diff mbox series

[net,v2] sctp: fix a potential buffer overflow in sctp_sched_set_sched()

Message ID 20230502130316.2680585-1-Ilia.Gavrilov@infotecs.ru (mailing list archive)
State Changes Requested
Delegated to: Netdev Maintainers
Headers show
Series [net,v2] sctp: fix a potential buffer overflow in sctp_sched_set_sched() | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/cc_maintainers success CCed 9 of 9 maintainers
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch warning WARNING: From:/Signed-off-by: email name mismatch: 'From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>' != 'Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>'
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Gavrilov Ilia May 2, 2023, 1:03 p.m. UTC
The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.

Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
V2:
 - Change the order of local variables 
 - Specify the target tree in the subject
 net/sctp/stream_sched.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

Xin Long May 2, 2023, 2:23 p.m. UTC | #1
On Tue, May 2, 2023 at 9:03 AM Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> wrote:
>
> The 'sched' index value must be checked before accessing an element
> of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.
>
> Note that it's harmless since the 'sched' parameter is checked before
> calling 'sctp_sched_set_sched'.
>
> Found by InfoTeCS on behalf of Linux Verification Center
> (linuxtesting.org) with SVACE.
>
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Reviewed-by: Simon Horman <simon.horman@corigine.com>
> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
> ---
> V2:
>  - Change the order of local variables
>  - Specify the target tree in the subject
>  net/sctp/stream_sched.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
> index 330067002deb..4d076a9b8592 100644
> --- a/net/sctp/stream_sched.c
> +++ b/net/sctp/stream_sched.c
> @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
>  int sctp_sched_set_sched(struct sctp_association *asoc,
>                          enum sctp_sched_type sched)
>  {
> -       struct sctp_sched_ops *n = sctp_sched_ops[sched];
>         struct sctp_sched_ops *old = asoc->outqueue.sched;
>         struct sctp_datamsg *msg = NULL;
> +       struct sctp_sched_ops *n;
>         struct sctp_chunk *ch;
>         int i, ret = 0;
>
> -       if (old == n)
> -               return ret;
> -
>         if (sched > SCTP_SS_MAX)
>                 return -EINVAL;
>
> +       n = sctp_sched_ops[sched];
> +       if (old == n)
> +               return ret;
> +
>         if (old)
>                 sctp_sched_free_sched(&asoc->stream);
>
> --
> 2.30.2

Reviewed-by: Xin Long <lucien.xin@gmail.com>
Marcelo Ricardo Leitner May 2, 2023, 3:56 p.m. UTC | #2
On Tue, May 02, 2023 at 01:03:24PM +0000, Gavrilov Ilia wrote:
> The 'sched' index value must be checked before accessing an element
> of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.

Buffer overflow? Or you mean, read beyond the buffer and possibly a
bad pointer dereference? Because the buffer itself is not written to.

> 
> Note that it's harmless since the 'sched' parameter is checked before
> calling 'sctp_sched_set_sched'.
> 
> Found by InfoTeCS on behalf of Linux Verification Center
> (linuxtesting.org) with SVACE.
> 
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Reviewed-by: Simon Horman <simon.horman@corigine.com>
> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
> ---
> V2:
>  - Change the order of local variables 
>  - Specify the target tree in the subject
>  net/sctp/stream_sched.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
> index 330067002deb..4d076a9b8592 100644
> --- a/net/sctp/stream_sched.c
> +++ b/net/sctp/stream_sched.c
> @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
>  int sctp_sched_set_sched(struct sctp_association *asoc,
>  			 enum sctp_sched_type sched)
>  {
> -	struct sctp_sched_ops *n = sctp_sched_ops[sched];
>  	struct sctp_sched_ops *old = asoc->outqueue.sched;
>  	struct sctp_datamsg *msg = NULL;
> +	struct sctp_sched_ops *n;
>  	struct sctp_chunk *ch;
>  	int i, ret = 0;
>  
> -	if (old == n)
> -		return ret;
> -
>  	if (sched > SCTP_SS_MAX)
>  		return -EINVAL;
>  
> +	n = sctp_sched_ops[sched];
> +	if (old == n)
> +		return ret;
> +
>  	if (old)
>  		sctp_sched_free_sched(&asoc->stream);
>  
> -- 
> 2.30.2
Kuniyuki Iwashima May 2, 2023, 5:05 p.m. UTC | #3
From:   Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Date:   Tue, 2 May 2023 13:03:24 +0000
> The 'sched' index value must be checked before accessing an element
> of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.

OOB access ?
But it's not true because it does not happen in the first place.

