public inbox for stable@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lena Wang <lena.wang@mediatek.com>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.6 36/60] netfilter: nf_conntrack_h323: Add protection for bmp length out of range
Date: Wed, 13 Mar 2024 12:36:43 -0400	[thread overview]
Message-ID: <20240313163707.615000-37-sashal@kernel.org> (raw)
In-Reply-To: <20240313163707.615000-1-sashal@kernel.org>

From: Lena Wang <lena.wang@mediatek.com>

[ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ]

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux   get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux   ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux   nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding a RAS message, and the length is then used
in a shift operation. It turns negative after several loop iterations.
UBSAN load could detect a negative shift as undefined behaviour
and report an exception.
So we add the protection to avoid the length exceeding 32; otherwise
it will return an out-of-range error and stop decoding.

Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Signed-off-by: Lena Wang <lena.wang@mediatek.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index e697a824b0018..540d97715bd23 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
 	/* Get fields bitmap */
 	if (nf_h323_error_boundary(bs, 0, f->sz))
 		return H323_ERROR_BOUND;
+	if (f->sz > 32)
+		return H323_ERROR_RANGE;
 	bmp = get_bitmap(bs, f->sz);
 	if (base)
 		*(unsigned int *)base = bmp;
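Review bot: `f->sz` in this hunk comes from the descriptor passed in as `const struct field_t *f`, not from the packet, so the new `> 32` check guards against a bad descriptor rather than the packet-driven path in the UBSAN trace (the `decode_seq` frame at nf_conntrack_h323_asn1.c:592 falls in the region of the second hunk). That is fine as hardening, but the magic number deserves a one-line comment at the check: the bitmap is stored into an `unsigned int` (`*(unsigned int *)base = bmp;`), so anything wider cannot be represented and `get_bitmap()` would shift by a count outside 0..31. Without that comment a later reader may "fix" the limit or fold the check into `nf_h323_error_boundary()`, which tests something different (bits remaining in the buffer, not the width of the result).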
@@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
 	bmp2_len = get_bits(bs, 7) + 1;
 	if (nf_h323_error_boundary(bs, 0, bmp2_len))
 		return H323_ERROR_BOUND;
+	if (bmp2_len > 32)
+		return H323_ERROR_RANGE;
 	bmp2 = get_bitmap(bs, bmp2_len);
 	bmp |= bmp2 >> f->sz;
 	if (base)
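Review bot: the check leaves a length of exactly 32 legal for `get_bitmap()`, but the next line, `bmp |= bmp2 >> f->sz;`, shifts a 32-bit value by `f->sz`, and a count of 32 is undefined there as well; since the first hunk only rejects `f->sz > 32`, either the descriptor tables must be known never to carry sz == 32 or this line needs `f->sz < 32` (or the first hunk's test should be `>= 32`) for the fix to be exhaustive. Also, `bmp2_len` is the attacker-controlled value (`get_bits(bs, 7) + 1`, so 1..128), and the effect of the new test is that a message whose extension bitmap is wider than 32 bits is now rejected with `H323_ERROR_RANGE` instead of being mis-decoded; a short comment saying that the 32 comes from the `unsigned int` holding `bmp` would make the behaviour change explicit, and placing the cheap range test before the `nf_h323_error_boundary()` call would also avoid checking buffer bounds for a length that will be rejected anyway.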
-- 
2.43.0
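
The failure the commit message describes, a packet-supplied extension-bitmap length above 32 driving the shift count in the bitmap reader out of range, as an added example in C that is not code from the kernel or from this patch. It models a minimal MSB-first bit-stream reader and applies the two checks in the same order as the hunk (boundary first, then the new range check). The struct and function names, the error codes and the three input buffers are this example's own constructions; the bit layout it assumes (a 7-bit length minus one, then that many presence bits) matches what the hunk reads with `get_bits(bs, 7) + 1`.

```c
/*
 * Added example, not code from the kernel or this patch: a minimal model of
 * decoding a PER-style extension bitmap (7-bit length minus one, then that
 * many presence bits packed into a 32-bit word) with the length guard the
 * patch introduces. All names below are this example's own.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
	EX_OK          =  0,
	EX_ERROR_BOUND = -1,	/* fewer bits left in the buffer than needed */
	EX_ERROR_RANGE = -2,	/* bitmap wider than the 32-bit word holding it */
};

struct bitstream {
	const uint8_t *cur;	/* byte currently being read */
	const uint8_t *end;	/* one past the last byte */
	unsigned int bit;	/* bit offset inside *cur, 0..7, MSB first */
};

/* Number of unread bits in the stream. */
static size_t bits_left(const struct bitstream *bs)
{
	return (size_t)(bs->end - bs->cur) * 8 - bs->bit;
}

/* Read one bit, most significant bit of each byte first.
 * The caller has already checked bits_left(). */
static unsigned int get_bit(struct bitstream *bs)
{
	unsigned int v = (*bs->cur >> (7 - bs->bit)) & 1;

	if (++bs->bit == 8) {
		bs->bit = 0;
		bs->cur++;
	}
	return v;
}

/* Read b bits (0 <= b <= 32) as a right-aligned unsigned value. */
static unsigned int get_bits(struct bitstream *bs, unsigned int b)
{
	unsigned int v = 0;

	while (b--)
		v = (v << 1) | get_bit(bs);
	return v;
}

/* Read a b-bit bitmap left-aligned in a 32-bit word, so the first presence
 * bit lands in bit 31. Valid only for 0 <= b <= 32: with b > 32 the shift
 * count 32 - b leaves the range 0..31, which is the undefined behaviour the
 * commit message reports UBSAN catching. */
static unsigned int get_bitmap(struct bitstream *bs, unsigned int b)
{
	if (b == 0)
		return 0;
	return get_bits(bs, b) << (32 - b);
}

/* Decode the extension bitmap of a SEQUENCE: a 7-bit (length - 1), giving
 * 1..128 bits, followed by that many presence bits. The checks run in the
 * same order as the patch: boundary first, then the new range check. */
int decode_ext_bitmap(struct bitstream *bs, unsigned int *bmp)
{
	unsigned int len;

	if (bits_left(bs) < 7)
		return EX_ERROR_BOUND;
	len = get_bits(bs, 7) + 1;		/* packet-controlled, 1..128 */
	if (bits_left(bs) < len)
		return EX_ERROR_BOUND;
	if (len > 32)				/* the guard added by the patch */
		return EX_ERROR_RANGE;
	*bmp = get_bitmap(bs, len);
	return EX_OK;
}

/* Convenience wrapper over a byte buffer. */
int decode_ext_bitmap_buf(const uint8_t *buf, size_t n, unsigned int *bmp)
{
	struct bitstream bs = { buf, buf + n, 0 };

	return decode_ext_bitmap(&bs, bmp);
}

int main(void)
{
	/* Constructed inputs: 7-bit (length - 1), then presence bits, MSB first. */
	static const uint8_t ok[]    = { 0x05, 0x40 };			/* len 3, bits 101 */
	static const uint8_t wide[]  = { 0x4F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; /* len 40 */
	static const uint8_t trunc[] = { 0x4F, 0xFF };			/* len 40, 9 bits left */
	unsigned int bmp = 0;

	printf("ok:    %d bmp=%#x\n", decode_ext_bitmap_buf(ok, sizeof ok, &bmp), bmp);
	printf("wide:  %d\n", decode_ext_bitmap_buf(wide, sizeof wide, &bmp));
	printf("trunc: %d\n", decode_ext_bitmap_buf(trunc, sizeof trunc, &bmp));
	return 0;
}
```

Any C99 compiler builds this stand-alone. The constructed `wide` input (length field 39, so a 40-bit bitmap) is the shape of message that previously reached the bitmap reader with a width above 32 and now stops at the range check, while `trunc` shows that the boundary check still fires first when the buffer is too short for the advertised length.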


Thread overview: 72+ messages
2024-03-13 16:36 [PATCH 6.6 00/60] 6.6.22-rc1 review Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 01/60] dt-bindings: dma: fsl-edma: Add fsl-edma.h to prevent hardcoding in dts Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 02/60] dmaengine: fsl-edma: utilize common dt-binding header file Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 03/60] dmaengine: fsl-edma: correct max_segment_size setting Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 04/60] ceph: switch to corrected encoding of max_xattr_size in mdsmap Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 05/60] mm: migrate: remove PageTransHuge check in numamigrate_isolate_page() Sasha Levin
2024-03-13 17:29   ` Hugh Dickins
2024-03-13 16:36 ` [PATCH 6.6 06/60] mm: migrate: remove THP mapcount " Sasha Levin
2024-03-13 17:31   ` Hugh Dickins
2024-03-13 16:36 ` [PATCH 6.6 07/60] mm: migrate: convert numamigrate_isolate_page() to numamigrate_isolate_folio() Sasha Levin
2024-03-13 17:32   ` Hugh Dickins
2024-03-13 18:32     ` Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 08/60] mm/vmscan: fix a bug calling wakeup_kswapd() with a wrong zone index Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 09/60] xfrm: Pass UDP encapsulation in TX packet offload Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 10/60] net: lan78xx: fix runtime PM count underflow on link stop Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 11/60] ixgbe: {dis, en}able irqs in ixgbe_txrx_ring_{dis, en}able Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 12/60] i40e: disable NAPI right after disabling irqs when handling xsk_pool Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 13/60] ice: reorder disabling IRQ and NAPI in ice_qp_dis Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 14/60] Revert "net/mlx5: Block entering switchdev mode with ns inconsistency" Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 15/60] Revert "net/mlx5e: Check the number of elements before walk TC rhashtable" Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 16/60] net/mlx5: E-switch, Change flow rule destination checking Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 17/60] net/mlx5: Check capability for fw_reset Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 18/60] net/mlx5e: Change the warning when ignore_flow_level is not supported Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 19/60] net/mlx5e: Fix MACsec state loss upon state update in offload path Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 20/60] net/mlx5e: Use a memory barrier to enforce PTP WQ xmit submission tracking occurs after populating the metadata_map Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 21/60] net/mlx5e: Switch to using _bh variant of of spinlock API in port timestamping NAPI poll context Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 22/60] tracing/net_sched: Fix tracepoints that save qdisc_dev() as a string Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 23/60] geneve: make sure to pull inner header in geneve_rx() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 24/60] net: sparx5: Fix use after free inside sparx5_del_mact_entry Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 25/60] ice: virtchnl: stop pretending to support RSS over AQ or registers Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 26/60] net: ice: Fix potential NULL pointer dereference in ice_bridge_setlink() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 27/60] igc: avoid returning frame twice in XDP_REDIRECT Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 28/60] net/ipv6: avoid possible UAF in ip6_route_mpath_notify() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 29/60] bpf: check bpf_func_state->callback_depth when pruning states Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 30/60] xdp, bonding: Fix feature flags when there are no slave devs anymore Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 31/60] selftests/bpf: Fix up xdp bonding test wrt feature flags Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 32/60] cpumap: Zero-initialise xdp_rxq_info struct before running XDP program Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 33/60] net: dsa: microchip: fix register write order in ksz8_ind_write8() Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 34/60] net/rds: fix WARNING in rds_conn_connect_if_down Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 35/60] netfilter: nft_ct: fix l3num expectations with inet pseudo family Sasha Levin
2024-03-13 16:36 ` Sasha Levin [this message]
2024-03-13 16:36 ` [PATCH 6.6 37/60] erofs: apply proper VMA alignment for memory mapped files on THP Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 38/60] netrom: Fix a data-race around sysctl_netrom_default_path_quality Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 39/60] netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 40/60] netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 41/60] netrom: Fix a data-race around sysctl_netrom_transport_timeout Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 42/60] netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 43/60] netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 44/60] netrom: Fix a data-race around sysctl_netrom_transport_busy_delay Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 45/60] netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 46/60] netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 47/60] netrom: Fix a data-race around sysctl_netrom_routing_control Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 48/60] netrom: Fix a data-race around sysctl_netrom_link_fails_count Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 49/60] netrom: Fix data-races around sysctl_net_busy_read Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 50/60] net: pds_core: Fix possible double free in error handling path Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 51/60] KVM: s390: add stat counter for shadow gmap events Sasha Levin
2024-03-13 16:36 ` [PATCH 6.6 52/60] KVM: s390: vsie: fix race during shadow creation Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 53/60] readahead: avoid multiple marked readahead pages Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 54/60] selftests: mptcp: decrease BW in simult flows Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 55/60] exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 56/60] x86/mmio: Disable KVM mitigation when X86_FEATURE_CLEAR_CPU_BUF is set Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 57/60] Documentation/hw-vuln: Add documentation for RFDS Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 58/60] x86/rfds: Mitigate Register File Data Sampling (RFDS) Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 59/60] KVM/x86: Export RFDS_NO and RFDS_CLEAR to guests Sasha Levin
2024-03-13 16:37 ` [PATCH 6.6 60/60] Linux 6.6.22-rc1 Sasha Levin
2024-03-14  8:02 ` [PATCH 6.6 00/60] 6.6.22-rc1 review Bagas Sanjaya
2024-03-14 10:08 ` Naresh Kamboju
2024-03-14 11:56 ` Takeshi Ogasawara
2024-03-14 20:55 ` Florian Fainelli
2024-03-15 15:44 ` Mark Brown
2024-03-15 16:01 ` Ron Economos
2024-03-15 17:36 ` Harshit Mogalapalli
