Message ID | 20201010210929.620244-1-anmol.karan123@gmail.com |
---|---|
State | New |
Headers | show |
Series | [Linux-kernel-mentees,net] ethtool: strset: Fix out of bound read in strset_parse_request() | expand |
On Sun, 11 Oct 2020 02:39:29 +0530 Anmol Karn wrote: > Flag ``ETHTOOL_A_STRSET_COUNTS_ONLY`` tells the kernel to only return the string > counts of the sets, but, when req_info->counts_only tries to read the > tb[ETHTOOL_A_STRSET_COUNTS_ONLY] it gets out of bound. > > - net/ethtool/strset.c > The bug seems to trigger in this line: > > req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; > > Fix it by NULL checking for req_info->counts_only while > reading from tb[ETHTOOL_A_STRSET_COUNTS_ONLY]. > > Reported-by: syzbot+9d1389df89299fa368dc@syzkaller.appspotmail.com > Link: https://syzkaller.appspot.com/bug?id=730deff8fe9954a5e317924d9acff98d9c64a770 > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com> I think the correct fix for this was already applied to net-next as: commit db972e532518 ("ethtool: strset: allow ETHTOOL_A_STRSET_COUNTS_ONLY attr")
Hello sir, On Sun, Oct 11, 2020 at 10:24 PM Jakub Kicinski <kuba@kernel.org> wrote: > > On Sun, 11 Oct 2020 02:39:29 +0530 Anmol Karn wrote: > > Flag ``ETHTOOL_A_STRSET_COUNTS_ONLY`` tells the kernel to only return the string > > counts of the sets, but, when req_info->counts_only tries to read the > > tb[ETHTOOL_A_STRSET_COUNTS_ONLY] it gets out of bound. > > > > - net/ethtool/strset.c > > The bug seems to trigger in this line: > > > > req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; > > > > Fix it by NULL checking for req_info->counts_only while > > reading from tb[ETHTOOL_A_STRSET_COUNTS_ONLY]. > > > > Reported-by: syzbot+9d1389df89299fa368dc@syzkaller.appspotmail.com > > Link: https://syzkaller.appspot.com/bug?id=730deff8fe9954a5e317924d9acff98d9c64a770 > > Signed-off-by: Anmol Karn <anmol.karan123@gmail.com> > > I think the correct fix for this was already applied to net-next as: > > commit db972e532518 ("ethtool: strset: allow ETHTOOL_A_STRSET_COUNTS_ONLY attr") I am glad that it's fixed now. Thanks, Anmol
diff --git a/net/ethtool/strset.c b/net/ethtool/strset.c index 82707b662fe4..20a7b36698f3 100644 --- a/net/ethtool/strset.c +++ b/net/ethtool/strset.c @@ -174,7 +174,8 @@ static int strset_parse_request(struct ethnl_req_info *req_base, if (ret < 0) return ret; - req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; + if (req_info->counts_only) + req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; nla_for_each_nested(attr, nest, rem) { u32 id;
Flag ``ETHTOOL_A_STRSET_COUNTS_ONLY`` tells the kernel to only return the string counts of the sets, but, when req_info->counts_only tries to read the tb[ETHTOOL_A_STRSET_COUNTS_ONLY] it gets out of bound. - net/ethtool/strset.c The bug seems to trigger in this line: req_info->counts_only = tb[ETHTOOL_A_STRSET_COUNTS_ONLY]; Fix it by NULL checking for req_info->counts_only while reading from tb[ETHTOOL_A_STRSET_COUNTS_ONLY]. Reported-by: syzbot+9d1389df89299fa368dc@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=730deff8fe9954a5e317924d9acff98d9c64a770 Signed-off-by: Anmol Karn <anmol.karan123@gmail.com> --- When I tried to reduce the index of tb[] by 1, the crash reproducer was not working anymore, hence it's probably reading from tb[ETHTOOL_A_STRSET_STRINGSETS], but this won't give the strset 'count' and hence is not a plausible fix. But checking for the req_info->counts_only seems legit. If I have missed something please let me know, and I will work towards fixing it in next version. net/ethtool/strset.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)