| From foo@baz Wed 29 Jul 2020 12:42:55 PM CEST |
| From: Peilin Ye <yepeilin.cs@gmail.com> |
| Date: Wed, 22 Jul 2020 11:19:01 -0400 |
| Subject: AX.25: Fix out-of-bounds read in ax25_connect() |
| |
| From: Peilin Ye <yepeilin.cs@gmail.com> |
| |
| [ Upstream commit 2f2a7ffad5c6cbf3d438e813cfdc88230e185ba6 ] |
| |
| Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient. |
| ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis` |
| equals 7 or 8. Fix it. |
| |
| This issue has been reported as a KMSAN uninit-value bug, because in such |
| a case, ax25_connect() reaches into the uninitialized portion of the |
| `struct sockaddr_storage` statically allocated in __sys_connect(). |
| |
| It is safe to remove `fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS` because |
| `addr_len` is guaranteed to be less than or equal to |
| `sizeof(struct full_sockaddr_ax25)`. |
| |
| Reported-by: syzbot+c82752228ed975b0a623@syzkaller.appspotmail.com |
| Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66 |
| Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ax25/af_ax25.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/net/ax25/af_ax25.c |
| +++ b/net/ax25/af_ax25.c |
| @@ -1191,7 +1191,9 @@ static int __must_check ax25_connect(str |
| if (addr_len > sizeof(struct sockaddr_ax25) && |
| fsa->fsa_ax25.sax25_ndigis != 0) { |
| /* Valid number of digipeaters ? */ |
| - if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) { |
| + if (fsa->fsa_ax25.sax25_ndigis < 1 || |
| + addr_len < sizeof(struct sockaddr_ax25) + |
| + sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) { |
| err = -EINVAL; |
| goto out_release; |
| } |
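Review bot: the replacement condition on `addr_len < sizeof(struct sockaddr_ax25) + sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis` only bounds `sax25_ndigis` because `addr_len` has already been capped at `sizeof(struct full_sockaddr_ax25)` by a check that is outside this hunk; since the explicit `> AX25_MAX_DIGIS` comparison is being dropped, a one-line comment above the `if` stating that dependency would stop a later reader from treating the missing upper bound as an oversight. In the same spot, the existing `/* Valid number of digipeaters ? */` comment no longer describes the whole condition, which now also verifies that the caller passed enough bytes for every digipeater address it claims; updating it to something like `/* Valid number of digipeaters, and enough address bytes for them ? */` keeps the comment honest.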