Re: [PATCH] net: 6pack: fix slab-out-of-bounds in decode_data

From: Dan Carpenter
Date: Mon Aug 16 2021 - 03:16:02 EST

Next message: Jiri Kosina: "Re: [PATCH] Revert "floppy: reintroduce O_NDELAY fix""
Previous message: Miquel Raynal: "Re: [PATCH V4 4/8] i3c: master: svc: add support for slave to stop returning data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Aug 14, 2021 at 05:17:44PM +0300, Pavel Skripkin wrote:
> On 8/14/21 3:23 AM, Kevin Dawson wrote:
> > On Fri, Aug 13, 2021 at 05:58:34PM +0300, Dan Carpenter wrote:
> > > On Fri, Aug 13, 2021 at 02:28:55PM +0300, Pavel Skripkin wrote:
> > > > Syzbot reported slab-out-of bounds write in decode_data().
> > > > The problem was in missing validation checks.
> > > > > Syzbot's reproducer generated malicious input, which caused
> > > > decode_data() to be called a lot in sixpack_decode(). Since
> > > > rx_count_cooked is only 400 bytes and noone reported before,
> > > > that 400 bytes is not enough, let's just check if input is malicious
> > > > and complain about buffer overrun.
> > > > > ...
> > > > > diff --git a/drivers/net/hamradio/6pack.c
> > > b/drivers/net/hamradio/6pack.c
> > > > index fcf3af76b6d7..f4ffc2a80ab7 100644
> > > > --- a/drivers/net/hamradio/6pack.c
> > > > +++ b/drivers/net/hamradio/6pack.c
> > > > @@ -827,6 +827,12 @@ static void decode_data(struct sixpack *sp, unsigned char inbyte)
> > > > return;
> > > > }
> > > > > + if (sp->rx_count_cooked + 3 >= sizeof(sp->cooked_buf)) {
> > >
> > > It should be + 2 instead of + 3.
> > >
> > > We write three bytes. idx, idx + 1, idx + 2. Otherwise, good fix!
> >
> > I would suggest that the statement be:
> >
> > if (sp->rx_count_cooked + 3 > sizeof(sp->cooked_buf)) {
> >
> > or even, because it's a buffer overrun test:
> >
> > if (sp->rx_count_cooked > sizeof(sp->cooked_buf) - 3) {
> >
>
> Hmm, I think, it will be more straightforward for someone not aware about
> driver details.
>
> @Dan, can I add your Reviewed-by tag to v3 and what do you think about
> Kevin's suggestion?
>

I don't care. Sure. I'm also fine with leaving it as is. I've been
using "idx + 2 >= sizeof()" enough recently that it has become an idiom
for me. But that's probably a bias on my part.

I guess "idx + 3 > sizeof()" is probably the most readable. Moving
the + 3 to the other side would prevent integer overflows but we're not
concerned about that here and no need to over engineer things if it
hurts readability.

regards,
dan carpenter

Next message: Jiri Kosina: "Re: [PATCH] Revert "floppy: reintroduce O_NDELAY fix""
Previous message: Miquel Raynal: "Re: [PATCH V4 4/8] i3c: master: svc: add support for slave to stop returning data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]