[PATCH] Add protection for bmp length out of range

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>From 39a008cc80e0373ed0cffdc2f27daba5592c2012 Mon Sep 17 00:00:00 2001
From: lena wang <lena.wang@xxxxxxxxxxxx>
Date: Tue, 20 Feb 2024 14:00:31 +0800
Subject: [PATCH] Add protection for bmp length out of range

UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
that are out of bounds for their data type.

vmlinux   get_bitmap(b=75) + 712
<net/netfilter/nf_conntrack_h323_asn1.c:0>
vmlinux   decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
level=134443100) + 1956
<net/netfilter/nf_conntrack_h323_asn1.c:592>
vmlinux   decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
<net/netfilter/nf_conntrack_h323_asn1.c:576>
vmlinux   decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
<net/netfilter/nf_conntrack_h323_asn1.c:814>
vmlinux   DecodeRasMessage() + 304
<net/netfilter/nf_conntrack_h323_asn1.c:833>
vmlinux   ras_help() + 684
<net/netfilter/nf_conntrack_h323_main.c:1728>
vmlinux   nf_confirm() + 188
<net/netfilter/nf_conntrack_proto.c:137>
vmlinux   ipv4_confirm() + 204
<net/netfilter/nf_conntrack_proto.c:169>
vmlinux   nf_hook_entry_hookfn() + 56
<include/linux/netfilter.h:137>
vmlinux   nf_hook_slow(s=0) + 156
<net/netfilter/core.c:584>
vmlinux   nf_hook(pf=2, hook=1, sk=0, outdev=0) + 748
<include/linux/netfilter.h:254>
vmlinux   NF_HOOK(pf=2, hook=1, sk=0, out=0) + 748
<include/linux/netfilter.h:297>
vmlinux   ip_local_deliver() + 1072
<net/ipv4/ip_input.c:252>
vmlinux   dst_input() + 64
<include/net/dst.h:443>
vmlinux   ip_rcv_finish(sk=0) + 120
<net/ipv4/ip_input.c:435>
vmlinux   NF_HOOK(pf=2, hook=0, sk=0, out=0) + 136
<include/linux/netfilter.h:299>
vmlinux   ip_rcv() + 320
<net/ipv4/ip_input.c:546>
vmlinux   deliver_skb(orig_dev=0xFFFFFFD0080B7F5C) + 268
<net/core/dev.c:2274>
vmlinux   deliver_ptype_list_skb(orig_dev=0xFFFFFFD008037AB8) + 96
<net/core/dev.c:2289>
vmlinux   __netif_receive_skb_core(pfmemalloc=false) + 4984
<net/core/dev.c:5328>
vmlinux   __netif_receive_skb_one_core(pfmemalloc=false) + 72
<net/core/dev.c:5370>
vmlinux   __netif_receive_skb() + 268
<net/core/dev.c:5486>
vmlinux   process_backlog(quota=134446100) + 672
<net/core/dev.c:6393>
vmlinux   napi_poll() + 312
<net/core/dev.c:6844>
vmlinux   net_rx_action() + 732
<net/core/dev.c:6914>
vmlinux   __do_softirq() + 712
<kernel/softirq.c:305>
vmlinux   do_softirq_own_stack()
<include/linux/interrupt.h:578>
vmlinux   invoke_softirq() + 152
<kernel/softirq.c:402>
vmlinux   el0_svc() + 32
<arch/arm64/kernel/entry-common.c:357>
vmlinux   el0_sync_handler() + 132
<arch/arm64/kernel/entry-common.c:373>

Due to abnormal data in skb->data, the extension bitmap length
exceeds 32 when decoding ras message then uses the length to make
a shift operation. It will change into negative after several loop.
UBSAN load could detect a negative shift as an undefined behaviour
and reports exception.
So we add the protection to avoid the length exceeding 32. Or else
it will return out of range error and stop decoding.

Signed-off-by: lena wang <lena.wang@xxxxxxxxxxxx>
---
 net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
b/net/netfilter/nf_conntrack_h323_asn1.c
index e697a824b001..85be1c589ef0 100644
--- a/net/netfilter/nf_conntrack_h323_asn1.c
+++ b/net/netfilter/nf_conntrack_h323_asn1.c
@@ -589,6 +589,8 @@ static int decode_seq(struct bitstr *bs, const
struct field_t *f,
        bmp2_len = get_bits(bs, 7) + 1;
        if (nf_h323_error_boundary(bs, 0, bmp2_len))
                return H323_ERROR_BOUND;
+       if (bmp2_len > 32)
+               return H323_ERROR_RANGE;
        bmp2 = get_bitmap(bs, bmp2_len);
        bmp |= bmp2 >> f->sz;
        if (base)
--
2.18.0




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux