Message ID | d2b63acc5cd76db46132eb6ebd106f159fc5132d.camel@mediatek.com |
---|---|
State | New |
Headers |
From: Lena Wang (王娜) <Lena.Wang@mediatek.com>
To: "fw@strlen.de" <fw@strlen.de>, "davem@davemloft.net" <davem@davemloft.net>, "pablo@netfilter.org" <pablo@netfilter.org>, "kadlec@netfilter.org" <kadlec@netfilter.org>
CC: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>, "netdev@vger.kernel.org" <netdev@vger.kernel.org>, "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: [PATCH net v2] netfilter: Add protection for bmp length out of range
Date: Fri, 1 Mar 2024 15:12:24 +0000 |
Series |
[net,v2] netfilter: Add protection for bmp length out of range
|
|
Commit Message
Lena Wang (王娜)
March 1, 2024, 3:12 p.m. UTC
From: Lena Wang <lena.wang@mediatek.com>

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding ras message. Then get_bitmap uses the
length to make a shift operation. It will change into negative
after several loops.

UBSAN load can detect a negative shift as an undefined behaviour
and reports an exception.

So we should add the protection to avoid the length exceeding 32.
If it exceeds it will return out of range error and stop decoding
ras message.

Signed-off-by: Lena Wang <lena.wang@mediatek.com>
---
v2:
- add length protection for another get_bitmap call.
- update commit message to trim stacktrace.
---
--- net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) *(unsigned int *)base = bmp; @@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, bmp2_len = get_bits(bs, 7) + 1; if (nf_h323_error_boundary(bs, 0, bmp2_len)) return H323_ERROR_BOUND; + if (bmp2_len > 32) + return H323_ERROR_RANGE; bmp2 = get_bitmap(bs, bmp2_len); bmp |= bmp2 >> f->sz; if (base) -- 2.18.0
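Review bot: in this decode_seq() hunk the context line right after the new test, `bmp |= bmp2 >> f->sz;`, is another shift whose count the added `bmp2_len > 32` check does not cover. The companion check in the other hunk rejects only `f->sz > 32`, so `f->sz == 32` still reaches this line, and if bmp2 has the same width as bmp (which is stored through `*(unsigned int *)base`), a shift by 32 is out of range for the type as well. Either state in the commit message that this path never sees an f->sz of 32, or guard the shift. A short comment above `if (bmp2_len > 32)` noting that `get_bits(bs, 7) + 1` can yield up to 128 would also tell the reader why the check is needed.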
Comments
Fri, Mar 01, 2024 at 04:12:24PM CET, Lena.Wang@mediatek.com wrote:
>From: Lena Wang <lena.wang@mediatek.com>
>
>UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
>that are out of bounds for their data type.
>
>vmlinux get_bitmap(b=75) + 712
><net/netfilter/nf_conntrack_h323_asn1.c:0>
>vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
>level=134443100) + 1956
><net/netfilter/nf_conntrack_h323_asn1.c:592>
>vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
><net/netfilter/nf_conntrack_h323_asn1.c:576>
>vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
><net/netfilter/nf_conntrack_h323_asn1.c:814>
>vmlinux DecodeRasMessage() + 304
><net/netfilter/nf_conntrack_h323_asn1.c:833>
>vmlinux ras_help() + 684
><net/netfilter/nf_conntrack_h323_main.c:1728>
>vmlinux nf_confirm() + 188
><net/netfilter/nf_conntrack_proto.c:137>
>
>Due to abnormal data in skb->data, the extension bitmap length
>exceeds 32 when decoding ras message. Then get_bitmap uses the
>length to make a shift operation. It will change into negative
>after several loops.
>
>UBSAN load can detect a negative shift as an undefined behaviour
>and reports an exception.
>
>So we should add the protection to avoid the length exceeding 32.
>If it exceeds it will return out of range error and stop decoding
>ras message.
>
>Signed-off-by: Lena Wang <lena.wang@mediatek.com>

Missing "Fixes" tag, again...
On Fri, Mar 01, 2024 at 03:12:24PM +0000, Lena Wang (王娜) wrote:
> From: Lena Wang <lena.wang@mediatek.com>
>
> UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
> that are out of bounds for their data type.
>
> vmlinux get_bitmap(b=75) + 712
> <net/netfilter/nf_conntrack_h323_asn1.c:0>
> vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
> level=134443100) + 1956
> <net/netfilter/nf_conntrack_h323_asn1.c:592>
> vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
> <net/netfilter/nf_conntrack_h323_asn1.c:576>
> vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux DecodeRasMessage() + 304
> <net/netfilter/nf_conntrack_h323_asn1.c:833>
> vmlinux ras_help() + 684
> <net/netfilter/nf_conntrack_h323_main.c:1728>
> vmlinux nf_confirm() + 188
> <net/netfilter/nf_conntrack_proto.c:137>
>
> Due to abnormal data in skb->data, the extension bitmap length
> exceeds 32 when decoding ras message. Then get_bitmap uses the
> length to make a shift operation. It will change into negative
> after several loops.
>
> UBSAN load can detect a negative shift as an undefined behaviour
> and reports an exception.
>
> So we should add the protection to avoid the length exceeding 32.
> If it exceeds it will return out of range error and stop decoding
> ras message.
>
> Signed-off-by: Lena Wang <lena.wang@mediatek.com>
> ---
> v2:
> - add length protection for another get_bitmap call.
> - update commit message to trim stacktrace.
> ---
> --- > net/netfilter/nf_conntrack_h323_asn1.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/net/netfilter/nf_conntrack_h323_asn1.c > b/net/netfilter/nf_conntrack_h323_asn1.c > index e697a824b001..540d97715bd2 100644 > --- a/net/netfilter/nf_conntrack_h323_asn1.c > +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const > struct field_t *f, > /* Get fields bitmap */ > if (nf_h323_error_boundary(bs, 0, f->sz)) > return H323_ERROR_BOUND; > + if (f->sz > 32) > + return H323_ERROR_RANGE; Could you possibly place this in get_bitmap()? IIRC these are the only two calls to this function. Thanks. > bmp = get_bitmap(bs, f->sz); > if (base) > *(unsigned int *)base = bmp; > @@ -589,6 +591,8 @@ static int decode_seq(struct bitstr *bs, const > struct field_t *f, > bmp2_len = get_bits(bs, 7) + 1; > if (nf_h323_error_boundary(bs, 0, bmp2_len)) > return H323_ERROR_BOUND; > + if (bmp2_len > 32) > + return H323_ERROR_RANGE; > bmp2 = get_bitmap(bs, bmp2_len); > bmp |= bmp2 >> f->sz; > if (base) > -- > 2.18.0
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > + if (f->sz > 32)
> > + return H323_ERROR_RANGE;
>
> Could you possibly place this in get_bitmap()? IIRC these are the only
> two calls to this function.

How would you signal the error? I think this patch is fine as-is.
On Sat, Mar 02, 2024 at 12:52:41PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > + if (f->sz > 32)
> > > + return H323_ERROR_RANGE;
> >
> > Could you possibly place this in get_bitmap()? IIRC these are the only
> > two calls to this function.
>
> How would you signal the error? I think this patch is fine as-is.

Provide the bitmap instead as parameter, but this opencode variant
also LGTM, I am probably overdoing, we can take this as is.

Thanks.
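One way the in-reader placement raised in this thread could signal its error, shown as an added user-space sketch (not kernel code and not part of the patch): the status is the return value and the bitmap comes back through an out-parameter, with the bound check before the range check as in the patch. `struct bitreader`, `read_bits()`, `read_bitmap()`, `read_ext_bitmap()` and the `RD_*` codes are hypothetical; only the 32-bit limit and the 7-bit length field are taken from the patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for H323_ERROR_BOUND and H323_ERROR_RANGE. */
enum { RD_OK = 0, RD_ERR_BOUND = -1, RD_ERR_RANGE = -2 };
#define BMP_BITS 32u /* a bitmap is handed back in one 32-bit word */

struct bitreader {          /* simplified model, not the kernel's struct bitstr */
    const uint8_t *buf;
    size_t len;             /* bytes in buf */
    size_t pos;             /* next bit to read, MSB first */
};

/* Read n bits MSB-first into the low bits of *out; checks come before use. */
static int read_bits(struct bitreader *br, unsigned n, uint32_t *out)
{
    uint32_t v = 0;
    if (n > br->len * 8 - br->pos)
        return RD_ERR_BOUND;    /* not enough input left */
    if (n > BMP_BITS)
        return RD_ERR_RANGE;    /* would not fit in the result word */
    for (unsigned i = 0; i < n; i++, br->pos++)
        v = (v << 1) | ((br->buf[br->pos / 8] >> (7 - br->pos % 8)) & 1u);
    *out = v;
    return RD_OK;
}

/* Bitmap reader with the length check inside: the status is the return
 * value and the left-aligned bitmap comes back through *bmp. */
int read_bitmap(struct bitreader *br, unsigned n, uint32_t *bmp)
{
    uint32_t v = 0;
    int err = read_bits(br, n, &v);     /* rejects n > 32 before any shift */
    if (err)
        return err;
    *bmp = n ? v << (BMP_BITS - n) : 0; /* shift count stays within 0..31 */
    return RD_OK;
}

/* Extension bitmap: a 7-bit field carries length - 1, so the input can
 * claim 1..128 bits although only 32 fit in the result. */
int read_ext_bitmap(struct bitreader *br, uint32_t *bmp)
{
    uint32_t len_m1 = 0;
    int err = read_bits(br, 7, &len_m1);

    return err ? err : read_bitmap(br, (unsigned)len_m1 + 1, bmp);
}

int main(void)
{
    /* Constructed input: first 7 bits are 74, a claimed length of 75 bits. */
    static const uint8_t over[16] = { 0x94, 0xff, 0xff, 0xff };
    /* Constructed input: claimed length 8, bitmap bits 10100000. */
    static const uint8_t ok[2] = { 0x0f, 0x40 };
    struct bitreader a = { over, sizeof(over), 0 }, b = { ok, sizeof(ok), 0 };
    uint32_t bmp = 0;
    int r1 = read_ext_bitmap(&a, &bmp);
    int r2 = read_ext_bitmap(&b, &bmp);
    printf("len 75 -> %d\nlen 8 -> %d, bmp=0x%08x\n", r1, r2, (unsigned)bmp);
    return 0;
}
```

With this shape every caller inherits the limit, at the cost of changing the reader's signature at both call sites.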
diff --git a/net/netfilter/nf_conntrack_h323_asn1.c b/net/netfilter/nf_conntrack_h323_asn1.c index e697a824b001..540d97715bd2 100644 --- a/net/netfilter/nf_conntrack_h323_asn1.c +++ b/net/netfilter/nf_conntrack_h323_asn1.c @@ -533,6 +533,8 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f, /* Get fields bitmap */ if (nf_h323_error_boundary(bs, 0, f->sz)) return H323_ERROR_BOUND; + if (f->sz > 32) + return H323_ERROR_RANGE; bmp = get_bitmap(bs, f->sz); if (base)
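Review bot: the `f->sz > 32` test added after the nf_h323_error_boundary() call takes its value through `const struct field_t *f`, while the commit message attributes the bad length to abnormal data in skb->data; say in the commit message or in a comment whether f->sz can really exceed 32 on this path or whether the check is purely defensive. The literal 32 now appears at both get_bitmap() call sites, so a named constant tied to the width of the bitmap word would keep the two in step. The Fixes: tag asked for in the thread is still missing.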