| Message ID | 20230523082903.117626-1-Ilia.Gavrilov@infotecs.ru |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1987766vqo;
Tue, 23 May 2023 01:45:49 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ5bbeBq+ZNK4HOOMzc1lAonRyDftedlTjLSfKLebiHpzLTcOqFd0bVxrE7JZiPz4QXrau6l
X-Received: by 2002:a17:902:e547:b0:1ad:df75:45e0 with SMTP id
n7-20020a170902e54700b001addf7545e0mr15580151plf.39.1684831549185;
Tue, 23 May 2023 01:45:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684831549; cv=none;
d=google.com; s=arc-20160816;
b=T5FPs1bH1z52KnnJY6bOoTcCbGJ5xiwN/9VbzUaEj8IwydV1LiQ85AINrr7mVCiZEb
OEXBueWpQpfSjHX0EQOOH7wne40b6UAhmjlPIzg7WBcxZzxnUh9mHvR1lZYGSZ18nq03
5T79FkjZRxBJDPe088NBvZbkq1CtvO4siyjU5APZMU+35BAfLWhNidnOVefkgXCvLoGN
WYtC77FyE7QxW96WmJljF43OwYsHKpU9p44e2DcD/hcvIQXkqzQn77+09U9fWREyHjO/
MYq8ezgtHpwfW0SY8gU/14kFl+IoxcA6TGuH25v8LlqYVWqZI+kaoIfWA3FesQziSLBx
4DSg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:mime-version:content-transfer-encoding
:content-language:accept-language:message-id:date:thread-index
:thread-topic:subject:cc:to:from:dkim-signature:dkim-filter;
bh=l7tm0vAG33rwVVbla8sHO3ovuZj7nN3i8qj/PPGqDcM=;
b=kBxlt9DZVsziyxXpYjTMD4RpK95xfEkNPO6qObIngHG3sbztDCejwZ/+nn7I99IYQJ
jsu61WQ6HMRAClcCluieaGuMiXlyZ6pgRc6U5UOQzF2gBhSPSszJ8/FjJR3WyXP4fJSY
BEWOxHwh25FZ6ueNPB6M7ZEg+qkORNQlagWsvfoHfgNYZl8kE1P3PwT7bOPgn2LDrYPx
VGj6g/AgVGOlm6VEG9LLbm+TQribr5hN8szj0p5FCQ4ueoCEFY+aloN1Khi6b3F3Uwq6
83gcNaoYz4KV6fFqu868ZV+baIAPbsSLZ6jINiUNUmt709jcjokozFLtKFgOgMewb5tJ
lKQA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b="B7wONk6/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
ja21-20020a170902efd500b001a6a3954e0fsi1631614plb.18.2023.05.23.01.45.33;
Tue, 23 May 2023 01:45:49 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@infotecs.ru header.s=mx header.b="B7wONk6/";
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=infotecs.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S236177AbjEWIeK (ORCPT <rfc822;ahmedalshaiji.dev@gmail.com>
+ 99 others); Tue, 23 May 2023 04:34:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48534 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S235303AbjEWIdW (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 23 May 2023 04:33:22 -0400
Received: from mx0.infotecs.ru (mx0.infotecs.ru [91.244.183.115])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 12D5A2695;
Tue, 23 May 2023 01:29:48 -0700 (PDT)
Received: from mx0.infotecs-nt (localhost [127.0.0.1])
by mx0.infotecs.ru (Postfix) with ESMTP id 99E0D119C847;
Tue, 23 May 2023 11:29:44 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx0.infotecs.ru 99E0D119C847
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infotecs.ru; s=mx;
t=1684830584; bh=l7tm0vAG33rwVVbla8sHO3ovuZj7nN3i8qj/PPGqDcM=;
h=From:To:CC:Subject:Date:From;
b=B7wONk6/8zrDooE5B3FZP9t+Xo68hCD5k+HYS+E3Qcz8ygubne07IWje4fdECAkeR
joYL9pH8Kd1m2/ZE666bA0ulxMNQzvTrw/ehQfDOWEKc/cYeHarTpzaIaCA9xDIDkG
QE46XlSqQIgqA8zVG29toO+Il3gik2T2HnXt2MCQ=
Received: from msk-exch-01.infotecs-nt (msk-exch-01.infotecs-nt [10.0.7.191])
by mx0.infotecs-nt (Postfix) with ESMTP id 96F5A30CFAF2;
Tue, 23 May 2023 11:29:44 +0300 (MSK)
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
To: "David S. Miller" <davem@davemloft.net>
CC: David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
"Vlad Yasevich" <vyasevic@redhat.com>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"lvc-project@linuxtesting.org" <lvc-project@linuxtesting.org>
Subject: [PATCH net] ipv6: Fix out-of-bounds access in ipv6_find_tlv()
Thread-Topic: [PATCH net] ipv6: Fix out-of-bounds access in ipv6_find_tlv()
Thread-Index: AQHZjVC60BCTLkGAM0GRT+QNTyB9AA==
Date: Tue, 23 May 2023 08:29:44 +0000
Message-ID: <20230523082903.117626-1-Ilia.Gavrilov@infotecs.ru>
Accept-Language: ru-RU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.17.0.10]
