Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp670301pxb;
        Tue, 5 Apr 2022 18:06:25 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxHVcIKxyqw4D0d0Dzpe0LcjpHEMoVhs/b4x7ehUJzwwq2xnAmqfcUt4J8NirI3/4uxdkl6
X-Received: by 2002:a05:6402:1941:b0:413:2b7e:676e with SMTP id f1-20020a056402194100b004132b7e676emr6383115edz.114.1649207185663;
        Tue, 05 Apr 2022 18:06:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649207185; cv=none;
        d=google.com; s=arc-20160816;
        b=geUwZZlTk5AyYb/qWk2r5XVL2+rnGejw+h0EiS+LHNT6+1Bc1y7nG9IXp4qqLuNrYZ
         PNR5CCkMHD1U/hEdVi9BZsbEo72PCMiXZ+1H/fiCvAc+1u9HbzSjxU+4ZinsF6H1lAsi
         PZW2pAsEgMsrCwuB/KO4lU1zsQnbqUG8lHbVIUl1zT5BtwucHjZaNjA9M8oMFPsU6SrH
         CuwJ30EMrbvt+QwIS0Z8JBDcAnMOuyXyk8G3LGRx+2q2FEjG/E3iy+f5cYPBVy78yayv
         Ra1NjPGNOVEn9l4Einf/ZuX01ZQ4P72z1lHiX4z8BBFR9ePfVP4dwyrYz8Z0zuKHZSXI
         D06Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=cLRLUk28FJbITA6zo92hxvKhZLyGU39pnSwkOPyz/lw=;
        b=hptkn2nBqYdqOwTCIBmoXIW8H/Qi34QCY+F62QEa1na3U1lAlYIeE4CIQxk/dCrCHB
         1s5kYYqxBJxYD52nMOhCew0wPCEiVbHBYM2YtrF3tWcs/H9ILxmNCFFdXjRmyKYKBdmN
         D5kx9g2i1x3NFAasU/JiEcMS+V6e8XYJ4hAMeaA+bU0s69J1rRFdipn3V0OjAK+1d6+S
         KJkopbD4mQfFz1/6eTxmpnpvT1teTjuypx7UmZDg4L6zutol6Er0VZuBwDsJVxnJpIjD
         mJRjOQG/FUBymhufXHcrODcOy6G8s4W6WZmowA8NI/72+htxqpIOqS6shgPMUSF+cuZ6
         HrEg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=meRpfhKk;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id p14-20020a1709060dce00b006df76385dccsi10418085eji.620.2022.04.05.18.06.01;
        Tue, 05 Apr 2022 18:06:25 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=meRpfhKk;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1353553AbiDEMtt (ORCPT <rfc822;arunks.linux@gmail.com>
        + 99 others); Tue, 5 Apr 2022 08:49:49 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41902 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S244530AbiDEJKD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 05:10:03 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7923125EBB;
        Tue,  5 Apr 2022 01:59:47 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id B26E3B81A22;
        Tue,  5 Apr 2022 08:59:43 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 28815C385A0;
        Tue,  5 Apr 2022 08:59:41 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1649149182;
        bh=da01Yu1VRcc/0ZM/zmhrzof8NG1WHBs1WVz1sV/nRo4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=meRpfhKkskr0noF+WQ6ltGty2TRg/ZvmUkvPs5urNMIA8jOxu26RRrGy84l2Tnuj0
         Gk1w0D+57pgfgVBNk4cSBo9yCC87zeh4WaN/eQXimrD+tx7472vK8YQ5MuRY1KEaKe
         PxSPiV5SXuYerCriJU3n9Ww3idJ8EZFmSGWLd63o=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Petr Machata <petrm@nvidia.com>,
        Ido Schimmel <idosch@nvidia.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.16 0623/1017] af_netlink: Fix shift out of bounds in group mask calculation
Date:   Tue,  5 Apr 2022 09:25:36 +0200
Message-Id: <20220405070412.775282745@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220405070354.155796697@linuxfoundation.org>
References: <20220405070354.155796697@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Petr Machata <petrm@nvidia.com>

[ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ]

When a netlink message is received, netlink_recvmsg() fills in the address
of the sender. One of the fields is the 32-bit bitfield nl_groups, which
carries the multicast group on which the message was received. The least
significant bit corresponds to group 1, and therefore the highest group
that the field can represent is 32. Above that, the UB sanitizer flags the
out-of-bounds shift attempts.

Which bits end up being set in such case is implementation defined, but
it's either going to be a wrong non-zero value, or zero, which is at least
not misleading. Make the latter choice deterministic by always setting to 0
for higher-numbered multicast groups.

To get information about membership in groups >= 32, userspace is expected
to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
socket option.
[0] https://lwn.net/Articles/147608/

The way to trigger this issue is e.g. through monitoring the BRVLAN group:

	# bridge monitor vlan &
	# ip link add name br type bridge

Which produces the following citation:

	UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
	shift exponent 32 is too large for 32-bit type 'int'

Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 9eba2e648385..6fbc3ea735e5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -157,6 +157,8 @@ EXPORT_SYMBOL(do_trace_netlink_extack);
 
 static inline u32 netlink_group_mask(u32 group)
 {
+	if (group > 32)
+		return 0;
 	return group ? 1 << (group - 1) : 0;
 }
 
-- 
2.34.1