| From 91874ecf32e41b5d86a4cb9d60e0bee50d828058 Mon Sep 17 00:00:00 2001 |
| From: Dmitry Safonov <dima@arista.com> |
| Date: Sun, 5 Aug 2018 01:35:53 +0100 |
| Subject: netlink: Don't shift on 64 for ngroups |
| |
| From: Dmitry Safonov <dima@arista.com> |
| |
| commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058 upstream. |
| |
| It's legal to have 64 groups for netlink_sock. |
| |
| As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe |
| only to first 32 groups. |
| |
| The check for correctness of .bind() userspace supplied parameter |
| is done by applying mask made from ngroups shift. Which broke Android |
| as they have 64 groups and the shift for mask resulted in an overflow. |
| |
| Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups") |
| Cc: "David S. Miller" <davem@davemloft.net> |
| Cc: Herbert Xu <herbert@gondor.apana.org.au> |
| Cc: Steffen Klassert <steffen.klassert@secunet.com> |
| Cc: netdev@vger.kernel.org |
| Cc: stable@vger.kernel.org |
| Reported-and-Tested-by: Nathan Chancellor <natechancellor@gmail.com> |
| Signed-off-by: Dmitry Safonov <dima@arista.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netlink/af_netlink.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/net/netlink/af_netlink.c |
| +++ b/net/netlink/af_netlink.c |
| @@ -988,8 +988,8 @@ static int netlink_bind(struct socket *s |
| |
| if (nlk->ngroups == 0) |
| groups = 0; |
| - else |
| - groups &= (1ULL << nlk->ngroups) - 1; |
| + else if (nlk->ngroups < 8*sizeof(groups)) |
| + groups &= (1UL << nlk->ngroups) - 1; |
| |
| bound = nlk->bound; |
| if (bound) { |
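
Review bot: In the new `else if` branch, the guard is derived from `8*sizeof(groups)` while the shifted constant was narrowed from `1ULL` to `1UL`, so the check only rules out an over-wide shift if `groups` has the same width as `unsigned long`. The declaration of `groups` is not visible in this hunk; if it is ever widened to a 64-bit type, a 32-bit build would again shift `1UL` by 32 or more. Tie the bound to the type actually being shifted, for example by comparing against `BITS_PER_LONG`, or make the constant follow the type of `groups`. Separately, when `nlk->ngroups` is at or above the bound, `groups` now falls through with no mask applied. The commit message explains why that is safe (the user-supplied `nl_groups` is `__u32`), but nothing in the code says so. A one-line comment on the implicit "no masking needed" case would keep a later reader from treating it as a missing `else`.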