Message ID | 20230109115432.3001636-1-Ilia.Gavrilov@infotecs.ru |
---|---|
State | New |
Series | netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. |
Commit Message
Gavrilov Ilia
Jan. 9, 2023, 11:54 a.m. UTC
When first_ip is 0, last_ip is 0xFFFFFFF, and netmask is 31, the value of
an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
to overflow due to a failure casting operands to a larger data type
before performing the arithmetic.
Note that it's harmless since the value will be checked at the next step.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
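The overflow-before-widen pattern from the commit message, as an added example that is not part of the patch or the kernel source. It assumes `elements` is a 64-bit variable, that `mask_bits` is 0 for the full-range case described, and that `IPSET_BITMAP_MAX_RANGE` is 0x0000FFFF, none of which is shown on this page; the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value of IPSET_BITMAP_MAX_RANGE; not shown on this page. */
#define MAX_RANGE 0x0000FFFFu

/* Models the pre-patch expression: the literal 2 is an int, so the shift is
 * evaluated in 32 bits and only then widened. The real signed shift
 * overflows (undefined behaviour in C); it is emulated here with unsigned
 * arithmetic plus the two's-complement sign extension compilers typically
 * produce. Precondition: mask_bits < netmask <= 32. */
static uint64_t elements_narrow(unsigned netmask, unsigned mask_bits)
{
    uint32_t bits = (uint32_t)2 << (netmask - mask_bits - 1);
    uint64_t wide = bits;

    if (bits & 0x80000000u)
        wide |= 0xFFFFFFFF00000000ull; /* int -> 64-bit sign extension */
    return wide;
}

/* Widen first, then shift: the operand is 64-bit before the arithmetic. */
static uint64_t elements_wide(unsigned netmask, unsigned mask_bits)
{
    return (uint64_t)2 << (netmask - mask_bits - 1);
}

/* The range check that follows the computation in the hunk. */
static int rejected(uint64_t elements)
{
    return elements > (uint64_t)MAX_RANGE + 1;
}

int main(void)
{
    /* Constructed input: netmask 31 over the whole address space. */
    uint64_t n = elements_narrow(31, 0), w = elements_wide(31, 0);

    printf("narrow: 0x%016llx rejected=%d\n", (unsigned long long)n, rejected(n));
    printf("wide:   0x%016llx rejected=%d\n", (unsigned long long)w, rejected(w));
    return 0;
}
```

Both the wrapped and the correct value exceed the limit, which is why the commit message calls the overflow harmless: the following range check rejects the request either way.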
Comments
Hi Gavrilov, On Mon, Jan 09, 2023 at 11:54:02AM +0000, Gavrilov Ilia wrote: > When first_ip is 0, last_ip is 0xFFFFFFF, and netmask is 31, the value of > an arithmetic expression 2 << (netmask - mask_bits - 1) is subject > to overflow due to a failure casting operands to a larger data type > before performing the arithmetic. > > Note that it's harmless since the value will be checked at the next step. Do you mean 0xFFFFFFFF (8 rather than 8 'F's) ? If so, I agree with this patch. > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> > --- > net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c > index a8ce04a4bb72..b8f0fb37378f 100644 > --- a/net/netfilter/ipset/ip_set_bitmap_ip.c > +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c > @@ -309,7 +309,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], > > pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); > hosts = 2 << (32 - netmask - 1); I think that hosts also overflows, in the case you have described. Although it also doesn't matter for the same reason you state. But from a correctness point of view perhaps it should also be addressed? > - elements = 2 << (netmask - mask_bits - 1); > + elements = 2UL << (netmask - mask_bits - 1); > } > if (elements > IPSET_BITMAP_MAX_RANGE + 1) > return -IPSET_ERR_BITMAP_RANGE_SIZE; > -- > 2.30.2 >
On 1/11/23 13:19, Simon Horman wrote: > Hi Gavrilov, > > On Mon, Jan 09, 2023 at 11:54:02AM +0000, Gavrilov Ilia wrote: >> When first_ip is 0, last_ip is 0xFFFFFFF, and netmask is 31, the value of >> an arithmetic expression 2 << (netmask - mask_bits - 1) is subject >> to overflow due to a failure casting operands to a larger data type >> before performing the arithmetic. >> >> Note that it's harmless since the value will be checked at the next step. > > Do you mean 0xFFFFFFFF (8 rather than 8 'F's) ? > If so, I agree with this patch. > Yes, it's my typo. I meant 0xFFFFFFFF. >> Found by InfoTeCS on behalf of Linux Verification Center >> (linuxtesting.org) with SVACE. >> >> Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") >> Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> >> --- >> net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c >> index a8ce04a4bb72..b8f0fb37378f 100644 >> --- a/net/netfilter/ipset/ip_set_bitmap_ip.c >> +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c 
>> @@ -309,7 +309,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], >> >> pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); >> hosts = 2 << (32 - netmask - 1); > > I think that hosts also overflows, in the case you have described. > Although it also doesn't matter for the same reason you state. > But from a correctness point of view perhaps it should also be addressed? > As for 'hosts', the expression "2 << (32 - netmask - 1)" is also subject to overflow, but the type of the variable 'hosts' is u32, and the type casting gives the correct result. But I will fix it for correctness. Thank you for review. I will change that in V2. Ilia. >> - elements = 2 << (netmask - mask_bits - 1); >> + elements = 2UL << (netmask - mask_bits - 1); >> } >> if (elements > IPSET_BITMAP_MAX_RANGE + 1) >> return -IPSET_ERR_BITMAP_RANGE_SIZE; >> -- >> 2.30.2 >>
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index a8ce04a4bb72..b8f0fb37378f 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c @@ -309,7 +309,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); hosts = 2 << (32 - netmask - 1); - elements = 2 << (netmask - mask_bits - 1); + elements = 2UL << (netmask - mask_bits - 1); } if (elements > IPSET_BITMAP_MAX_RANGE + 1) return -IPSET_ERR_BITMAP_RANGE_SIZE;
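Review bot: on the `+` line, `2UL` is an `unsigned long`, which is only 32 bits wide on 32-bit builds, so the shift is still evaluated in 32 bits there before the result is stored in `elements`. If `elements` is a 64-bit variable, `2ULL` or a cast such as `(u64)2` widens the operand on every architecture. The unchanged context line `hosts = 2 << (32 - netmask - 1);` keeps the signed `int` literal, so a small `netmask` can still shift into the sign bit there; an unsigned literal on that line would remove the signed shift, as was raised in the thread.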