Date: Wed, 26 Feb 2020 11:28:38 -0800 (PST)
Message-Id: <20200226.112838.716163849297775455.davem@davemloft.net>
From: David Miller
To: mkubecek@suse.cz
Cc: kuba@kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net] ethtool: limit bitset size
In-Reply-To: <20200224194212.426B4E1E06@unicorn.suse.cz>
References: <20200224194212.426B4E1E06@unicorn.suse.cz>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Michal Kubecek
Date: Mon, 24 Feb 2020 20:42:12 +0100 (CET)

> Syzbot reported that ethnl_compact_sanity_checks() can be tricked into
> reading past the end of ETHTOOL_A_BITSET_VALUE and ETHTOOL_A_BITSET_MASK
> attributes and even the message by passing a value between (u32)(-31)
> and (u32)(-1) as ETHTOOL_A_BITSET_SIZE.
>
> The problem is that DIV_ROUND_UP(attr_nbits, 32) is 0 for such values so
> that zero length ETHTOOL_A_BITSET_VALUE will pass the length check but
> ethnl_bitmap32_not_zero() check would try to access up to 512 MB of
> attribute "payload".
>
> Prevent this overflow by limiting the bitset size. Technically, compact
> bitset format would allow bitset sizes up to almost 2^18 (so that the
> nest size does not exceed U16_MAX) but bitsets used by ethtool are much
> shorter. S16_MAX, the largest value which can be directly used as an
> upper limit in policy, should be a reasonable compromise.
>
> Fixes: 10b518d4e6dd ("ethtool: netlink bitset handling")
> Reported-by: syzbot+7fd4ed5b4234ab1fdccd@syzkaller.appspotmail.com
> Reported-by: syzbot+709b7a64d57978247e44@syzkaller.appspotmail.com
> Reported-by: syzbot+983cb8fb2d17a7af549d@syzkaller.appspotmail.com
> Signed-off-by: Michal Kubecek

Applied, thanks Michal.
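The arithmetic behind the bug the commit message describes, as an added example that is not part of the patch, the thread, or the kernel's own code: DIV_ROUND_UP(n, 32) expands to (n + 31) / 32, and with n a u32 the addition wraps for every n in [(u32)(-31), (u32)(-1)], collapsing the word count to zero. The length check and the "not zero" scan below are deliberately simplified stand-ins (assumptions, not the kernel's ethnl_compact_sanity_checks() or ethnl_bitmap32_not_zero()); the only facts taken from the message are the macro shape, the vulnerable size range, the 512 MB figure and the S16_MAX bound used by the fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

/* Same shape as the kernel macro; with a u32 operand the addition wraps. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
/* Largest value a netlink policy can carry as a direct upper bound. */
#define S16_MAX 32767

/* Number of u32 words a compact bitset of nbits bits occupies.
 * For nbits >= (u32)(-31), nbits + 31 wraps to a value below 32, so this
 * returns 0 even though nbits is huge. */
u32 bitset_words(u32 nbits)
{
	return DIV_ROUND_UP(nbits, 32);
}

/* Count how many sizes in the inclusive range [lo, hi] yield zero words.
 * The loop breaks before incrementing so hi == UINT32_MAX cannot wrap. */
u32 count_zero_word_sizes(u32 lo, u32 hi)
{
	u32 count = 0;
	u32 n;

	for (n = lo; ; n++) {
		if (bitset_words(n) == 0)
			count++;
		if (n == hi)
			break;
	}
	return count;
}

/* Simplified model of the unfixed length check (an assumption, not the
 * kernel's code): the VALUE attribute must carry exactly words * 4 bytes.
 * When words is 0, an empty attribute satisfies it. */
bool length_check_passes(u32 nbits, size_t value_len)
{
	return value_len == (size_t)bitset_words(nbits) * sizeof(u32);
}

/* Bytes a scan for set bits would touch if it trusted nbits instead of the
 * attribute length: (2^32 - 1) bits rounds up to 512 MiB. */
uint64_t bytes_scanned(u32 nbits)
{
	return ((uint64_t)nbits + 7) / 8;
}

/* Check modelled on the fix: bound the size before doing any arithmetic
 * on it, so the wrapping range can never reach DIV_ROUND_UP. */
bool sanity_check_fixed(u32 nbits, size_t value_len)
{
	if (nbits > S16_MAX)
		return false;
	return length_check_passes(nbits, value_len);
}

int main(void)
{
	u32 bad = (u32)-1;

	printf("DIV_ROUND_UP(0x%x, 32) = %u\n", bad, bitset_words(bad));
	printf("sizes in [(u32)-31, (u32)-1] giving 0 words: %u\n",
	       count_zero_word_sizes((u32)-31, (u32)-1));
	printf("zero-length VALUE passes unfixed check: %d\n",
	       length_check_passes(bad, 0));
	printf("bytes a trusting scan would read: %llu\n",
	       (unsigned long long)bytes_scanned(bad));
	printf("fixed check accepts it: %d\n", sanity_check_fixed(bad, 0));
	return 0;
}
```

The general lesson is the one the fix applies: validate an attacker-controlled count against a hard upper bound before it is used in any arithmetic that derives a buffer size from it, because a rounding-up macro that is correct for small values silently wraps at the top of the type.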