[v2] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
| Message ID | 20230111115741.3347031-1-Ilia.Gavrilov@infotecs.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4e01:0:0:0:0:0 with SMTP id p1csp3277069wrt;
Wed, 11 Jan 2023 04:01:17 -0800 (PST)
X-Google-Smtp-Source:
AMrXdXs/CdjymAonaflsw+YLDUFM2CFq1OrwxnYxWAZlZk8sPvEEMciAteAO0XWj3t6W4B4/AbBI
X-Received: by 2002:a17:902:9a93:b0:192:9e13:a4ba with SMTP id
w19-20020a1709029a9300b001929e13a4bamr44653648plp.34.1673438476924;
Wed, 11 Jan 2023 04:01:16 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1673438476; cv=none;
d=google.com; s=arc-20160816;
b=BHVAXe4kWQxzckaMEI7f0x1Nw6NSw7d1o004N3LuXStWtL68hAzW/ICjYuRcjqdMsQ
w0V4aomWRYqNyLtzjNy36Dxp7gpv+kcbJRT2Cz2DFmm53DBlBvhfU4XOC3Ex+fsb39yj
DN4a1qEsGBosW+I5hgKFEfWRagIpMFNDhVeFnQNxp8HrjfyUDjjpmgT03eyMRlT2+eZw
qfb1t6plSkebQSPru3uD45+xLnF6qRYP+rDNY+feY00PJn21eNK1i5H17KOn48YfZ+X4
pPkbw96eu+2UCGUFSlPN+cC2wC2S5TMBVjGjMJ19gZuBk9dX0HKFPyhvq/4jfCphs/MQ
/akg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:content-language:accept-language:in-reply-to:references:message-id
:date:thread-index:thread-topic:subject:cc:to:from:dkim-signature
:dkim-filter;
bh=49kxLRcwh3/YE3yMeeqbymVlkYlZKux8cg7gP0DQr/Q=;
b=pi4wkEPJ66l7AcelwsSOl7BE6LIG+HlzIkqMwQN4ocA7c4Y5QAIczViGaGY/fGXJU2
0ZJ2KH2U6xmkhQibLlX5BVou78mCqYWUs5T5Zze4NYX8tVFm05F1AJEqLl9kYJj9hkVU
9D/sFXbxXhKpS404qo3r4h7GRe8nPfeueQ9R94ql0Dt1H6fW05gHyvUpkeYYN6LLKH1u
GG1rlT376TijWjeGBpxsuwne3AWN8yrCvE3TdBp+RCjC0SC7K82F4uvvQx+7rTZr37+A
vBl7k0IZC8dFEnzMMlLajHdUYMTxwaOURQ6LMzGXffVJS9S4bQyl/WlyPdUxc9poPiq5
0cZA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=G1Al9D6Y;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
q8-20020a170902a3c800b00189444d216asi13594564plb.336.2023.01.11.04.01.02;
Wed, 11 Jan 2023 04:01:16 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=G1Al9D6Y;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S239087AbjAKL7x (ORCPT <rfc822;syz17693488234@gmail.com>
+ 99 others); Wed, 11 Jan 2023 06:59:53 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53106 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229578AbjAKL7E (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Wed, 11 Jan 2023 06:59:04 -0500
Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8F35A21A5;
Wed, 11 Jan 2023 03:57:42 -0800 (PST)
Received: from mx0.infotecs-nt (localhost [127.0.0.1])
by mx0.infotecs.ru (Postfix) with ESMTP id 04DDF13607D1;
Wed, 11 Jan 2023 14:57:40 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru 04DDF13607D1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx;
t=1673438260; bh=49kxLRcwh3/YE3yMeeqbymVlkYlZKux8cg7gP0DQr/Q=;
h=From:To:CC:Subject:Date:References:In-Reply-To:From;
b=G1Al9D6YFmtWwwZNG6Le3yDxDfxYTLh4lUz5oHq9RotGW56oJyPHPNM6xz7sso3mB
7neg5vAksZVH6fotgD0RKvB13tPugD9Rt/BvV7DNi8FPZaqpxIoZ5dh/MXVJm9szjr
QDLHvfUDyU+/2YKZplzfi6x5bjlX8CRy6Vokn7vM=
Received: from msk-exch-01.infotecs-nt (msk-exch-01.infotecs-nt [10.0.7.191])
by mx0.infotecs-nt (Postfix) with ESMTP id 01618316576D;
Wed, 11 Jan 2023 14:57:40 +0300 (MSK)
Received: from msk-exch-01.infotecs-nt (10.0.7.191) by msk-exch-01.infotecs-nt
(10.0.7.191) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.12; Wed, 11 Jan
2023 14:57:39 +0300
Received: from msk-exch-01.infotecs-nt ([fe80::89df:c35f:46be:fd07]) by
msk-exch-01.infotecs-nt ([fe80::89df:c35f:46be:fd07%14]) with mapi id
15.02.1118.012; Wed, 11 Jan 2023 14:57:39 +0300
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
To: Simon Horman <simon.horman@corigine.com>
CC: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Florian Westphal <fw@strlen.de>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
"netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>,
"coreteam@netfilter.org" <coreteam@netfilter.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: [PATCH v2] netfilter: ipset: Fix overflow before widen in the
bitmap_ip_create() function.
