From: Kevin Dawson <hal@kd.net.au>
To: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Pavel Skripkin <paskripkin@gmail.com>,
ajk@comnets.uni-bremen.de, davem@davemloft.net, kuba@kernel.org,
linux-hams@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com
Subject: Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data
Date: Sat, 14 Aug 2021 10:23:56 +1000 [thread overview]
Message-ID: <20210814002345.GA19994@auricle.kd> (raw)
In-Reply-To: <20210813145834.GC1931@kadam>
On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
> On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
> > Syzbot reported slab-out-of bounds write in decode_data().
> > The problem was in missing validation checks.
> >
> > Syzbot's reproducer generated malicious input, which caused
> > decode_data() to be called a lot in sixpack_decode(). Since
> > rx_count_cooked is only 400 bytes and noone reported before,
> > that 400 bytes is not enough, let's just check if input is malicious
> > and complain about buffer overrun.
> >
> > ...
> >
> > diff --git a/drivers/net/hamradio/6pack.c b/drivers/net/hamradio/6pack.c
> > index fcf3af76b6d7..f4ffc2a80ab7 100644
> > --- a/drivers/net/hamradio/6pack.c
> > +++ b/drivers/net/hamradio/6pack.c
> > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
> > return;
> > }
> >
> > + if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
>
> It should be + 2 instead of + 3.
>
> We write three bytes. idx, idx + 1, idx + 2. Otherwise, good fix!
I would suggest that the statement be:
if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
or even, because it's a buffer overrun test:
if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
This is because if there are three bytes being written, that is the number that should be obvious in the test.
I haven't looked at the surrounding code and there may be some other consideration why the "+ 2 >=" rather than "+ 3 >" (and from the description of "idx, idx + 1, idx + 2", I suspect it's visual consistency), so if that is important, feel free to adjust as required.
Thanks,
Kevin
next prev parent reply other threads:[~2021-08-14 0:23 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-13 11:28 [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data Pavel Skripkin
2021-08-13 14:58 ` Dan Carpenter
2021-08-13 15:09 ` Pavel Skripkin
2021-08-13 15:14 ` [PATCH v2] " Pavel Skripkin
2021-08-13 21:09 ` Dan Carpenter
2021-08-13 21:32 ` Pavel Skripkin
2021-08-16 10:10 ` patchwork-bot+netdevbpf
2021-08-14 0:23 ` Kevin Dawson [this message]
2021-08-14 14:17 ` [PATCH] " Pavel Skripkin
2021-08-16 7:13 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210814002345.GA19994@auricle.kd \
--to=hal@kd.net.au \
--cc=ajk@comnets.uni-bremen.de \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=linux-hams@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=paskripkin@gmail.com \
--cc=syzbot+fc8cd9a673d4577fb2e4@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.