Hello Steffen Klassert,
The patch 2d151d39073a: "xfrm: Add possibility to set the default to
block if we have no policy" from Jul 18, 2021, leads to the following
static checker warning:
net/xfrm/xfrm_user.c:1969 xfrm_set_default()
error: undefined (user controlled) shift '1 << up->dirmask'
net/xfrm/xfrm_user.c
1964 static int xfrm_set_default(struct sk_buff *skb, struct nlmsghdr *nlh,
1965 struct nlattr **attrs)
1966 {
1967 struct net *net = sock_net(skb->sk);
1968 struct xfrm_userpolicy_default *up = nlmsg_data(nlh);
--> 1969 u8 dirmask = (1 << up->dirmask) & XFRM_POL_DEFAULT_MASK;
^^^^^^^^^^^^^^^^
I believe this does come from the user so it can shift wrap leading to
a syzbot/UBSan warning. I don't know that the shift wrapping will have
any other real world impact.
1970 u8 old_default = net->xfrm.policy_default;
1971
1972 net->xfrm.policy_default = (old_default & (0xff ^ dirmask))
1973 | (up->action << up->dirmask);
1974
1975 rt_genid_bump_all(net);
1976
1977 return 0;
1978 }
regards,
dan carpenter