> 
> Note that it's harmless since the 'sched' parameter is checked before
> calling 'sctp_sched_set_sched'.
> 
> Found by InfoTeCS on behalf of Linux Verification Center
> (linuxtesting.org) with SVACE.
> 
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Reviewed-by: Simon Horman <simon.horman@corigine.com>
> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
> ---
> V2:
>  - Change the order of local variables 
>  - Specify the target tree in the subject
>  net/sctp/stream_sched.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
> 
> diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
> index 330067002deb..4d076a9b8592 100644
> --- a/net/sctp/stream_sched.c
> +++ b/net/sctp/stream_sched.c
> @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
>  int sctp_sched_set_sched(struct sctp_association *asoc,
>  			 enum sctp_sched_type sched)
>  {
> -	struct sctp_sched_ops *n = sctp_sched_ops[sched];
>  	struct sctp_sched_ops *old = asoc->outqueue.sched;
>  	struct sctp_datamsg *msg = NULL;
> +	struct sctp_sched_ops *n;
>  	struct sctp_chunk *ch;
>  	int i, ret = 0;
>  
> -	if (old == n)
> -		return ret;
> -
>  	if (sched > SCTP_SS_MAX)
>  		return -EINVAL;

I'd just remove this check instead because the same test is done
in the caller side, sctp_setsockopt_scheduler(), and this errno
is never returned.

This unnecessary test confuses a reader like sched could be over
SCTP_SS_MAX here.

Since the OOB access does not happen, I think this patch should
go to net-next without the Fixes tag after the merge window.

Thanks,
Kuniyuki


>  
> +	n = sctp_sched_ops[sched];
> +	if (old == n)
> +		return ret;
> +
>  	if (old)
>  		sctp_sched_free_sched(&asoc->stream);
>  
> -- 
> 2.30.2
Marcelo Ricardo Leitner May 2, 2023, 5:49 p.m. UTC | #4
On Tue, May 02, 2023 at 10:05:16AM -0700, Kuniyuki Iwashima wrote:
> From:   Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
> Date:   Tue, 2 May 2023 13:03:24 +0000
> > The 'sched' index value must be checked before accessing an element
> > of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.
> 
> OOB access ?

My thought as well.

> But it's not true because it does not happen in the first place.
> 
> > 
> > Note that it's harmless since the 'sched' parameter is checked before
> > calling 'sctp_sched_set_sched'.
> > 
> > Found by InfoTeCS on behalf of Linux Verification Center
> > (linuxtesting.org) with SVACE.
> > 
> > Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> > Reviewed-by: Simon Horman <simon.horman@corigine.com>
> > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
> > ---
> > V2:
> >  - Change the order of local variables 
> >  - Specify the target tree in the subject
> >  net/sctp/stream_sched.c | 9 +++++----
> >  1 file changed, 5 insertions(+), 4 deletions(-)
> > 
> > diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
> > index 330067002deb..4d076a9b8592 100644
> > --- a/net/sctp/stream_sched.c
> > +++ b/net/sctp/stream_sched.c
> > @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
> >  int sctp_sched_set_sched(struct sctp_association *asoc,
> >  			 enum sctp_sched_type sched)
> >  {
> > -	struct sctp_sched_ops *n = sctp_sched_ops[sched];
> >  	struct sctp_sched_ops *old = asoc->outqueue.sched;
> >  	struct sctp_datamsg *msg = NULL;
> > +	struct sctp_sched_ops *n;
> >  	struct sctp_chunk *ch;
> >  	int i, ret = 0;
> >  
> > -	if (old == n)
> > -		return ret;
> > -
> >  	if (sched > SCTP_SS_MAX)
> >  		return -EINVAL;
> 
> I'd just remove this check instead because the same test is done
> in the caller side, sctp_setsockopt_scheduler(), and this errno
> is never returned.
> 
> This unnecessary test confuses a reader like sched could be over
> SCTP_SS_MAX here.

It's actualy better to keep the test here and remove it from the
callers: they don't need to know the specifics, and further new calls
will be protected already.

> 
> Since the OOB access does not happen, I think this patch should
> go to net-next without the Fixes tag after the merge window.

Yup.

> 
> Thanks,
> Kuniyuki
> 
> 
> >  
> > +	n = sctp_sched_ops[sched];
> > +	if (old == n)
> > +		return ret;
> > +
> >  	if (old)
> >  		sctp_sched_free_sched(&asoc->stream);
> >  
> > -- 
> > 2.30.2
Gavrilov Ilia May 3, 2023, 9:08 a.m. UTC | #5
С уважением,
Илья Гаврилов
Ведущий программист
Отдел разработки
АО "ИнфоТеКС" в г. Санкт-Петербург
127287, г. Москва, Старый Петровско-Разумовский проезд, дом 1/23, стр. 1
T: +7 495 737-61-92 ( доб. 4921)
Ф: +7 495 737-72-78


Ilia.Gavrilov@infotecs.ru
www.infotecs.ru


On 5/2/23 20:49, Marcelo Ricardo Leitner wrote:
> On Tue, May 02, 2023 at 10:05:16AM -0700, Kuniyuki Iwashima wrote:
>> From:   Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
>> Date:   Tue, 2 May 2023 13:03:24 +0000
>>> The 'sched' index value must be checked before accessing an element
>>> of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.
>>
>> OOB access ?
>
> My thought as well.
>

I'm sorry. Yes, I meant out-of-bounds access.

