From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Herbert Xu", "Dmitry Safonov", netdev@vger.kernel.org, "David S. Miller", "Steffen Klassert"
Date: Sun, 11 Nov 2018 19:49:05 +0000
Subject: [PATCH 3.16 310/366] netlink: Don't shift on 64 for ngroups

3.16.61-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Safonov

commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058 upstream.

It's legal to have 64 groups for netlink_sock.

As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe only to first 32 groups.

The check for correctness of .bind() userspace supplied parameter is done by applying mask made from ngroups shift. Which broke Android as they have 64 groups and the shift for mask resulted in an overflow.

Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
Cc: "David S. Miller"
Cc: Herbert Xu
Cc: Steffen Klassert
Cc: netdev@vger.kernel.org
Reported-and-Tested-by: Nathan Chancellor
Signed-off-by: Dmitry Safonov
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings

--- net/netlink/af_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -930,8 +930,8 @@ static int netlink_bind(struct socket *s if (nlk->ngroups == 0) groups = 0; - else - groups &= (1ULL << nlk->ngroups) - 1; + else if (nlk->ngroups < 8*sizeof(groups)) + groups &= (1UL << nlk->ngroups) - 1; if (nlk->portid) if (nladdr->nl_pid != nlk->portid)
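
Review bot: In the added "else if (nlk->ngroups < 8*sizeof(groups))" branch, the bound is derived from the width of groups, but the value being shifted is the constant 1UL, so the shift is only guaranteed to stay in range if groups is exactly as wide as unsigned long. The declaration of groups is not visible in this hunk, so nothing here ties the two together. Deriving the bound from the shifted type instead, for example "nlk->ngroups < 8 * sizeof(unsigned long)" or BITS_PER_LONG, would keep the check correct even if the type of groups changes later. The case where ngroups is at or above the bound now falls through with groups unmasked and without a comment; a one-line comment stating that every bit of groups is a valid group in that case would make the intent clear to the next reader. As a minor style point, kernel coding style wants spaces around the binary operator in "8*sizeof(groups)".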