Thread-Topic: [PATCH v2] netfilter: ipset: Fix overflow before widen in the
bitmap_ip_create() function.
Thread-Index: AQHZJbPnp5vC0uHQHEOGReEeA2xCQA==
Date: Wed, 11 Jan 2023 11:57:39 +0000
Message-ID: <20230111115741.3347031-1-Ilia.Gavrilov@infotecs.ru>
References: <Y76NQ7tQVB7kE0dG@corigine.com>
In-Reply-To: <Y76NQ7tQVB7kE0dG@corigine.com>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.17.0.10]
x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 174635 [Jan 11 2023]
X-KLMS-AntiSpam-Version: 5.9.59.0
X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Auth: dkim=none
X-KLMS-AntiSpam-Info: LuaCore: 502 502
69dee8ef46717dd3cb3eeb129cb7cc8dab9e30f6,
{Tracking_from_domain_doesnt_match_to},
127.0.0.199:7.1.2;infotecs.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1
X-MS-Exchange-Organization-SCL: -1
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, bases: 2023/01/11 06:26:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30,
bases: 2023/01/11 02:11:00 #20757923
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1754546095307325497?=
X-GMAIL-MSGID: =?utf-8?q?1754727424507964353?=
|
| Series |
[v2] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
|
|
Commit Message
Gavrilov Ilia
Jan. 11, 2023, 11:57 a.m. UTC
When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
to overflow due to a failure casting operands to a larger data type
before performing the arithmetic.
Note that it's harmless since the value will be checked at the next step.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
v2: Fix typo of the last_ip value in the description. Fix the expression for 'hosts'.
net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
On Wed, Jan 11, 2023 at 11:57:39AM +0000, Gavrilov Ilia wrote: > [You don't often get email from ilia.gavrilov@infotecs.ru. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of > an arithmetic expression 2 << (netmask - mask_bits - 1) is subject > to overflow due to a failure casting operands to a larger data type > before performing the arithmetic. > > Note that it's harmless since the value will be checked at the next step. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> Reviewed-by: Simon Horman <simon.horman@corigine.com> > --- > v2: Fix typo of the last_ip value in the description. Fix the expression for 'hosts'. > net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c > index a8ce04a4bb72..e4fa00abde6a 100644 > --- a/net/netfilter/ipset/ip_set_bitmap_ip.c > +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c > @@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], > return -IPSET_ERR_BITMAP_RANGE; > > pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); > - hosts = 2 << (32 - netmask - 1); > - elements = 2 << (netmask - mask_bits - 1); > + hosts = 2U << (32 - netmask - 1); > + elements = 2UL << (netmask - mask_bits - 1); > } > if (elements > IPSET_BITMAP_MAX_RANGE + 1) > return -IPSET_ERR_BITMAP_RANGE_SIZE; > -- > 2.30.2
On Wed, Jan 11, 2023 at 01:00:53PM +0100, Simon Horman wrote: > On Wed, Jan 11, 2023 at 11:57:39AM +0000, Gavrilov Ilia wrote: > > [You don't often get email from ilia.gavrilov@infotecs.ru. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > > > When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of > > an arithmetic expression 2 << (netmask - mask_bits - 1) is subject > > to overflow due to a failure casting operands to a larger data type > > before performing the arithmetic. > > > > Note that it's harmless since the value will be checked at the next step. > > > > Found by InfoTeCS on behalf of Linux Verification Center > > (linuxtesting.org) with SVACE. > > > > Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters") > > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> > > Reviewed-by: Simon Horman <simon.horman@corigine.com> Applied, thanks
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index a8ce04a4bb72..e4fa00abde6a 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c @@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], return -IPSET_ERR_BITMAP_RANGE; pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); - hosts = 2 << (32 - netmask - 1); - elements = 2 << (netmask - mask_bits - 1); + hosts = 2U << (32 - netmask - 1); + elements = 2UL << (netmask - mask_bits - 1); } if (elements > IPSET_BITMAP_MAX_RANGE + 1) return -IPSET_ERR_BITMAP_RANGE_SIZE;