| Message ID | 20230502082622.2392659-1-Ilia.Gavrilov@infotecs.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp450176vqo;
Tue, 2 May 2023 01:45:39 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ42FA5s/45MZ7hv2ISXnI+cFhvYlp6WOX/nZ95U5WvcLkhDvFzYme12FGDbvytWdcpHcJ9J
X-Received: by 2002:a05:6a00:848:b0:63b:7af1:47c9 with SMTP id
q8-20020a056a00084800b0063b7af147c9mr26208930pfk.13.1683017139408;
Tue, 02 May 2023 01:45:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1683017139; cv=none;
d=google.com; s=arc-20160816;
b=gpYv2w6KCbkb44DbNHuWMuqn3UZ8PunzuB6Z2UGBr/hKDJq2VVXTiyiSkMDSEJDJYe
soFlhV+Scz6sotism1DSzHJhcFxRQeNj0DaNVZJ+jujqFwtd3on9FKHv/63P0IL9X0If
P7xDjyZDMvS/z/kl5SlBM1rbR+K1x50o2sJqHaYukEu1ENfirFWzxcYdiGUNxMb3OI+0
L6TEaveGspUZ3AM6UXnwdlWjq22P0Qp4oyzFRpGJqy8H8QgKwf8YiNDYwRS9pQhE7+FT
5fKZBGpf1e/QA0fGQgLwUaYAo8OkRaBuuMVWFsrWeOz7dafs28MeXZJWklkYshdSZe8i
AOVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:content-language:accept-language:message-id:date:thread-index
:thread-topic:subject:cc:to:from:dkim-signature:dkim-filter;
bh=m8D8J1VQUATKJTZzY+gdxzLobO6f59B6cKPL1bk4e0M=;
b=jHF1hrHWyK932UhAvQ3Dh4KG7sbZuwk6wgnsWBtPlkixntUflQdkQc/foQrTcP7M7C
eTqRuMCCq6DwK2vt3c3SxMT9nMclHlC0b+zzGjuIiTkGlYcnk0YIa7Wf4ki3dW/RNHKb
78nglF8TfhZ3Ie1HcxwVWSJHOtpHbK//ZkEHJAQUBIkyCaTJ+karKsCEKcXFhrcfnpn3
wN5xC9J6zwWQzBF1d6LJXfVN1R75VLTX+YOymDAZBjKJCdvslodXutnWKQUEIRo6qK2b
VbfAUDmkT8zZeo1MZyd35B/pNxYS34zE6RAAjD9S4V9IPympodUlFgE7BDmyvuED2I1L
EeSA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=gASnqsd8;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
k1-20020a628401000000b005a8c65d57a0si30866100pfd.257.2023.05.02.01.45.26;
Tue, 02 May 2023 01:45:39 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b=gASnqsd8;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233666AbjEBIfX (ORCPT <rfc822;rbbytesnap@gmail.com> + 99 others);
Tue, 2 May 2023 04:35:23 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42426 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S233158AbjEBIfW (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 2 May 2023 04:35:22 -0400
X-Greylist: delayed 523 seconds by postgrey-1.37 at lindbergh.monkeyblade.net;
Tue, 02 May 2023 01:35:17 PDT
Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 99FCA3C0C;
Tue, 2 May 2023 01:35:17 -0700 (PDT)
Received: from mx0.infotecs-nt (localhost [127.0.0.1])
by mx0.infotecs.ru (Postfix) with ESMTP id 644FD108AF9C;
Tue, 2 May 2023 11:26:30 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru 644FD108AF9C
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx;
t=1683015990; bh=m8D8J1VQUATKJTZzY+gdxzLobO6f59B6cKPL1bk4e0M=;
h=From:To:CC:Subject:Date:From;
b=gASnqsd8nqMY+YDG/pklyCP2unjn/d8TDsDAWtMBrWnLb1tF4J9BqWuHZzSh71tGJ
YYEhTUuM6zlDrBaJht2r0GIg7WrP5u7fq92FnUrQsOoa+aH4ybB39xadhJbR3dCHwm
o6NtXsemCP1rS2cAeJwdrMGUq1Z5/e7xl0Z509uQ=
Received: from msk-exch-01.infotecs-nt (msk-exch-01.infotecs-nt [10.0.7.191])
by mx0.infotecs-nt (Postfix) with ESMTP id 5AC0430633DA;
Tue, 2 May 2023 11:26:30 +0300 (MSK)
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
To: Neil Horman <nhorman@tuxdriver.com>
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
"linux-sctp@vger.kernel.org" <linux-sctp@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: [PATCH] sctp: fix a potential buffer overflow in
sctp_sched_set_sched()
Thread-Topic: [PATCH] sctp: fix a potential buffer overflow in
sctp_sched_set_sched()
Thread-Index: AQHZfM/L3fQfyLzenEuG6u7YLaEbHQ==
Date: Tue, 2 May 2023 08:26:30 +0000
Message-ID: <20230502082622.2392659-1-Ilia.Gavrilov@infotecs.ru>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.17.0.10]
x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 177098 [May 02 2023]
X-KLMS-AntiSpam-Version: 5.9.59.0
X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Auth: dkim=none
X-KLMS-AntiSpam-Info: LuaCore: 510 510
bc345371020d3ce827abc4c710f5f0ecf15eaf2e,
{Tracking_from_domain_doesnt_match_to},
127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;infotecs.ru:7.1.1
X-MS-Exchange-Organization-SCL: -1
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, bases: 2023/05/02 06:48:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30,
bases: 2023/05/02 03:46:00 #21204364
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1764771379885762667?=
X-GMAIL-MSGID: =?utf-8?q?1764771379885762667?=
|
| Series |
sctp: fix a potential buffer overflow in sctp_sched_set_sched()
|
|
Commit Message
Gavrilov Ilia
May 2, 2023, 8:26 a.m. UTC
The 'sched' index value must be checked before accessing an element
of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow.
