> User-Agent: Mutt/1.7.1 (2016-10-04) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Fri, 20 Jan 2017 13:22:08 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Jan 20, 2017 at 01:15:18PM +0000, Colin Ian King wrote: > On 20/01/17 13:10, Marcelo Ricardo Leitner wrote: > > On Fri, Jan 20, 2017 at 01:01:57PM +0000, Colin King wrote: > >> From: Colin Ian King > >> > >> The comparison on the timeout can lead to an array overrun > >> read on sctp_timer_tbl because of an off-by-one error. Fix > >> this by using < instead of <= and also compare to the array > >> size rather than SCTP_EVENT_TIMEOUT_MAX. > >> > >> Fixes CoverityScan CID#1397639 ("Out-of-bounds read") > >> > >> Signed-off-by: Colin Ian King > >> --- > >> net/sctp/debug.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/net/sctp/debug.c b/net/sctp/debug.c > >> index 95d7b15..e371a0d 100644 > >> --- a/net/sctp/debug.c > >> +++ b/net/sctp/debug.c > >> @@ -166,7 +166,7 @@ static const char *const sctp_timer_tbl[] = { > >> /* Lookup timer debug name. */ > >> const char *sctp_tname(const sctp_subtype_t id) > >> { > >> - if (id.timeout <= SCTP_EVENT_TIMEOUT_MAX) > >> + if (id.timeout < ARRAY_SIZE(sctp_timer_tbl)) > >> return sctp_timer_tbl[id.timeout]; > > > > The issue exists but this is not the right fix. > > Issue was introduced by 7b9438de0cd4 ("sctp: add stream reconf timer") > > as it introduced a new timer but didn't add the timer name here, so the > > fix should (also) include: > > > > diff --git a/net/sctp/debug.c b/net/sctp/debug.c > > index 95d7b15dad21..c5f4ed5242ac 100644 > > --- a/net/sctp/debug.c > > +++ b/net/sctp/debug.c > > @@ -159,6 +159,7 @@ static const char *const sctp_timer_tbl[] = { > > "TIMEOUT_T4_RTO", > > "TIMEOUT_T5_SHUTDOWN_GUARD", > > "TIMEOUT_HEARTBEAT", > > + "TIMEOUT_RECONF", > > "TIMEOUT_SACK", > > "TIMEOUT_AUTOCLOSE", > > }; > > Ah, OK, I can add that timeout into the the table, but perhaps it's > still prudent to check the index against the table size as well. > Yes, and/or a: BUILD_BUG_ON(SCTP_EVENT_TIMEOUT_MAX + 1 != ARRAY_SIZE(sctp_timer_tbl)) As then we would be sure to have the list right :-) Otherwise we may not do wrong reads but may report the wrong timer name. > > > > Thanks, > > Marcelo > > > >> return "unknown_timer"; > >> } > >> -- > >> 2.10.2 > >> > >> -- > >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > >> the body of a message to majordomo@vger.kernel.org > >> More majordomo info at http://vger.kernel.org/majordomo-info.html > >> > > -- > To unsubscribe from this list: send the line "unsubscribe linux-sctp" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html >