Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp670301pxb; Tue, 5 Apr 2022 18:06:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxHVcIKxyqw4D0d0Dzpe0LcjpHEMoVhs/b4x7ehUJzwwq2xnAmqfcUt4J8NirI3/4uxdkl6 X-Received: by 2002:a05:6402:1941:b0:413:2b7e:676e with SMTP id f1-20020a056402194100b004132b7e676emr6383115edz.114.1649207185663; Tue, 05 Apr 2022 18:06:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649207185; cv=none; d=google.com; s=arc-20160816; b=geUwZZlTk5AyYb/qWk2r5XVL2+rnGejw+h0EiS+LHNT6+1Bc1y7nG9IXp4qqLuNrYZ PNR5CCkMHD1U/hEdVi9BZsbEo72PCMiXZ+1H/fiCvAc+1u9HbzSjxU+4ZinsF6H1lAsi PZW2pAsEgMsrCwuB/KO4lU1zsQnbqUG8lHbVIUl1zT5BtwucHjZaNjA9M8oMFPsU6SrH CuwJ30EMrbvt+QwIS0Z8JBDcAnMOuyXyk8G3LGRx+2q2FEjG/E3iy+f5cYPBVy78yayv Ra1NjPGNOVEn9l4Einf/ZuX01ZQ4P72z1lHiX4z8BBFR9ePfVP4dwyrYz8Z0zuKHZSXI D06Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=cLRLUk28FJbITA6zo92hxvKhZLyGU39pnSwkOPyz/lw=; b=hptkn2nBqYdqOwTCIBmoXIW8H/Qi34QCY+F62QEa1na3U1lAlYIeE4CIQxk/dCrCHB 1s5kYYqxBJxYD52nMOhCew0wPCEiVbHBYM2YtrF3tWcs/H9ILxmNCFFdXjRmyKYKBdmN D5kx9g2i1x3NFAasU/JiEcMS+V6e8XYJ4hAMeaA+bU0s69J1rRFdipn3V0OjAK+1d6+S KJkopbD4mQfFz1/6eTxmpnpvT1teTjuypx7UmZDg4L6zutol6Er0VZuBwDsJVxnJpIjD mJRjOQG/FUBymhufXHcrODcOy6G8s4W6WZmowA8NI/72+htxqpIOqS6shgPMUSF+cuZ6 HrEg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=meRpfhKk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p14-20020a1709060dce00b006df76385dccsi10418085eji.620.2022.04.05.18.06.01; Tue, 05 Apr 2022 18:06:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=meRpfhKk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1353553AbiDEMtt (ORCPT + 99 others); Tue, 5 Apr 2022 08:49:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41902 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244530AbiDEJKD (ORCPT ); Tue, 5 Apr 2022 05:10:03 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7923125EBB; Tue, 5 Apr 2022 01:59:47 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id B26E3B81A22; Tue, 5 Apr 2022 08:59:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 28815C385A0; Tue, 5 Apr 2022 08:59:41 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1649149182; bh=da01Yu1VRcc/0ZM/zmhrzof8NG1WHBs1WVz1sV/nRo4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=meRpfhKkskr0noF+WQ6ltGty2TRg/ZvmUkvPs5urNMIA8jOxu26RRrGy84l2Tnuj0 Gk1w0D+57pgfgVBNk4cSBo9yCC87zeh4WaN/eQXimrD+tx7472vK8YQ5MuRY1KEaKe PxSPiV5SXuYerCriJU3n9Ww3idJ8EZFmSGWLd63o= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Petr Machata , Ido Schimmel , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.16 0623/1017] af_netlink: Fix shift out of bounds in group mask calculation Date: Tue, 5 Apr 2022 09:25:36 +0200 Message-Id: <20220405070412.775282745@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220405070354.155796697@linuxfoundation.org> References: <20220405070354.155796697@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Petr Machata [ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ] When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts. Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups. To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/ The way to trigger this issue is e.g. through monitoring the BRVLAN group: # bridge monitor vlan & # ip link add name br type bridge Which produces the following citation: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int' Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- net/netlink/af_netlink.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 9eba2e648385..6fbc3ea735e5 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -157,6 +157,8 @@ EXPORT_SYMBOL(do_trace_netlink_extack); static inline u32 netlink_group_mask(u32 group) { + if (group > 32) + return 0; return group ? 1 << (group - 1) : 0; } -- 2.34.1