x-exclaimer-md-config: 208ac3cd-1ed4-4982-a353-bdefac89ac0a
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-KLMS-Rule-ID: 1
X-KLMS-Message-Action: clean
X-KLMS-AntiSpam-Lua-Profiles: 177530 [May 23 2023]
X-KLMS-AntiSpam-Version: 5.9.59.0
X-KLMS-AntiSpam-Envelope-From: Ilia.Gavrilov@infotecs.ru
X-KLMS-AntiSpam-Rate: 0
X-KLMS-AntiSpam-Status: not_detected
X-KLMS-AntiSpam-Method: none
X-KLMS-AntiSpam-Auth: dkim=none
X-KLMS-AntiSpam-Info: LuaCore: 513 513
41a024eb192917672f8141390381bc9a34ec945f,
{Tracking_from_domain_doesnt_match_to},
127.0.0.199:7.1.2;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;infotecs.ru:7.1.1
X-MS-Exchange-Organization-SCL: -1
X-KLMS-AntiSpam-Interceptor-Info: scan successful
X-KLMS-AntiPhishing: Clean, bases: 2023/05/23 07:14:00
X-KLMS-AntiVirus: Kaspersky Security for Linux Mail Server, version 8.0.3.30,
bases: 2023/05/23 05:11:00 #21371280
X-KLMS-AntiVirus-Status: Clean, skipped
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766673926294067533?=
X-GMAIL-MSGID: =?utf-8?q?1766673926294067533?=
|
| Series |
[net] ipv6: Fix out-of-bounds access in ipv6_find_tlv()
|
|
Commit Message
Gavrilov Ilia
May 23, 2023, 8:29 a.m. UTC
optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: 3c73a0368e99 ("ipv6: Update ipv6 static library with newly needed functions")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
---
net/ipv6/exthdrs_core.c | 2 ++
1 file changed, 2 insertions(+)
Comments
Tue, May 23, 2023 at 10:29:44AM CEST, Ilia.Gavrilov@infotecs.ru wrote: >optlen is fetched without checking whether there is more than one byte to parse. >It can lead to out-of-bounds access. > >Found by InfoTeCS on behalf of Linux Verification Center >(linuxtesting.org) with SVACE. > >Fixes: 3c73a0368e99 ("ipv6: Update ipv6 static library with newly needed functions") >Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> Reviewed-by: Jiri Pirko <jiri@nvidia.com>
On 5/23/23 2:29 AM, Gavrilov Ilia wrote: > optlen is fetched without checking whether there is more than one byte to parse. > It can lead to out-of-bounds access. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 3c73a0368e99 ("ipv6: Update ipv6 static library with newly needed functions") That is not the right Fixes tag; that commit only moved the code. Fixes: c61a40432509 ("[IPV6]: Find option offset by type.") > Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> > --- > net/ipv6/exthdrs_core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c > index da46c4284676..49e31e4ae7b7 100644 > --- a/net/ipv6/exthdrs_core.c > +++ b/net/ipv6/exthdrs_core.c > @@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *skb, int offset, int type) > optlen = 1; > break; > default: > + if (len < 2) > + goto bad; > optlen = nh[offset + 1] + 2; > if (optlen > len) > goto bad; Reviewed-by: David Ahern <dsahern@kernel.org>
Hello: This patch was applied to netdev/net.git (main) by David S. Miller <davem@davemloft.net>: On Tue, 23 May 2023 08:29:44 +0000 you wrote: > optlen is fetched without checking whether there is more than one byte to parse. > It can lead to out-of-bounds access. > > Found by InfoTeCS on behalf of Linux Verification Center > (linuxtesting.org) with SVACE. > > Fixes: 3c73a0368e99 ("ipv6: Update ipv6 static library with newly needed functions") > Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru> > > [...] Here is the summary with links: - [net] ipv6: Fix out-of-bounds access in ipv6_find_tlv() https://git.kernel.org/netdev/net/c/878ecb0897f4 You are awesome, thank you!
diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c index da46c4284676..49e31e4ae7b7 100644 --- a/net/ipv6/exthdrs_core.c +++ b/net/ipv6/exthdrs_core.c @@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *skb, int offset, int type) optlen = 1; break; default: + if (len < 2) + goto bad; optlen = nh[offset + 1] + 2; if (optlen > len) goto bad;