>> But it's not true because it does not happen in the first place.
>>
>>>
>>> Note that it's harmless since the 'sched' parameter is checked before
>>> calling 'sctp_sched_set_sched'.
>>>
>>> Found by InfoTeCS on behalf of Linux Verification Center
>>> (linuxtesting.org) with SVACE.
>>>
>>> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
>>> Reviewed-by: Simon Horman <simon.horman@corigine.com>
>>> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
>>> ---
>>> V2:
>>>   - Change the order of local variables
>>>   - Specify the target tree in the subject
>>>   net/sctp/stream_sched.c | 9 +++++----
>>>   1 file changed, 5 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
>>> index 330067002deb..4d076a9b8592 100644
>>> --- a/net/sctp/stream_sched.c
>>> +++ b/net/sctp/stream_sched.c
>>> @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream)
>>>   int sctp_sched_set_sched(struct sctp_association *asoc,
>>>    enum sctp_sched_type sched)
>>>   {
>>> -struct sctp_sched_ops *n = sctp_sched_ops[sched];
>>>   struct sctp_sched_ops *old = asoc->outqueue.sched;
>>>   struct sctp_datamsg *msg = NULL;
>>> +struct sctp_sched_ops *n;
>>>   struct sctp_chunk *ch;
>>>   int i, ret = 0;
>>>
>>> -if (old == n)
>>> -return ret;
>>> -
>>>   if (sched > SCTP_SS_MAX)
>>>   return -EINVAL;
>>
>> I'd just remove this check instead because the same test is done
>> in the caller side, sctp_setsockopt_scheduler(), and this errno
>> is never returned.
>>
>> This unnecessary test confuses a reader like sched could be over
>> SCTP_SS_MAX here.
>
> It's actualy better to keep the test here and remove it from the
> callers: they don't need to know the specifics, and further new calls
> will be protected already.
>

I agree that the check should be removed, but I think it's better to
keep the test on the calling side, because params->assoc_value is set as
the default "stream schedule" for the socket and it needs to be checked too.

static int sctp_setsockopt_scheduler(..., struct sctp_assoc_value
*params, ...)
{
...
   if (params->assoc_id == SCTP_FUTURE_ASSOC ||
       params->assoc_id == SCTP_ALL_ASSOC)
       sp->default_ss = params->assoc_value;
...
}

>>
>> Since the OOB access does not happen, I think this patch should
>> go to net-next without the Fixes tag after the merge window.
>
> Yup.
>
>>
>> Thanks,
>> Kuniyuki
>>
>>
>>>
>>> +n = sctp_sched_ops[sched];
>>> +if (old == n)
>>> +return ret;
>>> +
>>>   if (old)
>>>   sctp_sched_free_sched(&asoc->stream);
>>>
>>> --
>>> 2.30.2
Marcelo Ricardo Leitner May 3, 2023, 12:47 p.m. UTC | #6
On Wed, May 03, 2023 at 09:08:17AM +0000, Gavrilov Ilia wrote:
> >> This unnecessary test confuses a reader like sched could be over
> >> SCTP_SS_MAX here.
> >
> > It's actualy better to keep the test here and remove it from the
> > callers: they don't need to know the specifics, and further new calls
> > will be protected already.
> >
> 
> I agree that the check should be removed, but I think it's better to
> keep the test on the calling side, because params->assoc_value is set as
> the default "stream schedule" for the socket and it needs to be checked too.
> 
> static int sctp_setsockopt_scheduler(..., struct sctp_assoc_value
> *params, ...)
> {
> ...
>    if (params->assoc_id == SCTP_FUTURE_ASSOC ||
>        params->assoc_id == SCTP_ALL_ASSOC)
>        sp->default_ss = params->assoc_value;
> ...
> }

Good point. But then, don't remove the check. Instead, just fix that
ordering and make it less confusing.  Otherwise you will be really
making it prone to the OOB if a new call gets added that doesn't
validate the parameter.

Thanks,
Marcelo
diff mbox series

Patch

diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c
index 330067002deb..4d076a9b8592 100644
--- a/net/sctp/stream_sched.c
+++ b/net/sctp/stream_sched.c
@@ -146,18 +146,19 @@  static void sctp_sched_free_sched(struct sctp_stream *stream)
 int sctp_sched_set_sched(struct sctp_association *asoc,
 			 enum sctp_sched_type sched)
 {
-	struct sctp_sched_ops *n = sctp_sched_ops[sched];
 	struct sctp_sched_ops *old = asoc->outqueue.sched;
 	struct sctp_datamsg *msg = NULL;
+	struct sctp_sched_ops *n;
 	struct sctp_chunk *ch;
 	int i, ret = 0;
 
-	if (old == n)
-		return ret;
-
 	if (sched > SCTP_SS_MAX)
 		return -EINVAL;
 
+	n = sctp_sched_ops[sched];
+	if (old == n)
+		return ret;
+
 	if (old)
 		sctp_sched_free_sched(&asoc->stream);