From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Lena Wang <lena.wang@mediatek.com>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 11/41] netfilter: nf_conntrack_h323: Add protection for bmp length out of range
Date: Wed, 13 Mar 2024 13:04:05 -0400
Message-ID: <20240313170435.616724-12-sashal@kernel.org>
In-Reply-To: <20240313170435.616724-1-sashal@kernel.org>
From: Lena Wang <lena.wang@mediatek.com>
[ Upstream commit 767146637efc528b5e3d31297df115e85a2fd362 ]
UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE: Bitwise shifts
that are out of bounds for their data type.

vmlinux get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding a RAS message, and that length is then used in
a shift operation. It will change into negative after several loops.
UBSAN load could detect a negative shift as undefined behaviour
and report an exception.

So we add the protection to avoid the length exceeding 32. Otherwise
it will return an out-of-range error and stop decoding.

Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Signed-off-by: Lena Wang <lena.wang@mediatek.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c
index 4c2ef42e189cb..82dae553a5fc7 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -536,6 +536,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
/* Get fields bitmap */
if (nf_h323_error_boundary(bs, 0, f->sz))
return H323_ERROR_BOUND;
+ if (f->sz > 32)
+ return H323_ERROR_RANGE;
bmp = get_bitmap(bs, f->sz);
if (base)
*(unsigned int *)base = bmp;
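Review bot: the new `f->sz > 32` check depends only on the field descriptor, not on the bitstream, so it could sit before the nf_h323_error_boundary() call rather than after it; more importantly the literal 32 has no comment tying it to the width of the `unsigned int` that is stored two lines later through `*(unsigned int *)base = bmp;`, so a reader has to know that get_bitmap() fills a 32-bit word to see why 32 is the bound. Consider a one-line comment or an expression such as `8 * sizeof(bmp)` so the limit and the storage width cannot drift apart.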
@@ -592,6 +594,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
bmp2_len = get_bits(bs, 7) + 1;
if (nf_h323_error_boundary(bs, 0, bmp2_len))
return H323_ERROR_BOUND;
+ if (bmp2_len > 32)
+ return H323_ERROR_RANGE;
bmp2 = get_bitmap(bs, bmp2_len);
bmp |= bmp2 >> f->sz;
if (base)
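Review bot: `bmp2_len > 32` correctly rejects the wire-controlled extension length (get_bits(bs, 7) + 1 ranges 1..128) before get_bitmap() runs, but the line after it, `bmp |= bmp2 >> f->sz;`, right-shifts a 32-bit value by `f->sz`, and the first hunk's `f->sz > 32` check still admits f->sz == 32, for which a shift by the full operand width is undefined in C. Either reject f->sz == 32 on this extension path as well, or add a comment stating why the field descriptors can never reach that value, so the two bounds are visibly consistent.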
--
2.43.0
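The decode path the commit message describes, as an added example that is not part of the patch or of the kernel: a minimal model of the PER sequence-bitmap decode in decode_seq(), with a simplified bit reader, a get_bitmap() that is only valid for widths up to the 32-bit word it fills, and the two length guards from the patch placed where the hunks put them. The struct and function names mirror the kernel's but every body is written for this example; the extra `sz >= 32` guard in decode_ext_bitmap() and the sample byte strings are assumptions constructed here, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not kernel code: a minimal model of the PER bitmap decode in
 * decode_seq(). Names mirror the kernel's; bodies are written for this example. */
enum { H323_OK = 0, H323_ERROR_BOUND = -1, H323_ERROR_RANGE = -2 };

struct bitstr {
	const unsigned char *cur;	/* next byte to read */
	const unsigned char *end;	/* one past the last byte */
	unsigned int bit;		/* bit offset inside *cur, 0..7, MSB first */
};

/* Stand-in for nf_h323_error_boundary(): true if `bits` more bits are not there. */
static bool error_boundary(const struct bitstr *bs, unsigned int bits)
{
	if (bs->cur > bs->end)
		return true;
	size_t avail = (size_t)(bs->end - bs->cur) * 8;
	return avail < (size_t)bs->bit + bits;
}

/* Read n (<= 32) bits, MSB first. */
static unsigned int get_bits(struct bitstr *bs, unsigned int n)
{
	unsigned int v = 0;

	while (n--) {
		v = (v << 1) | ((*bs->cur >> (7 - bs->bit)) & 1u);
		if (++bs->bit == 8) {
			bs->bit = 0;
			bs->cur++;
		}
	}
	return v;
}

/* Read an n-bit presence bitmap left-aligned in a 32-bit word, the layout
 * decode_seq() stores through *(unsigned int *)base. Only valid for n <= 32:
 * for larger n the unsigned shift count 32 - n wraps to a huge value, and a
 * shift by the operand width or more is undefined behaviour, which is the
 * class of bug UBSAN reported in get_bitmap(). The guards below keep n <= 32. */
static unsigned int get_bitmap(struct bitstr *bs, unsigned int n)
{
	return n ? get_bits(bs, n) << (32 - n) : 0;
}

/* Extension-addition bitmap: a 7-bit "length - 1" from the wire, then that many
 * presence bits, merged into the sequence bitmap below the sz root-field bits. */
static int decode_ext_bitmap(struct bitstr *bs, unsigned int sz, unsigned int *bmp)
{
	unsigned int len;

	if (error_boundary(bs, 7))
		return H323_ERROR_BOUND;
	len = get_bits(bs, 7) + 1;	/* attacker-controlled, 1..128 */
	if (error_boundary(bs, len))
		return H323_ERROR_BOUND;
	if (len > 32)			/* the patch's second guard */
		return H323_ERROR_RANGE;
	if (sz >= 32)			/* assumption added here: keeps the >> below defined */
		return H323_ERROR_RANGE;
	*bmp |= get_bitmap(bs, len) >> sz;
	return H323_OK;
}

/* Decode the root bitmap (sz bits, sz coming from the field descriptor) and then
 * the extension bitmap, as decode_seq() does. Returns H323_OK or an error code. */
int decode_seq_bitmaps(const unsigned char *buf, size_t buflen, unsigned int sz,
		       unsigned int *bmp)
{
	struct bitstr bs = { buf, buf + buflen, 0 };

	if (error_boundary(&bs, sz))
		return H323_ERROR_BOUND;
	if (sz > 32)			/* the patch's first guard */
		return H323_ERROR_RANGE;
	*bmp = get_bitmap(&bs, sz);
	return decode_ext_bitmap(&bs, sz, bmp);
}

/* Constructed inputs (not captured traffic); each starts with a 3-bit root bitmap 101. */
static const unsigned char sample_ok[] = { 0xA0, 0xB0 };	/* len-1 = 2, ext bits 110 */
static const unsigned char sample_big[20] = { 0xBF, 0xC0 };	/* len-1 = 127: 128-bit ext bitmap */
static const unsigned char sample_cut[] = { 0xA7, 0xC0 };	/* len-1 = 31: 32 bits claimed, 6 present */

int example_ok_rc(void)
{
	unsigned int bmp = 0;
	return decode_seq_bitmaps(sample_ok, sizeof sample_ok, 3, &bmp);
}

unsigned int example_ok_bitmap(void)
{
	unsigned int bmp = 0;
	decode_seq_bitmaps(sample_ok, sizeof sample_ok, 3, &bmp);
	return bmp;	/* 0xB8000000: root 101 in bits 31..29, ext 110 in bits 28..26 */
}

int example_big_rc(void)	/* H323_ERROR_RANGE: rejected before get_bitmap() is reached */
{
	unsigned int bmp = 0;
	return decode_seq_bitmaps(sample_big, sizeof sample_big, 3, &bmp);
}

int example_cut_rc(void)	/* H323_ERROR_BOUND: a length of 32 is allowed, but the bits are missing */
{
	unsigned int bmp = 0;
	return decode_seq_bitmaps(sample_cut, sizeof sample_cut, 3, &bmp);
}
```

The two guards are placed after the boundary checks, as in the patch, so a truncated packet is still reported as H323_ERROR_BOUND rather than H323_ERROR_RANGE; the third sample shows that a claimed length of exactly 32 passes the range check and is only stopped by the boundary check. The `sz >= 32` guard goes beyond the patch: it exists because the merge step shifts a 32-bit value right by the root bitmap width, and a shift by 32 would be undefined even though every length check passed.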
Thread overview:
2024-03-13 17:03 [PATCH 4.19 00/41] 4.19.310-rc1 review Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 01/41] net: usb: lan78xx: Remove lots of set but unused 'ret' variables Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 02/41] lan78xx: Fix white space and style issues Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 03/41] lan78xx: Add missing return code checks Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 04/41] lan78xx: Fix partial packet errors on suspend/resume Sasha Levin
2024-03-13 17:03 ` [PATCH 4.19 05/41] lan78xx: Fix race conditions in suspend/resume handling Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 06/41] net: lan78xx: fix runtime PM count underflow on link stop Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 07/41] net: move definition of pcpu_lstats to header file Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 08/41] geneve: make sure to pull inner header in geneve_rx() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 09/41] net/ipv6: avoid possible UAF in ip6_route_mpath_notify() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 10/41] net/rds: fix WARNING in rds_conn_connect_if_down Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 11/41] netfilter: nf_conntrack_h323: Add protection for bmp length out of range Sasha Levin (this message)
2024-03-13 17:04 ` [PATCH 4.19 12/41] netrom: Fix a data-race around sysctl_netrom_default_path_quality Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 13/41] netrom: Fix a data-race around sysctl_netrom_obsolescence_count_initialiser Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 14/41] netrom: Fix data-races around sysctl_netrom_network_ttl_initialiser Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 15/41] netrom: Fix a data-race around sysctl_netrom_transport_timeout Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 16/41] netrom: Fix a data-race around sysctl_netrom_transport_maximum_tries Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 17/41] netrom: Fix a data-race around sysctl_netrom_transport_acknowledge_delay Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 18/41] netrom: Fix a data-race around sysctl_netrom_transport_busy_delay Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 19/41] netrom: Fix a data-race around sysctl_netrom_transport_requested_window_size Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 20/41] netrom: Fix a data-race around sysctl_netrom_transport_no_activity_timeout Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 21/41] netrom: Fix a data-race around sysctl_netrom_routing_control Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 22/41] netrom: Fix a data-race around sysctl_netrom_link_fails_count Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 23/41] netrom: Fix data-races around sysctl_net_busy_read Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 24/41] btrfs: ref-verify: free ref cache before clearing mount opt Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 25/41] tools/selftest/vm: allow choosing mem size and page size in map_hugetlb Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 26/41] selftests: mm: fix map_hugetlb failure on 64K page size systems Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 27/41] um: allow not setting extra rpaths in the linux binary Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 28/41] Input: i8042 - fix strange behavior of touchpad on Clevo NS70PU Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 29/41] hv_netvsc: Make netvsc/VF binding check both MAC and serial number Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 30/41] hv_netvsc: use netif_is_bond_master() instead of open code Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 31/41] hv_netvsc: Register VF in netvsc_probe if NET_DEVICE_REGISTER missed Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 32/41] y2038: rusage: use __kernel_old_timeval Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 33/41] getrusage: add the "signal_struct *sig" local variable Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 34/41] getrusage: move thread_group_cputime_adjusted() outside of lock_task_sighand() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 35/41] getrusage: use __for_each_thread() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 36/41] getrusage: use sig->stats_lock rather than lock_task_sighand() Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 37/41] exit: Fix typo in comment: s/sub-theads/sub-threads Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 38/41] exit: wait_task_zombie: kill the no longer necessary spin_lock_irq(siglock) Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 39/41] selftests/vm: fix display of page size in map_hugetlb Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 40/41] selftests/vm: fix map_hugetlb length used for testing read and write Sasha Levin
2024-03-13 17:04 ` [PATCH 4.19 41/41] Linux 4.19.310-rc1 Sasha Levin
2024-03-13 20:06 ` [PATCH 4.19 00/41] 4.19.310-rc1 review Pavel Machek
2024-03-15 8:21 ` Naresh Kamboju
2024-03-16 20:57 ` Guenter Roeck
2024-03-19 14:24 ` Guenter Roeck
2024-03-30 9:19 ` Greg KH
2024-04-11 9:12 ` Greg KH
2024-04-29 21:44 ` [PATCH 4.19] Revert "y2038: rusage: use __kernel_old_timeval" Ben Hutchings