| From bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 Mon Sep 17 00:00:00 2001 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Thu, 14 Jan 2021 10:52:29 -0800 |
| Subject: net_sched: avoid shift-out-of-bounds in tcindex_set_parms() |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| commit bcd0cf19ef8258ac31b9a20248b05c15a1f4b4b0 upstream. |
| |
| tc_index being 16bit wide, we need to check that TCA_TCINDEX_SHIFT |
| attribute is not silly. |
| |
| UBSAN: shift-out-of-bounds in net/sched/cls_tcindex.c:260:29 |
| shift exponent 255 is too large for 32-bit type 'int' |
| CPU: 0 PID: 8516 Comm: syz-executor228 Not tainted 5.10.0-syzkaller #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| Call Trace: |
| __dump_stack lib/dump_stack.c:79 [inline] |
| dump_stack+0x107/0x163 lib/dump_stack.c:120 |
| ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 |
| __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 |
| valid_perfect_hash net/sched/cls_tcindex.c:260 [inline] |
| tcindex_set_parms.cold+0x1b/0x215 net/sched/cls_tcindex.c:425 |
| tcindex_change+0x232/0x340 net/sched/cls_tcindex.c:546 |
| tc_new_tfilter+0x13fb/0x21b0 net/sched/cls_api.c:2127 |
| rtnetlink_rcv_msg+0x8b6/0xb80 net/core/rtnetlink.c:5555 |
| netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 |
| netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] |
| netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 |
| netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 |
| sock_sendmsg_nosec net/socket.c:652 [inline] |
| sock_sendmsg+0xcf/0x120 net/socket.c:672 |
| ____sys_sendmsg+0x6e8/0x810 net/socket.c:2336 |
| ___sys_sendmsg+0xf3/0x170 net/socket.c:2390 |
| __sys_sendmsg+0xe5/0x1b0 net/socket.c:2423 |
| do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 |
| entry_SYSCALL_64_after_hwframe+0x44/0xa9 |
| |
| Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Link: https://lore.kernel.org/r/20210114185229.1742255-1-eric.dumazet@gmail.com |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/sched/cls_tcindex.c | 8 ++++++-- |
| 1 file changed, 6 insertions(+), 2 deletions(-) |
| |
| --- a/net/sched/cls_tcindex.c |
| +++ b/net/sched/cls_tcindex.c |
| @@ -357,9 +357,13 @@ tcindex_set_parms(struct net *net, struc |
| if (tb[TCA_TCINDEX_MASK]) |
| cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]); |
| |
| - if (tb[TCA_TCINDEX_SHIFT]) |
| + if (tb[TCA_TCINDEX_SHIFT]) { |
| cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]); |
| - |
| + if (cp->shift > 16) { |
| + err = -EINVAL; |
| + goto errout; |
| + } |
| + } |
| if (!cp->hash) { |
| /* Hash not specified, use perfect hash if the upper limit |
| * of the hashing index is below the threshold. |
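Review bot: The bound in the added `if (cp->shift > 16)` check is a bare literal, and only the commit message explains that it comes from tc_index being 16 bits wide. I would add a comment above the check, e.g. `/* tc_index is 16 bits wide; a larger shift is meaningless and can exceed the width of the promoted int */`. The rejection also returns a plain `-EINVAL`, so a user sending a bad TCA_TCINDEX_SHIFT gets no hint which attribute was refused. If an extack pointer is in scope (the signature is truncated in the hunk header, so this is not visible here), setting a message before `goto errout;` would help. The value is stored into `cp->shift` before it is validated, which is only safe if the `errout` path discards `cp`; that path and the rest of tcindex_set_parms() lie outside this hunk, so it is worth confirming.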