| Message ID | 1705715319-19199-1-git-send-email-sharath.srinivasan@oracle.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Headers | show |
| Series | net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv | expand |
On Fri, Jan 19, 2024 at 05:48:39PM -0800, Sharath Srinivasan wrote: > Syzcaller UBSAN crash occurs in rds_cmsg_recv(), > which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1), > but with array size of 4 (RDS_RX_MAX_TRACES). > Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from > trace.rx_trace_pos[i] in rds_recv_track_latency(), > with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the > off-by-one bounds check in rds_recv_track_latency() to prevent > a potential crash in rds_cmsg_recv(). > > Found by syzcaller: > ================================================================= > UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39 > index 4 is out of range for type 'u64 [4]' > CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), > BIOS 1.15.0-1 04/01/2014 > Call Trace: > <TASK> > __dump_stack lib/dump_stack.c:88 [inline] > dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 > ubsan_epilogue lib/ubsan.c:217 [inline] > __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348 > rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 > rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 > sock_recvmsg_nosec net/socket.c:1044 [inline] > sock_recvmsg+0xe2/0x160 net/socket.c:1066 > __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 > __do_sys_recvfrom net/socket.c:2264 [inline] > __se_sys_recvfrom net/socket.c:2260 [inline] > __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260 > do_syscall_x64 arch/x86/entry/common.c:51 [inline] > do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 > entry_SYSCALL_64_after_hwframe+0x63/0x6b > ================================================================== > > Fixes: 3289025aedc0 ("RDS: add receive message trace used by application") > Reported-by: Chenyuan Yang <chenyuan0y@gmail.com> > Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/ > Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com> Thanks, looking over the code in question I agree with your analysis, that the problem was introduced in the cited commit, and that this is an appropriate fix. Reviewed-by: Simon Horman <horms@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Fri, 19 Jan 2024 17:48:39 -0800 you wrote: > Syzcaller UBSAN crash occurs in rds_cmsg_recv(), > which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1), > but with array size of 4 (RDS_RX_MAX_TRACES). > Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from > trace.rx_trace_pos[i] in rds_recv_track_latency(), > with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the > off-by-one bounds check in rds_recv_track_latency() to prevent > a potential crash in rds_cmsg_recv(). > > [...] Here is the summary with links: - net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv https://git.kernel.org/netdev/net/c/13e788deb734 You are awesome, thank you!
diff --git a/net/rds/af_rds.c b/net/rds/af_rds.c index 01c4cdfef45d..8435a20968ef 100644 --- a/net/rds/af_rds.c +++ b/net/rds/af_rds.c @@ -419,7 +419,7 @@ static int rds_recv_track_latency(struct rds_sock *rs, sockptr_t optval, rs->rs_rx_traces = trace.rx_traces; for (i = 0; i < rs->rs_rx_traces; i++) { - if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) { + if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) { rs->rs_rx_traces = 0; return -EFAULT; }
Syzcaller UBSAN crash occurs in rds_cmsg_recv(), which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1), but with array size of 4 (RDS_RX_MAX_TRACES). Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from trace.rx_trace_pos[i] in rds_recv_track_latency(), with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the off-by-one bounds check in rds_recv_track_latency() to prevent a potential crash in rds_cmsg_recv(). Found by syzcaller: ================================================================= UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39 index 4 is out of range for type 'u64 [4]' CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716 sock_recvmsg_nosec net/socket.c:1044 [inline] sock_recvmsg+0xe2/0x160 net/socket.c:1066 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246 __do_sys_recvfrom net/socket.c:2264 [inline] __se_sys_recvfrom net/socket.c:2260 [inline] __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82 entry_SYSCALL_64_after_hwframe+0x63/0x6b ================================================================== Fixes: 3289025aedc0 ("RDS: add receive message trace used by application") Reported-by: Chenyuan Yang <chenyuan0y@gmail.com> Closes: https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/ Signed-off-by: Sharath Srinivasan <sharath.srinivasan@oracle.com> --- net/rds/af_rds.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)