From: Dan Carpenter <dan.carpenter@oracle.com>
To: "David S. Miller" <davem@davemloft.net>,
Bjorn Andersson <bjorn.andersson@linaro.org>,
Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Cc: Jakub Kicinski <kuba@kernel.org>,
Wang Wenhu <wenhu.wang@vivo.com>, Wen Gong <wgong@codeaurora.org>,
Carl Huang <cjhuang@codeaurora.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: [PATCH net] net: qrtr: Fix an out of bounds read qrtr_endpoint_post()
Date: Tue, 30 Jun 2020 14:46:15 +0300 [thread overview]
Message-ID: <20200630114615.GA21891@mwanda> (raw)
In-Reply-To: <20200628104623.GA3357@Mani-XPS-13-9360>
This code assumes that the user passed in enough data for a
qrtr_hdr_v1 or qrtr_hdr_v2 struct, but it's not necessarily true. If
the buffer is too small then it will read beyond the end.
Reported-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reported-by: syzbot+b8fe393f999a291a9ea6@syzkaller.appspotmail.com
Fixes: 194ccc88297a ("net: qrtr: Support decoding incoming v2 packets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
net/qrtr/qrtr.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index 2d8d6131bc5f..7eccbbf6f8ad 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -427,7 +427,7 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
unsigned int ver;
size_t hdrlen;
- if (len & 3)
+ if (len == 0 || len & 3)
return -EINVAL;
skb = netdev_alloc_skb(NULL, len);
@@ -441,6 +441,8 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
switch (ver) {
case QRTR_PROTO_VER_1:
+ if (len < sizeof(*v1))
+ goto err;
v1 = data;
hdrlen = sizeof(*v1);
@@ -454,6 +456,8 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len)
size = le32_to_cpu(v1->size);
break;
case QRTR_PROTO_VER_2:
+ if (len < sizeof(*v2))
+ goto err;
v2 = data;
hdrlen = sizeof(*v2) + v2->optlen;
--
2.27.0
next prev parent reply other threads:[~2020-06-30 11:48 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-27 8:50 KASAN: slab-out-of-bounds Read in qrtr_endpoint_post syzbot
2020-06-27 20:57 ` syzbot
2020-06-28 10:46 ` Manivannan Sadhasivam
2020-06-30 11:46 ` Dan Carpenter [this message]
2020-07-01 1:36 ` [PATCH net] net: qrtr: Fix an out of bounds read qrtr_endpoint_post() David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200630114615.GA21891@mwanda \
--to=dan.carpenter@oracle.com \
--cc=bjorn.andersson@linaro.org \
--cc=cjhuang@codeaurora.org \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=manivannan.sadhasivam@linaro.org \
--cc=netdev@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
--cc=wenhu.wang@vivo.com \
--cc=wgong@codeaurora.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.