diff mbox series

[net] pktgen: Avoid out-of-range in get_imix_entries

Message ID 20241006221221.3744995-1-artem.chernyshev@red-soft.ru (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [net] pktgen: Avoid out-of-range in get_imix_entries | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 6 this patch: 6
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: Ilia.Gavrilov@infotecs.ru
netdev/build_clang success Errors and warnings before: 6 this patch: 6
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 5 this patch: 5
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-10-08--00-00 (tests: 773)

Commit Message

Artem Chernyshev Oct. 6, 2024, 10:12 p.m. UTC 
In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
leads to oob for pkt_dev->imix_entries array.
```
UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl lib/dump_stack.c:117
__ubsan_handle_out_of_bounds lib/ubsan.c:429
get_imix_entries net/core/pktgen.c:874
pktgen_if_write net/core/pktgen.c:1063
pde_write fs/proc/inode.c:334
proc_reg_write fs/proc/inode.c:346
vfs_write fs/read_write.c:593
ksys_write fs/read_write.c:644
do_syscall_64 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130
RIP: 0033:0x7f148408b240
```

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 52a62f8603f9 ("pktgen: Parse internet mix (imix) input")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 net/core/pktgen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Jakub Kicinski Oct. 9, 2024, 1:23 a.m. UTC | #1 
On Mon,  7 Oct 2024 01:12:20 +0300 Artem Chernyshev wrote:
> In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
> leads to oob for pkt_dev->imix_entries array.

I don't think so, at least not exactly. It's legal to fill the array
completely. It's not legal to try to _add_ to an already full array.

AFAICT the fix needs more work.
Artem Chernyshev Oct. 11, 2024, 9:20 a.m. UTC | #2 
Thank you for the review. I will return with V2

Best regards,
Artem

On Tue, Oct 08, 2024 at 06:23:19PM -0700, Jakub Kicinski wrote:
> On Mon,  7 Oct 2024 01:12:20 +0300 Artem Chernyshev wrote:
> > In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
> > leads to oob for pkt_dev->imix_entries array.
> 
> I don't think so, at least not exactly. It's legal to fill the array
> completely. It's not legal to try to _add_ to an already full array.
> 
> AFAICT the fix needs more work.
> -- 
> pw-bot: cr
diff mbox series

Patch

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 34f68ef74b8f..97cf5c797a22 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -881,7 +881,7 @@  static ssize_t get_imix_entries(const char __user *buffer,
 		i++;
 		pkt_dev->n_imix_entries++;
 
-		if (pkt_dev->n_imix_entries > MAX_IMIX_ENTRIES)
+		if (pkt_dev->n_imix_entries >= MAX_IMIX_ENTRIES)
 			return -E2BIG;
 	} while (c == ' ');