| From d9585eee55b144adcfa62fe8cb695723d9d9557c Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Fri, 5 Nov 2021 14:42:14 -0700 |
| Subject: llc: fix out-of-bound array index in llc_sk_dev_hash() |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| [ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ] |
| |
| Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed. |
| |
| This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative |
| if @ifindex is negative. |
| |
| We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned. |
| |
| In this patch I chose to use hash_32() to get more entropy |
| from @ifindex, like llc_sk_laddr_hashfn(). |
| |
| UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26 |
| index -43 is out of range for type 'hlist_head [64]' |
| CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 |
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 |
| Call Trace: |
| <TASK> |
| __dump_stack lib/dump_stack.c:88 [inline] |
| dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 |
| ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 |
| __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291 |
| llc_sk_dev_hash include/net/llc.h:75 [inline] |
| llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697 |
| llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404 |
| __sys_bind+0x1e9/0x250 net/socket.c:1693 |
| __do_sys_bind net/socket.c:1704 [inline] |
| __se_sys_bind net/socket.c:1702 [inline] |
| __x64_sys_bind+0x6f/0xb0 net/socket.c:1702 |
| do_syscall_x64 arch/x86/entry/common.c:50 [inline] |
| do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 |
| entry_SYSCALL_64_after_hwframe+0x44/0xae |
| RIP: 0033:0x7fa503407ae9 |
| |
| Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery") |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: syzbot <syzkaller@googlegroups.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| include/net/llc.h | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| diff --git a/include/net/llc.h b/include/net/llc.h |
| index df282d9b40170..9c10b121b49b0 100644 |
| --- a/include/net/llc.h |
| +++ b/include/net/llc.h |
| @@ -72,7 +72,9 @@ struct llc_sap { |
| static inline |
| struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex) |
| { |
| - return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES]; |
| + u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS); |
| + |
| + return &sap->sk_dev_hash[bucket]; |
| } |
| |
| static inline |
| -- |
| 2.33.0 |
| |