Note that it's harmless since the 'sched' parameter is checked before
calling 'sctp_sched_set_sched'.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
---
net/sctp/stream_sched.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
Comments
On Tue, May 02, 2023 at 08:26:30AM +0000, Gavrilov Ilia wrote: > The 'sched' index value must be checked before accessing an element > of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow. > > Note that it's harmless since the 'sched' parameter is checked before > calling 'sctp_sched_set_sched'. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> Reviewed-by: Simon Horman <simon.horman@corigine.com>
On Tue, May 02, 2023 at 08:26:30AM +0000, Gavrilov Ilia wrote: > The 'sched' index value must be checked before accessing an element > of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow. > > Note that it's harmless since the 'sched' parameter is checked before > calling 'sctp_sched_set_sched'. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> Reviewed-by: Simon Horman <simon.horman@corigine.com> > --- > net/sctp/stream_sched.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c > index 330067002deb..a339917d7197 100644 > --- a/net/sctp/stream_sched.c > +++ b/net/sctp/stream_sched.c > @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream) > int sctp_sched_set_sched(struct sctp_association *asoc, > enum sctp_sched_type sched) > { > - struct sctp_sched_ops *n = sctp_sched_ops[sched]; > + struct sctp_sched_ops *n; nit: reverse xmas tree - longest line to shortest - for local variable declarations in networking code. > struct sctp_sched_ops *old = asoc->outqueue.sched; > struct sctp_datamsg *msg = NULL; > struct sctp_chunk *ch; > int i, ret = 0; > > - if (old == n) > - return ret; > - > if (sched > SCTP_SS_MAX) > return -EINVAL; > > + n = sctp_sched_ops[sched]; > + if (old == n) > + return ret; > + > if (old) > sctp_sched_free_sched(&asoc->stream); > > -- > 2.30.2 >
The 05/02/2023 08:26, Gavrilov Ilia wrote: Hi, > > The 'sched' index value must be checked before accessing an element > of the 'sctp_sched_ops' array. Otherwise, it can lead to buffer overflow. > > Note that it's harmless since the 'sched' parameter is checked before > calling 'sctp_sched_set_sched'. If the 'sched' parameter is already checked, is it not better to remove the check from this function? > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") I am not sure how much this is net material because as you said, this issue can't happen. But don't forget to specify the target tree in the subject. You can do that when creating the patch using: git format-patch ... --subject-prefix "PATCH net" > Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru> > --- > net/sctp/stream_sched.c | 9 +++++---- > 1 file changed, 5 insertions(+), 4 deletions(-) > > diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c > index 330067002deb..a339917d7197 100644 > --- a/net/sctp/stream_sched.c > +++ b/net/sctp/stream_sched.c > @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream) > int sctp_sched_set_sched(struct sctp_association *asoc, > enum sctp_sched_type sched) > { > - struct sctp_sched_ops *n = sctp_sched_ops[sched]; > + struct sctp_sched_ops *n; > struct sctp_sched_ops *old = asoc->outqueue.sched; > struct sctp_datamsg *msg = NULL; > struct sctp_chunk *ch; > int i, ret = 0; > > - if (old == n) > - return ret; > - > if (sched > SCTP_SS_MAX) > return -EINVAL; > > + n = sctp_sched_ops[sched]; > + if (old == n) > + return ret; > + > if (old) > sctp_sched_free_sched(&asoc->stream); > > -- > 2.30.2
diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c index 330067002deb..a339917d7197 100644 --- a/net/sctp/stream_sched.c +++ b/net/sctp/stream_sched.c @@ -146,18 +146,19 @@ static void sctp_sched_free_sched(struct sctp_stream *stream) int sctp_sched_set_sched(struct sctp_association *asoc, enum sctp_sched_type sched) { - struct sctp_sched_ops *n = sctp_sched_ops[sched]; + struct sctp_sched_ops *n; struct sctp_sched_ops *old = asoc->outqueue.sched; struct sctp_datamsg *msg = NULL; struct sctp_chunk *ch; int i, ret = 0; - if (old == n) - return ret; - if (sched > SCTP_SS_MAX) return -EINVAL; + n = sctp_sched_ops[sched]; + if (old == n) + return ret; + if (old) sctp_sched_free_sched(&asoc->stream);