Received: by 2002:a05:6602:18e:0:0:0:0 with SMTP id m14csp2116513ioo; Mon, 23 May 2022 10:24:25 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxR0RnsdqHMMT5fEqVbHurH4Unx0RcWcB55XgW2YuLT/Gjrm1181G8jova/sipOsxgVWmxq X-Received: by 2002:a17:902:bd05:b0:15f:19a0:95ed with SMTP id p5-20020a170902bd0500b0015f19a095edmr23864748pls.31.1653326665241; Mon, 23 May 2022 10:24:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1653326665; cv=none; d=google.com; s=arc-20160816; b=KWYTzminTEbYwVFzb/ImOGi58nyVdYvc664A0qr612IsbSGZFNJ06GFnobNuPDlsaJ VnsrDFDmG+wps+RljdHR2GUDqv33+/F4gVpA2SuxX4mWFbbENf8xmzuktdwM6bN6q4M3 LZ5cXoFL7ThdHo+Atjxgf/Xb/bOtFp6eDnYEDOKTrIIdLqZuak7b0gjIzqranc9ftC1C AgGgod0Kz6OHrpivhd9M8dDl3JE3YtgCeIWEcRRlVdVvvMA/1Sa1LfpzIYforQsQLfNt RpgFf+yd+RvhEQU79F78pvySB97ygbS70zP8hHwfQ3b2ajB0gmCOEH2xDl4+8hedspw6 5YDA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=tWGp1RaQAbUQ862ySP1wLcjz7W0B7NpOfvD8hx/JOVE=; b=Ro6Ndi7iwIy2h43Km3grJQMNek8AK1ceUU0n0m+uVsRL1TCLuT/5gpjS3C8MLtlDsz GqSW3wvttsc/XQQ9+SBE6zDF7vnq58oSF12453Id5TlYD/l8WdITCkFVeYYM5m+LLbYo uobwcSGFaeS9On49gvgCzHgh3LQ3mtf+dmz3A4dlMXsN49Al+998PeUWPMeag8KTiSHI EEYXWCfLvb6mME+1nHEQqi1v21kvzMwGy/yPdzk2wp1R7k1kICdDa7ItuyxwKCHpCoxF yxz5mzwwiBXqArkpyuWWl+f68+b3BzMq0nazTqseH9QGd5ImS1J9HeCup5mqOG92/Oga oWEQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TDOb9ioZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id j17-20020a170903029100b0015819f5edc5si11065467plr.426.2022.05.23.10.24.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 May 2022 10:24:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=TDOb9ioZ; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id BDB988B09B; Mon, 23 May 2022 10:24:04 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240180AbiEWRT5 (ORCPT + 99 others); Mon, 23 May 2022 13:19:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240678AbiEWRQj (ORCPT ); Mon, 23 May 2022 13:16:39 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A2EEF15729; Mon, 23 May 2022 10:16:19 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id E6008614CA; Mon, 23 May 2022 17:13:22 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id F3744C385A9; Mon, 23 May 2022 17:13:21 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1653326002; bh=amzS8tdbXvXwVohrv+HoHg7A0i5q82gunCd6tiY4OQY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TDOb9ioZEWVLHngT7eucPAtfcZlA/MbSuIL5xvH4ef4bWr15rXUnSGe+wtC+ymE2z 3yjXPAMEhIEPCVXqjqUXmSNdkpv4KYQyf3r9EHpYWPPOspqk7vBLRU+v6i+gpGBE9e BMdLR3lwscydixLh8V70oFIzEZcafi87QP7AojJQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Paolo Abeni , "David S. Miller" , Sasha Levin , syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com Subject: [PATCH 5.4 37/68] net/sched: act_pedit: sanitize shift argument before usage Date: Mon, 23 May 2022 19:05:04 +0200 Message-Id: <20220523165808.698375192@linuxfoundation.org> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220523165802.500642349@linuxfoundation.org> References: <20220523165802.500642349@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paolo Abeni [ Upstream commit 4d42d54a7d6aa6d29221d3fd4f2ae9503e94f011 ] syzbot was able to trigger an Out-of-Bound on the pedit action: UBSAN: shift-out-of-bounds in net/sched/act_pedit.c:238:43 shift exponent 1400735974 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 3606 Comm: syz-executor151 Not tainted 5.18.0-rc5-syzkaller-00165-g810c2f0a3f86 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 ubsan_epilogue+0xb/0x50 lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x187 lib/ubsan.c:322 tcf_pedit_init.cold+0x1a/0x1f net/sched/act_pedit.c:238 tcf_action_init_1+0x414/0x690 net/sched/act_api.c:1367 tcf_action_init+0x530/0x8d0 net/sched/act_api.c:1432 tcf_action_add+0xf9/0x480 net/sched/act_api.c:1956 tc_ctl_action+0x346/0x470 net/sched/act_api.c:2015 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5993 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] netlink_unicast+0x543/0x7f0 net/netlink/af_netlink.c:1345 netlink_sendmsg+0x904/0xe00 net/netlink/af_netlink.c:1921 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x6e2/0x800 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fe36e9e1b59 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffef796fe88 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe36e9e1b59 RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003 RBP: 00007fe36e9a5d00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe36e9a5d90 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 The 'shift' field is not validated, and any value above 31 will trigger out-of-bounds. The issue predates the git history, but syzbot was able to trigger it only after the commit mentioned in the fixes tag, and this change only applies on top of such commit. Address the issue bounding the 'shift' value to the maximum allowed by the relevant operator. Reported-and-tested-by: syzbot+8ed8fc4c57e9dcf23ca6@syzkaller.appspotmail.com Fixes: 8b796475fd78 ("net/sched: act_pedit: really ensure the skb is writable") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sched/act_pedit.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c index 305cb190e997..f095a0fb75c6 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c @@ -231,6 +231,10 @@ static int tcf_pedit_init(struct net *net, struct nlattr *nla, for (i = 0; i < p->tcfp_nkeys; ++i) { u32 cur = p->tcfp_keys[i].off; + /* sanitize the shift value for any later use */ + p->tcfp_keys[i].shift = min_t(size_t, BITS_PER_TYPE(int) - 1, + p->tcfp_keys[i].shift); + /* The AT option can read a single byte, we can bound the actual * value with uchar max. */ -- 2.35.1