On Wed, 2024-02-28 at 00:20 +0100, Florian Westphal wrote:
> lena wang <lena.wang@xxxxxxxxxxxx> wrote:
> > UBSAN load reports an exception of BRK#5515 SHIFT_ISSUE:Bitwise shifts
> > that are out of bounds for their data type.
> >
> > vmlinux get_bitmap(b=75) + 712
> > <net/netfilter/nf_conntrack_h323_asn1.c:0>
> > vmlinux decode_seq(bs=0xFFFFFFD008037000, f=0xFFFFFFD008037018, level=134443100) + 1956
> > <net/netfilter/nf_conntrack_h323_asn1.c:592>
> > vmlinux decode_choice(base=0xFFFFFFD0080370F0, level=23843636) + 1216
> > <net/netfilter/nf_conntrack_h323_asn1.c:814>
> > vmlinux decode_seq(f=0xFFFFFFD0080371A8, level=134443500) + 812
> > <net/netfilter/nf_conntrack_h323_asn1.c:576>
> > vmlinux decode_choice(base=0xFFFFFFD008037280, level=0) + 1216
> > <net/netfilter/nf_conntrack_h323_asn1.c:814>
> > vmlinux DecodeRasMessage() + 304
> > <net/netfilter/nf_conntrack_h323_asn1.c:833>
> > vmlinux ras_help() + 684
> > <net/netfilter/nf_conntrack_h323_main.c:1728>
> > vmlinux nf_confirm() + 188
> > <net/netfilter/nf_conntrack_proto.c:137>
> > vmlinux ipv4_confirm() + 204
> > <net/netfilter/nf_conntrack_proto.c:169>
> > vmlinux nf_hook_entry_hookfn() + 56
> > <include/linux/netfilter.h:137>
> > vmlinux nf_hook_slow(s=0) + 156
> > <net/netfilter/core.c:584>
> > vmlinux nf_hook(pf=2, hook=1, sk=0, outdev=0) + 748
> > <include/linux/netfilter.h:254>
> > vmlinux NF_HOOK(pf=2, hook=1, sk=0, out=0) + 748
> > <include/linux/netfilter.h:297>
> > vmlinux ip_local_deliver() + 1072
> > <net/ipv4/ip_input.c:252>
> > vmlinux dst_input() + 64
> > <include/net/dst.h:443>
> > vmlinux ip_rcv_finish(sk=0) + 120
> > <net/ipv4/ip_input.c:435>
>
> Can you trim this a bit? There is no need to have a full stacktrace
> in the changelog.
>

Yes, and I will change it in the v2 patch. Thanks.

> > Due to abnormal data in skb->data, the extension bitmap length
> > exceeds 32 when decoding a RAS message, and the length is then used
> > in a shift operation. It turns negative after several loops.
> > UBSAN can detect a negative shift as undefined behaviour and
> > reports an exception.
> > So we add protection to avoid the length exceeding 32; otherwise it
> > will return an out-of-range error and stop decoding.
> >
> > Signed-off-by: lena wang <lena.wang@xxxxxxxxxxxx>
> > ---
> >  net/netfilter/nf_conntrack_h323_asn1.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> > b/net/netfilter/nf_conntrack_h323_asn1.c
> > index e697a824b001..85be1c589ef0 100644
> > --- a/net/netfilter/nf_conntrack_h323_asn1.c
> > +++ b/net/netfilter/nf_conntrack_h323_asn1.c
> > @@ -589,6 +589,8 @@ static int decode_seq(struct bitstr *bs, const
> > struct field_t *f,
> >  bmp2_len = get_bits(bs, 7) + 1;
> >  if (nf_h323_error_boundary(bs, 0, bmp2_len))
> >  return H323_ERROR_BOUND;
> > + if (bmp2_len > 32)
> > + return H323_ERROR_RANGE;
> >  bmp2 = get_bitmap(bs, bmp2_len);
> >  if (base)
> > --
> > 2.18.0
>
> There is another get_bitmap call earlier in this function, can
> you update that too and submit a v2?
>
> Thanks!

The first caller's len comes from the field f->sz, which is defined in
net/netfilter/nf_conntrack_h323_type.c. It will not exceed 32. Is it
necessary to add this protection? Thanks.
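Review bot: the bare literal in `+ if (bmp2_len > 32)` should be written as the bit width of the variable it protects (a named constant or the type's width) with a short comment, because `bmp2_len = get_bits(bs, 7) + 1;` allows values from 1 to 128 and nothing in the hunk shows why 32 is the limit; whoever next maintains decode_seq() otherwise has to rediscover the link between the length field and the bitmap variable. The placement after the `nf_h323_error_boundary()` check reads correctly: a short packet with an over-long length is rejected by the bounds check, and a long enough one by this range check, so decoding stops before get_bitmap() is reached either way.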
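The failure mode the commit message describes, as an added example that is not the kernel's code and not part of the thread: a minimal PER-style bit reader in the shape of the decode_seq() path, with a 7-bit "length minus one" field (so 1..128), a 32-bit bitmap variable, a bounds check, and the range check the patch adds in front of the bitmap read. All names (struct bitstr fields, EX_* error values, get_bits, get_bitmap, decode_ext_bitmap, ex_status, ex_bitmap) and the sample byte buffers are constructed for this example; the length 75 in one sample mirrors the b=75 in the quoted trace.

```c
/* Added example, not kernel code: a small PER-style bit reader that shows
 * why an extension bitmap length above the width of the bitmap variable
 * must be rejected before the shift in get_bitmap(). Names and error
 * values are constructed for illustration. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum {
	EX_OK = 0,
	EX_ERROR_BOUND = -1,	/* not enough input bits (constructed value) */
	EX_ERROR_RANGE = -2,	/* length does not fit the bitmap type */
};

#define EX_BITMAP_BITS 32u	/* width of the variable the bitmap lands in */

struct bitstr {
	const uint8_t *buf;
	size_t len;		/* bytes available */
	size_t pos;		/* bit offset from the start of buf, MSB first */
};

/* Read n bits (1..32) as an unsigned integer, most significant bit first.
 * The caller must have verified that n bits are available. */
static uint32_t get_bits(struct bitstr *bs, unsigned int n)
{
	uint32_t v = 0;
	for (unsigned int i = 0; i < n; i++, bs->pos++) {
		size_t byte = bs->pos / 8;
		unsigned int bit = 7 - (unsigned int)(bs->pos % 8);
		v = (v << 1) | ((bs->buf[byte] >> bit) & 1u);
	}
	return v;
}

/* Bounds check: are `bits` more bits available from the current position? */
static int error_boundary(const struct bitstr *bs, size_t bits)
{
	return bs->pos + bits > bs->len * 8 ? EX_ERROR_BOUND : EX_OK;
}

/* Read a bitmap of b bits (1..32) left-aligned in a 32-bit word, so the
 * first bit of the stream becomes bit 31 of the result. For b > 32 the
 * shift count (EX_BITMAP_BITS - b) wraps to a huge unsigned value and the
 * shift is undefined behaviour, which is what UBSAN flagged in the trace;
 * callers must reject such lengths before calling this. */
static uint32_t get_bitmap(struct bitstr *bs, unsigned int b)
{
	return get_bits(bs, b) << (EX_BITMAP_BITS - b);
}

/* The extension-bitmap step of a PER SEQUENCE: a 7-bit length-minus-one
 * field (1..128), a bounds check, then the range check the patch adds. */
static int decode_ext_bitmap(struct bitstr *bs, uint32_t *bmp)
{
	unsigned int bmp2_len;

	if (error_boundary(bs, 7))
		return EX_ERROR_BOUND;
	bmp2_len = get_bits(bs, 7) + 1;			/* 1..128 */
	if (error_boundary(bs, bmp2_len))
		return EX_ERROR_BOUND;
	if (bmp2_len > EX_BITMAP_BITS)			/* the added guard */
		return EX_ERROR_RANGE;
	*bmp = get_bitmap(bs, bmp2_len);
	return EX_OK;
}

/* Constructed sample inputs (7-bit length field followed by bitmap bits). */
static const uint8_t SAMPLE_LEN8[]  = { 0x0F, 0x4A };			/* len 8, bitmap 0xA5 */
static const uint8_t SAMPLE_LEN32[] = { 0x3F, 0xFF, 0xFF, 0xFF, 0xFE };	/* len 32, all ones */
static const uint8_t SAMPLE_LEN75[] = { 0x94, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; /* len 75, enough bytes */
static const uint8_t SAMPLE_SHORT[] = { 0x94 };				/* len 75, too few bytes */

/* Decode a buffer from bit 0 and return only the status. */
int ex_status(const uint8_t *buf, size_t len)
{
	struct bitstr bs = { buf, len, 0 };
	uint32_t bmp = 0;
	return decode_ext_bitmap(&bs, &bmp);
}

/* Decode a buffer from bit 0 and return the bitmap, or 0 on any error. */
uint32_t ex_bitmap(const uint8_t *buf, size_t len)
{
	struct bitstr bs = { buf, len, 0 };
	uint32_t bmp = 0;
	return decode_ext_bitmap(&bs, &bmp) == EX_OK ? bmp : 0;
}

int main(void)
{
	printf("len 8  : status %d bitmap 0x%08" PRIx32 "\n",
	       ex_status(SAMPLE_LEN8, sizeof SAMPLE_LEN8), ex_bitmap(SAMPLE_LEN8, sizeof SAMPLE_LEN8));
	printf("len 32 : status %d bitmap 0x%08" PRIx32 "\n",
	       ex_status(SAMPLE_LEN32, sizeof SAMPLE_LEN32), ex_bitmap(SAMPLE_LEN32, sizeof SAMPLE_LEN32));
	printf("len 75 : status %d (range error)\n", ex_status(SAMPLE_LEN75, sizeof SAMPLE_LEN75));
	printf("short  : status %d (bounds error)\n", ex_status(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
	return 0;
}
```

The two error paths are ordered as in the patch: a truncated packet fails the bounds check first, and only a packet that carries enough bytes for an over-long bitmap reaches the range check, so get_bitmap() is never entered with a length wider than its result type.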