From patchwork Tue Mar 5 11:38:55 2024
X-Patchwork-Submitter: Lena Wang (王娜)
X-Patchwork-Id: 13582242
X-Patchwork-Delegate: kuba@kernel.org
From: Lena Wang (王娜)
To: "fw@strlen.de", "davem@davemloft.net", "pablo@netfilter.org", "kadlec@netfilter.org", "jiri@resnulli.us"
CC: "linux-kernel@vger.kernel.org", "netdev@vger.kernel.org", "netfilter-devel@vger.kernel.org"
Subject: [PATCH net v3] netfilter: Add protection for bmp length out of range
Date: Tue, 5 Mar 2024 11:38:55 +0000
Message-ID: <571b3e3f7191b5f67792d1090fc537bf4045c522.camel@mediatek.com>
X-Mailing-List: netdev@vger.kernel.org
From: Lena Wang

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux get_bitmap(b=75) + 712
vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
vmlinux DecodeRasMessage() + 304
vmlinux ras_help() + 684
vmlinux nf_confirm() + 188

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding a RAS message, and the length is then used in
a shift operation. It will change into a negative value after several
loops. UBSAN load could detect a negative shift as undefined behaviour
and report an exception.
So we add the protection to avoid the length exceeding 32. Or else
it will return an out of range error and stop decoding.

Fixes: 5e35941d9901 ("[NETFILTER]: Add H.323 conntrack/NAT helper")
Signed-off-by: Lena Wang
---
v3:
  - add "Fixes:" tag.
v2:
  - add length protection for another get_bitmap call.
  - update commit message to trim stacktrace.
---
--- net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) *(unsigned int *)base = bmp; @@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, bmp2_len = get_bits(bs, 7) + 1; if (nf_h323_error_boundary(bs, 0, bmp2_len)) return H323_ERROR_BOUND; + if (bmp2_len > 32) + return H323_ERROR_RANGE; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; if (base) diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index e697a824b001..540d97715bd2 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c 
@@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Get fields bitmap */ if (nf_h323_error_boundary(bs, 0, f->sz)) return H323_ERROR_BOUND; + if (f->sz > 32) + return H323_ERROR_RANGE; bmp = get_bitmap(bs, f->sz); if (base)
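
Review bot: In the hunk at -533, the new "f->sz > 32" test guards a value that arrives through "const struct field_t *f", while the commit message attributes the overflow to abnormal data in skb->data, which visibly matches bmp2_len (read with get_bits(bs, 7) + 1); it is not clear from the hunk that f->sz is packet-controlled. Please state in the commit message or a short comment why this length can exceed 32. Consider also placing the bound inside get_bitmap() or behind a named constant tied to the width of the unsigned int stored via "*(unsigned int *)base = bmp;", so the literal 32 is not repeated at each call site and a future caller cannot miss it.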
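
Review bot: In the hunk at -589, the unchanged line "bmp |= bmp2 >> f->sz;" directly after the new check still shifts by f->sz, and the other hunk lets f->sz equal 32; if bmp2 is a 32-bit unsigned int like the value stored through "*(unsigned int *)base", a shift count of 32 is out of range as well. Either tighten the first bound so it also covers this shift, or handle f->sz == 32 before the OR. Separately, bmp2_len is a 7-bit read plus one, so it can be as large as 128, and returning H323_ERROR_RANGE above 32 now stops decoding for every such message; a one-line comment saying this rejection is intended would help the next reader.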