From: Gavrilov Ilia
To: Simon Horman
CC: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, "netfilter-devel@vger.kernel.org", "coreteam@netfilter.org", "netdev@vger.kernel.org", "linux-kernel@vger.kernel.org", "lvc-project@linuxtesting.org"
Subject: [PATCH v2] netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
Date: Wed, 11 Jan 2023 11:57:39 +0000
Message-ID: <20230111115741.3347031-1-Ilia.Gavrilov@infotecs.ru>

When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
an arithmetic expression 2 << (netmask - mask_bits - 1) is subject to
overflow due to a failure casting operands to a larger data type before
performing the arithmetic.

Note that it's harmless since the value will be checked at the next step.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: b9fed748185a ("netfilter: ipset: Check and reject crazy /0 input parameters")
Signed-off-by: Ilia.Gavrilov
Reviewed-by: Simon Horman
---
v2: Fix typo of the last_ip value in the description.
    Fix the expression for 'hosts'.

 net/netfilter/ipset/ip_set_bitmap_ip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index a8ce04a4bb72..e4fa00abde6a 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c @@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[], return -IPSET_ERR_BITMAP_RANGE; pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask); - hosts = 2 << (32 - netmask - 1); - elements = 2 << (netmask - mask_bits - 1); + hosts = 2U << (32 - netmask - 1); + elements = 2UL << (netmask - mask_bits - 1); } if (elements > IPSET_BITMAP_MAX_RANGE + 1) return -IPSET_ERR_BITMAP_RANGE_SIZE;
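
Review bot: On the added line "elements = 2UL << (netmask - mask_bits - 1);" the UL suffix is only 32 bits wide on 32-bit builds, so whether the operand is actually widened depends on the architecture. If elements is meant to hold a 64-bit value (its declaration is not in this hunk), 2ULL or BIT_ULL(netmask - mask_bits) would give the same result everywhere. The two added lines also use different suffixes (2U for hosts, 2UL for elements) without a comment saying why; a short note on the intended width of each variable would help. Finally, the shift counts are not bounded in the visible context, and an unsigned shift by 31 of the value 2 wraps to 0 in a 32-bit type, which the following "elements > IPSET_BITMAP_MAX_RANGE + 1" test would not reject. It is worth stating in the changelog or a comment which range of netmask can reach these two lines, so it is clear neither result can wrap before that check.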