Re: [PATCH net] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()

From: Sam Sun
Date: Mon Mar 04 2024 - 22:21:11 EST

Next message: Waiman Long: "Re: [PATCH] mm/kmemleak: Don't hold kmemleak_lock when calling printk()"
Previous message: Alan Stern: "Re: usbip doesn't work with userspace code that accesses USB devices"
In reply to: Jay Vosburgh: "Re: [PATCH net] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Mar 5, 2024 at 10:47 AM Jay Vosburgh <jay.vosburgh@xxxxxxxxxxxxx> wrote:
>
> Sam Sun <samsun1006219@xxxxxxxxx> wrote:
>
> >Dear kernel developers and maintainers,
> >
> >We found a bug through our modified Syzkaller. In function
> >bond_option_arp_ip_targets_set(), if newval->string is an empty
> >string, newval->string+1 will point to the byte after the string,
> >causing an out-of-bound read. KASAN report is listed below.
>
> Conceptually, the change here seems fine. However, I don't
> think including the full KASAN report adds much to the description
> above.
>

Thanks for pointing this out! I will remove this next time when I
submit a patch.

> >We developed a patch to fix this problem. Check the string length
> >first before calling in4_pton().
> >
> >Reported-by: Yue Sun <samsun1006219@xxxxxxxxx>
> >Signed-off-by: Yue Sun <samsun1006219@xxxxxxxxx>
> >
> >diff --git a/drivers/net/bonding/bond_options.c
> >b/drivers/net/bonding/bond_options.c
> >index f3f27f0bd2a6..a6d01055f455 100644
> >--- a/drivers/net/bonding/bond_options.c
> >+++ b/drivers/net/bonding/bond_options.c
> >@@ -1198,7 +1198,7 @@ static int bond_option_arp_ip_targets_set(struct
> >bonding *bond,
> > __be32 target;
> >
> > if (newval->string) {
> >- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
> >+ if (!strlen(newval->string) || !in4_pton(newval->string+1,
> >-1, (u8 *)&target, -1, NULL)) {
>
> The text beginning with "-1," is a separate line, and something
> messed up the tabs. Also, this should be rewritten as
>
> if (!strlen(newval->string) ||
> !in4_pton(newval->string + 1, -1, (u8 *)&target, -1, NULL)) {
>
> to avoid a long line.
>

Yes you are right, I should have used the checkpatch script before
submitting the patch. Sorry for the inconvenience.

> -J
>
> > netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
> > &target);
> > return ret;
> >
>
>
> ---
> -Jay Vosburgh, jay.vosburgh@xxxxxxxxxxxxx

I modified the patch and it is listed below.

Reported-by: Yue Sun <samsun1006219@xxxxxxxxx>
Signed-off-by: Yue Sun <samsun1006219@xxxxxxxxx>
diff --git a/drivers/net/bonding/bond_options.c
b/drivers/net/bonding/bond_options.c
index f3f27f0bd2a6..7f765b42fad4 100644
--- a/drivers/net/bonding/bond_options.c
+++ b/drivers/net/bonding/bond_options.c
@@ -1198,7 +1198,8 @@ static int bond_option_arp_ip_targets_set(struct
bonding *bond,
__be32 target;

if (newval->string) {
- if (!in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
+ if (!strlen(newval->string) ||
+ !in4_pton(newval->string+1, -1, (u8 *)&target, -1, NULL)) {
netdev_err(bond->dev, "invalid ARP target %pI4 specified\n",
&target);
return ret;

Best Regards,
Yue

Next message: Waiman Long: "Re: [PATCH] mm/kmemleak: Don't hold kmemleak_lock when calling printk()"
Previous message: Alan Stern: "Re: usbip doesn't work with userspace code that accesses USB devices"
In reply to: Jay Vosburgh: "Re: [PATCH net] drivers/net/bonding: Fix out-of-bounds read in bond_option_arp_ip_targets_set()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]