From patchwork Fri Mar 1 15:12:24 2024
X-Patchwork-Id: 13578592
From: Lena Wang (王娜)
To: fw@strlen.de, davem@davemloft.net, pablo@netfilter.org, kadlec@netfilter.org
CC: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org
Subject: [PATCH net v2] netfilter: Add protection for bmp length out of range
Date: Fri, 1 Mar 2024 15:12:24 +0000
X-Mailing-List: netdev@vger.kernel.org

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE: Bitwise shifts that are out of bounds for their data type.

vmlinux get_bitmap(b=75) + 712
vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
vmlinux DecodeRasMessage() + 304
vmlinux ras_help() + 684
vmlinux nf_confirm() + 188

Due to abnormal data in skb->data, the extension bitmap length exceeds 32 when decoding ras message. Then get_bitmap uses the length to make a shift operation. It will change into negative after several loops. UBSAN load can detect a negative shift as an undefined behaviour and reports an exception. So we should add the protection to avoid the length exceeding 32. If it exceeds it will return an out of range error and stop decoding ras message.
Signed-off-by: Lena Wang --- v2: - add length protecton for another get_bitmap call. - update commit message to trim stacktrace. --- --- net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) *(unsigned int *)base = bmp; @@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, bmp2_len = get_bits(bs, 7) + 1; if (nf_h323_error_boundary(bs, 0, bmp2_len)) return H323_ERROR_BOUND; + if (bmp2_len > 32) + return H323_ERROR_RANGE; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; if (base) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index e697a824b001..540d97715bd2 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Get fields bitmap */ if (nf_h323_error_boundary(bs, 0, f->sz)) return H323_ERROR_BOUND; + if (f->sz > 32) + return H323_ERROR_RANGE; bmp = get_bitmap(bs, f->sz); if (base)
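Review bot: the `if (f->sz > 32)` check in the `@@ -533` hunk tests a value that is not taken from the packet: `f` is a `const struct field_t *`, and in this decoder the field descriptors come from the static type tables, so `f->sz` is fixed when the kernel is built. The v2 note only says "add length protecton for another get_bitmap call"; the commit message should state why a per-packet runtime check of a table constant is wanted here (or the tables could be validated once, at registration time), so the fix is documented as aimed at the packet-derived `bmp2_len` path in the second hunk.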
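Review bot: in the `@@ -589` hunk the new `if (bmp2_len > 32)` test sits after `nf_h323_error_boundary()`, which is the right order, but the literal 32 is unexplained: `bmp2_len = get_bits(bs, 7) + 1` can be anything from 1 to 128 on the wire, and 32 is the width of the `unsigned int` bitmap that `get_bitmap()` produces and that `bmp |= bmp2 >> f->sz` merges into before `*(unsigned int *)base = bmp`. Spell that out in a comment or a named constant for the bitmap width, and since the undefined shift lives inside `get_bitmap()` itself, consider rejecting `b > 32` there as well so that any other caller is covered, not only these two call sites.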
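As an added illustration (not code from the patch or from the kernel), a constructed model of the extension-bitmap read in decode_seq: the 7-bit length field plus one yields 1..128, the boundary check runs first, and the bound of 32 matches the width of the bitmap word so the shift inside get_bitmap is always defined. The error names follow the patch; the bit reader, the struct layout and the error values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of the decoder's bit-string reader, not the kernel's own
 * get_bits()/get_bitmap(). Error names follow the patch; values are made up. */
enum { H323_OK = 0, H323_ERROR_BOUND = -1, H323_ERROR_RANGE = -2 };

struct bitstr {
	const uint8_t *buf;	/* encoded message */
	size_t nbits;		/* bits available in buf */
	size_t pos;		/* current bit offset */
};

/* Read n bits MSB-first; the caller has already checked the boundary. */
static unsigned get_bits(struct bitstr *bs, unsigned n)
{
	unsigned v = 0;

	while (n--) {
		v = (v << 1) | ((bs->buf[bs->pos / 8] >> (7 - bs->pos % 8)) & 1);
		bs->pos++;
	}
	return v;
}

/* Left-align a b-bit bitmap in a 32-bit word. The shift count 32 - b is only
 * defined for 1 <= b <= 32, which is why b must be bounded before the call. */
static uint32_t get_bitmap(struct bitstr *bs, unsigned b)
{
	return (uint32_t)get_bits(bs, b) << (32 - b);
}

/* Extension bitmap as decode_seq() reads it: a 7-bit length field plus one,
 * the boundary check, then the range check the patch adds. Returns H323_OK
 * and stores the bitmap, or one of the error codes above. */
int decode_ext_bitmap(struct bitstr *bs, uint32_t *bmp2)
{
	unsigned bmp2_len;

	if (bs->pos + 7 > bs->nbits)
		return H323_ERROR_BOUND;
	bmp2_len = get_bits(bs, 7) + 1;		/* 1..128 on the wire */
	if (bs->pos + bmp2_len > bs->nbits)	/* nf_h323_error_boundary() */
		return H323_ERROR_BOUND;
	if (bmp2_len > 32)			/* the patch's new check */
		return H323_ERROR_RANGE;
	*bmp2 = get_bitmap(bs, bmp2_len);
	return H323_OK;
}
```

An input whose length field is 74 (bmp2_len = 75, the same b=75 as in the trace) passes the boundary check on a long enough buffer and is then rejected with H323_ERROR_RANGE instead of reaching the shift.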