Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2271156pxb;
        Mon, 11 Jan 2021 05:42:02 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxbNDC8P1WH9sjK0Tvj8dTjag0Gm/qFlfo/BfKGAeWLyUizGyLTkzfmIJuJW+evrC3dT6Jr
X-Received: by 2002:a05:6402:229c:: with SMTP id cw28mr14160507edb.285.1610372522012;
        Mon, 11 Jan 2021 05:42:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610372522; cv=none;
        d=google.com; s=arc-20160816;
        b=hBYJPq+8YdwK7M/pgZchFKutnvq6KhCzBFRaMo7DfOXA48DHGFziDhT22q1Zx/300W
         vGpw0Gs1Uj9liM2G/kDiwLg2ONjvDnQGwU+ACHP7E9BUZ0Ia3A58mmFQyeoSATAyh2Cz
         DThjlnrGo5PfdAXv2FY7kS1Ys9nRrkjcAj2z/d753fl6ftAEQPnveCr1EFthDxOsxE2Z
         TUGlnTPsZkrZF+ncpYLZwxcIGXjvxW47gL0k4XOBTOJCleOlPA5TIVioLYwTsIckYaL5
         T0WDly2KMiw69JnK92ZzycXME3cbl3yEg67rnFgcyPcE2tfBMlhLQJB9acUHlzIKzZ95
         qsUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=Ro4y9ks2RiEwOtq4yDF6jPyRKMj86M/nGu18GlljNyE=;
        b=nKOI9F2tftkg1i6ITKHb/Is19+wvGXWMOI1BvBI2SGpkVwAQIAoil64Ue1s4dSnE87
         7QEoGDJNV5FU7PPFBengHIZc5UDvi6/oBVBFoN5JWljqX2JYUv6UjDhfNNjudSo8aaq3
         jVt+70sdUQjNtTM7a066szMtmagXUM/F877tWJDaE375rs/l7hT2/EaVgUjuOLeTxMgK
         qQ7sW0zCr36Juki/aVdjQ8eQJPOq3lk/3/2KUT31mol0UYqQwZbDFh1lI5bG7yzNvN55
         TFchJYUCTGOYbn3N+kUf+mD142fi/3VQdYf8gkq1p9Mf0TLb+gm5BTmlNheh1Q5Vntsv
         UZ+A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KczsJ3uR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j5si6985778edj.409.2021.01.11.05.41.38;
        Mon, 11 Jan 2021 05:42:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=KczsJ3uR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732955AbhAKNhD (ORCPT <rfc822;linx.orlando.fred@gmail.com>
        + 99 others); Mon, 11 Jan 2021 08:37:03 -0500
Received: from mail.kernel.org ([198.145.29.99]:60420 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731627AbhAKNN2 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 11 Jan 2021 08:13:28 -0500
Received: by mail.kernel.org (Postfix) with ESMTPSA id 1940321973;
        Mon, 11 Jan 2021 13:12:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1610370767;
        bh=dTw/4c7vdboY41bKzNKv8RRdtWYMYkKxufFm7M1CimA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=KczsJ3uR/6Soa5P9hwrvP0DIk5DVJK1wAmRQXrrhYT1KTEXDXxKfLs3L108mS1kTg
         Lv2mXgRUwmiItkVBT5ca7/h5aC9gH37FbnzLcrpTxPxjt2QbO7UZs4OqcQNjj3FN/B
         GEEz/LdwD/Vmb1DTkriIB1btOuieYoABoTjaNLFU=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com,
        Vasily Averin <vvs@virtuozzo.com>,
        Jozsef Kadlecsik <kadlec@netfilter.org>,
        Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 5.4 88/92] netfilter: ipset: fix shift-out-of-bounds in htable_bits()
Date:   Mon, 11 Jan 2021 14:02:32 +0100
Message-Id: <20210111130043.400224281@linuxfoundation.org>
X-Mailer: git-send-email 2.30.0
In-Reply-To: <20210111130039.165470698@linuxfoundation.org>
References: <20210111130039.165470698@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vasily Averin <vvs@virtuozzo.com>

commit 5c8193f568ae16f3242abad6518dc2ca6c8eef86 upstream.

htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds

UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 8498 Comm: syz-executor519
 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline]
 hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524
 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115
 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

This patch replaces htable_bits() by simple fls(hashsize - 1) call:
it alone returns valid nbits both for round and non-round hashsizes.
It is normal to set any nbits here because it is validated inside
following htable_size() call which returns 0 for nbits>31.

Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation")
Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/netfilter/ipset/ip_set_hash_gen.h |   20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -143,20 +143,6 @@ htable_size(u8 hbits)
 	return hsize * sizeof(struct hbucket *) + sizeof(struct htable);
 }
 
-/* Compute htable_bits from the user input parameter hashsize */
-static u8
-htable_bits(u32 hashsize)
-{
-	/* Assume that hashsize == 2^htable_bits */
-	u8 bits = fls(hashsize - 1);
-
-	if (jhash_size(bits) != hashsize)
-		/* Round up to the first 2^n value */
-		bits = fls(hashsize);
-
-	return bits;
-}
-
 #ifdef IP_SET_HASH_WITH_NETS
 #if IPSET_NET_COUNT > 1
 #define __CIDR(cidr, i)		(cidr[i])
@@ -1520,7 +1506,11 @@ IPSET_TOKEN(HTYPE, _create)(struct net *
 	if (!h)
 		return -ENOMEM;
 
-	hbits = htable_bits(hashsize);
+	/* Compute htable_bits from the user input parameter hashsize.
+	 * Assume that hashsize == 2^htable_bits,
+	 * otherwise round up to the first 2^n value.
+	 */
+	hbits = fls(hashsize - 1);
 	hsize = htable_size(hbits);
 	if (hsize == 0) {
 		kfree(h);