Hello Jeongjun, On Tue, 12 Nov 2024, Jeongjun Park wrote: > In the bitmap_ip_uadt function, if ip is greater than ip_to, they are swapped. > However, there is no check to see if ip is smaller than map->first, which > causes an out-of-bounds vulnerability. Therefore, you need to add a missing > bounds check to prevent out-of-bounds. It's a good catch, thanks! However, with the patch below the if (ip < map->first_ip) return -IPSET_ERR_BITMAP_RANGE; lines in the branch just after swapping the from/to addresses becomes unnecessary. Could you send a second version of the patch with the lines above removed? Best regards, Jozsef > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: syzbot+58c872f7790a4d2ac951@xxxxxxxxxxxxxxxxxxxxxxxxx > Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") > Signed-off-by: Jeongjun Park <aha310510@xxxxxxxxx> > --- > net/netfilter/ipset/ip_set_bitmap_ip.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c > index e4fa00abde6a..705c316b001a 100644 > --- a/net/netfilter/ipset/ip_set_bitmap_ip.c > +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c > @@ -178,7 +178,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], > ip_to = ip; > } > > - if (ip_to > map->last_ip) > + if (ip < map->first_ip || ip_to > map->last_ip) > return -IPSET_ERR_BITMAP_RANGE; > > for (; !before(ip_to, ip); ip += map->hosts) { > -- > -- E-mail : kadlec@xxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx Address: Wigner Research Centre for Physics H-1525 Budapest 114, POB. 49, Hungary