Re: [PATCH net v2] netfilter: Add protection for bmp length out of range

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Lena Wang (王娜)" <Lena.Wang@mediatek.com>
Cc: "fw@strlen.de" <fw@strlen.de>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"kadlec@netfilter.org" <kadlec@netfilter.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	"netfilter-devel@vger.kernel.org"
	<netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH net v2] netfilter: Add protection for bmp length out of range
Date: Sat, 2 Mar 2024 10:48:47 +0100	[thread overview]
Message-ID: <ZeL1_-Pdq6Kw0NIO@calendula> (raw)
In-Reply-To: <d2b63acc5cd76db46132eb6ebd106f159fc5132d.camel@mediatek.com>

On Fri, Mar 01, 2024 at 03:12:24PM +0000, Lena Wang (王娜) wrote:
> From: Lena Wang <lena.wang@mediatek.com>
> 
> UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
> that are out of bounds for their data type.
> 
> vmlinux   get_bitmap(b=75) + 712
> <net/netfilter/nf_conntrack_h323_asn1.c:0>
> vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
> level=134443100) + 1956
> <net/netfilter/nf_conntrack_h323_asn1.c:592>
> vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
> <net/netfilter/nf_conntrack_h323_asn1.c:576>
> vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux   DecodeRasMessage() + 304
> <net/netfilter/nf_conntrack_h323_asn1.c:833>
> vmlinux   ras_help() + 684
> <net/netfilter/nf_conntrack_h323_main.c:1728>
> vmlinux   nf_confirm() + 188
> <net/netfilter/nf_conntrack_proto.c:137>
> 
> Due to abnormal data in skb->data, the extension bitmap length
> exceeds 32 when decoding ras message. Then get_bitmap uses the
> length to make a shift operation. It will change into negative
> after several loop.
> 
> UBSAN load can detect a negative shift as an undefined behaviour
> and reports an exception.
> 
> So we should add the protection to avoid the length exceeding 32.
> If it exceeds it will return out of range error and stop decoding
> ras message.
> 
> Signed-off-by: Lena Wang <lena.wang@mediatek.com>
> ---
> v2:
>   - add length protecton for another get_bitmap call.
>   - update commit message to trim stacktrace.
> ---
> ---
>  net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index e697a824b001..540d97715bd2 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const
> struct field_t *f,
>  	/* Get fields bitmap */
>  	if (nf_h323_error_boundary(bs, 0, f->sz))
>  		return H323_ERROR_BOUND;
> +	if (f->sz > 32)
> +		return H323_ERROR_RANGE;

Could you possibly place this in get_bitmap()? IIRC these are the only
two calls to this function.

Thanks.

>  	bmp = get_bitmap(bs, f->sz);
>  	if (base)
>  		*(unsigned int *)base = bmp;
> @@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const
> struct field_t *f,
>  	bmp2_len = get_bits(bs, 7) + 1;
>  	if (nf_h323_error_boundary(bs, 0, bmp2_len))
>  		return H323_ERROR_BOUND;
> +	if (bmp2_len > 32)
> +		return H323_ERROR_RANGE;
>  	bmp2 = get_bitmap(bs, bmp2_len);
>  	bmp |= bmp2 >> f->sz;
>  	if (base)
> -- 
> 2.18.0

next prev parent reply	other threads:[~2024-03-02  9:49 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-03-01 15:12 [PATCH net v2] netfilter: Add protection for bmp length out of range Lena Wang (王娜)
2024-03-01 15:29 ` Jiri Pirko
2024-03-02  9:48 ` Pablo Neira Ayuso [this message]
2024-03-02 11:52   ` Florian Westphal
2024-03-04 12:41     ` Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZeL1_-Pdq6Kw0NIO@calendula \
    --to=pablo@netfilter.org \
    --cc=Lena.Wang@mediatek.com \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@netfilter.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.