lena wang <lena.wang@xxxxxxxxxxxx> wrote:

> UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE: Bitwise shifts
> that are out of bounds for their data type.
>
> vmlinux get_bitmap(b=75) + 712
> <net/netfilter/nf_conntrack_h323_asn1.c:0>
> vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018,
> level=134443100) + 1956
> <net/netfilter/nf_conntrack_h323_asn1.c:592>
> vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
> <net/netfilter/nf_conntrack_h323_asn1.c:576>
> vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
> <net/netfilter/nf_conntrack_h323_asn1.c:814>
> vmlinux DecodeRasMessage() + 304
> <net/netfilter/nf_conntrack_h323_asn1.c:833>
> vmlinux ras_help() + 684
> <net/netfilter/nf_conntrack_h323_main.c:1728>
> vmlinux nf_confirm() + 188
> <net/netfilter/nf_conntrack_proto.c:137>
> vmlinux ipv4_confirm() + 204
> <net/netfilter/nf_conntrack_proto.c:169>
> vmlinux nf_hook_entry_hookfn() + 56
> <include/linux/netfilter.h:137>
> vmlinux nf_hook_slow(s=0) + 156
> <net/netfilter/core.c:584>
> vmlinux nf_hook(pf=2, hook=1, sk=0, outdev=0) + 748
> <include/linux/netfilter.h:254>
> vmlinux NF_HOOK(pf=2, hook=1, sk=0, out=0) + 748
> <include/linux/netfilter.h:297>
> vmlinux ip_local_deliver() + 1072
> <net/ipv4/ip_input.c:252>
> vmlinux dst_input() + 64
> <include/net/dst.h:443>
> vmlinux ip_rcv_finish(sk=0) + 120
> <net/ipv4/ip_input.c:435>

Can you trim this a bit? There is no need to have a full stacktrace in the changelog.

> Due to abnormal data in skb->data, the extension bitmap length
> exceeds 32 when decoding a RAS message, and the length is then used
> in a shift operation. It will change into negative after several loops.
> UBSAN load could detect a negative shift as an undefined behaviour
> and reports an exception.
> So we add the protection to avoid the length exceeding 32.
> Or else it will return an out-of-range error and stop decoding.
>
> Signed-off-by: lena wang <lena.wang@xxxxxxxxxxxx>
> ---
> net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> if (base)
> --
> 2.18.0
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index e697a824b001..85be1c589ef0 100644
> --- a/net/netfilter/nf_conntrack_h323_asn1.c
> +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> @@ -589,6 +589,8 @@ static int decode_seq(struct bitstr *bs, const
> struct field_t *f,
> bmp2_len = get_bits(bs, 7) + 1;
> if (nf_h323_error_boundary(bs, 0, bmp2_len))
> return H323_ERROR_BOUND;
> + if (bmp2_len > 32)
> + return H323_ERROR_RANGE;
> bmp2 = get_bitmap(bs, bmp2_len);

There is another get_bitmap call earlier in this function, can you update that too and submit a v2? Thanks!
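Review bot: the new `if (bmp2_len > 32)` guard only protects the second get_bitmap() call in decode_seq() (the `bmp2` extension bitmap), so the earlier get_bitmap() call the reviewer mentions still reaches the shift unguarded; add the identical `> 32` check immediately before that call as well, and say in the changelog that 32 is the width of the word get_bitmap() returns, which is why a 7-bit length field plus one (1..128 bits on the wire) has to be capped there. The changelog's "change into negative after several loop" should be replaced by the precise statement that the shift count exceeds the width of the type, and the full stack trace should be cut down to the UBSAN summary line plus the get_bitmap()/decode_seq() frames that locate the bug. Consider placing the range check before the nf_h323_error_boundary() call so an oversized length is rejected before the boundary arithmetic runs on it.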
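The failure the changelog describes, as an added example that is neither the kernel's code nor the patch author's: a hypothetical bit reader (the names `bitstr`, `get_bits`, `get_bitmap` and the error codes are borrowed from the kernel's naming but reimplemented here, and every input is constructed) shows why a 7-bit "length minus one" field can request 1..128 bits while `get_bitmap()` can only hold 32, and how the `len > 32` range check placed after the boundary check, in the order the patch uses, rejects such a message before the undefined shift runs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes, named after the ones used in the patch. */
enum {
	H323_OK = 0,
	H323_ERROR_BOUND = -1,   /* field would run past the end of the buffer */
	H323_ERROR_RANGE = -2,   /* length field larger than the decoder supports */
};

/* Hypothetical big-endian bit reader, modelled loosely on the kernel's
 * struct bitstr; not the kernel's code. */
struct bitstr {
	const unsigned char *cur;   /* byte currently being read */
	const unsigned char *end;   /* one past the last valid byte */
	unsigned int bit;           /* bits already consumed from *cur, 0..7 */
};

/* Bits still readable from the stream. */
static size_t bits_left(const struct bitstr *bs)
{
	return (size_t)(bs->end - bs->cur) * 8 - bs->bit;
}

/* Read one bit, most significant bit first; caller has checked bounds. */
static unsigned int get_bit(struct bitstr *bs)
{
	unsigned int b = (*bs->cur >> (7 - bs->bit)) & 1;

	if (++bs->bit == 8) {
		bs->bit = 0;
		bs->cur++;
	}
	return b;
}

/* Read n bits (n <= 32) as an unsigned integer; caller has checked bounds. */
static uint32_t get_bits(struct bitstr *bs, unsigned int n)
{
	uint32_t v = 0;

	while (n--)
		v = (v << 1) | get_bit(bs);
	return v;
}

/* Read a bitmap of len bits, left-aligned in a 32-bit word. This is the
 * shift the UBSAN report is about: with len > 32, (32 - len) wraps to a
 * huge unsigned shift count, which is undefined behaviour on uint32_t. */
static uint32_t get_bitmap(struct bitstr *bs, unsigned int len)
{
	return get_bits(bs, len) << (32 - len);
}

/* Decode a PER extension bitmap: a 7-bit "length minus one" field, then
 * that many bits. The order of the checks mirrors the patch. */
static int decode_ext_bitmap(struct bitstr *bs, uint32_t *bmp)
{
	unsigned int len;

	if (bits_left(bs) < 7)
		return H323_ERROR_BOUND;
	len = get_bits(bs, 7) + 1;          /* 1..128 on the wire */
	if (bits_left(bs) < len)
		return H323_ERROR_BOUND;        /* the existing boundary check */
	if (len > 32)
		return H323_ERROR_RANGE;        /* the check the patch adds */
	if (bmp)
		*bmp = get_bitmap(bs, len);
	return H323_OK;
}

/* Decode from a raw byte buffer; bmp may be NULL if only the status matters. */
int decode_status(const unsigned char *buf, size_t n, uint32_t *bmp)
{
	struct bitstr bs = { buf, buf + n, 0 };

	return decode_ext_bitmap(&bs, bmp);
}

/* Decoded bitmap, or 0 when decoding fails. */
uint32_t decode_value(const unsigned char *buf, size_t n)
{
	uint32_t bmp = 0;

	return decode_status(buf, n, &bmp) == H323_OK ? bmp : 0;
}

/* Constructed test vectors, not captured traffic. */
/* length field 6 -> 7 bits "1010000": bitmap 0xA0000000 */
static const unsigned char SAMPLE_OK[] = { 0x0D, 0x40 };
/* length field 31 -> 32 bits, all set: the largest bitmap that fits */
static const unsigned char SAMPLE_MAX[] = { 0x3F, 0xFF, 0xFF, 0xFF, 0xFE };
/* length field 127 -> 128 bits are present, so the boundary check passes,
 * but the bitmap cannot fit in 32 bits: the range check must reject it */
static const unsigned char SAMPLE_RANGE[] = {
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
/* length field 127 with only 9 bits following: caught by the boundary check */
static const unsigned char SAMPLE_TRUNC[] = { 0xFF, 0xFF };

int main(void)
{
	uint32_t bmp = 0;
	int rc = decode_status(SAMPLE_OK, sizeof SAMPLE_OK, &bmp);

	printf("valid: rc=%d bmp=0x%08x\n", rc, (unsigned)bmp);
	printf("oversized length: rc=%d\n",
	       decode_status(SAMPLE_RANGE, sizeof SAMPLE_RANGE, NULL));
	printf("truncated: rc=%d\n",
	       decode_status(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, NULL));
	return 0;
}
```

Without the `len > 32` line, `SAMPLE_RANGE` passes the boundary check (it really does carry 128 bits) and reaches `get_bitmap()` with a shift count of `32 - 128`, which is exactly the out-of-bounds shift UBSAN flagged; the range check turns that into a clean `H323_ERROR_RANGE` and the decoder stops, as the changelog says.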