Message-Id: <3487ee3a98e14cd526f55b6caaa959d2dcbcad9f.1607465316.git.mkubecek@suse.cz>
From: Michal Kubecek
Subject: [PATCH net] ethtool: fix stack overflow in ethnl_parse_bitset()
To: "David S. Miller", Jakub Kicinski, netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Date: Tue, 8 Dec 2020 23:13:51 +0100 (CET)
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reported a stack overflow in bitmap_from_arr32() called from ethnl_parse_bitset() when bitset from netlink message is longer than target bitmap length.

While ethnl_compact_sanity_checks() makes sure that trailing part is all zeros (i.e. the request does not try to touch bits kernel does not recognize), we also need to cap change_bits to nbits so that we don't try to write past the prepared bitmaps.

Fixes: 88db6d1e4f62 ("ethtool: add ethnl_parse_bitset() helper")
Reported-by: syzbot+9d39fa49d4df294aab93@syzkaller.appspotmail.com
Signed-off-by: Michal Kubecek

--- net/ethtool/bitset.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ethtool/bitset.c b/net/ethtool/bitset.c index 1fb3603d92ad..0515d6604b3b 100644 --- a/net/ethtool/bitset.c +++ b/net/ethtool/bitset.c @@ -628,6 +628,8 @@ int ethnl_parse_bitset(unsigned long *val, unsigned long *mask, return ret; change_bits = nla_get_u32(tb[ETHTOOL_A_BITSET_SIZE]); + if (change_bits > nbits) + change_bits = nbits; bitmap_from_arr32(val, nla_data(tb[ETHTOOL_A_BITSET_VALUE]), change_bits); if (change_bits < nbits) -- 2.29.2
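
Review bot: the clamp added just before bitmap_from_arr32() quietly truncates a larger ETHTOOL_A_BITSET_SIZE to nbits, and nothing in the code says why that is safe; the justification (ethnl_compact_sanity_checks() has already ensured the trailing part is all zeros) lives only in the commit message. A one-line comment above `if (change_bits > nbits)` recording that dependency would keep a later reordering of the sanity check and the clamp from reintroducing the write past the prepared bitmaps. Only the ETHTOOL_A_BITSET_VALUE copy is visible in this hunk, so it is worth confirming that any other copy sized by change_bits in this function also sits after the clamp.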