Patch Detail
GET /api/patches/813665/?format=api
{ "id": 813665, "url": "http://patchwork.ozlabs.org/api/patches/813665/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20170913230054.fmtidvfi2swvy2mm@mwanda/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20170913230054.fmtidvfi2swvy2mm@mwanda>", "list_archive_url": null, "date": "2017-09-13T23:00:54", "name": "[v2,net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "b06867a9e6eb1aa5ce12b854dee577cd47ef5a9a", "submitter": { "id": 9327, "url": "http://patchwork.ozlabs.org/api/people/9327/?format=api", "name": "Dan Carpenter", "email": "dan.carpenter@oracle.com" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20170913230054.fmtidvfi2swvy2mm@mwanda/mbox/", "series": [ { "id": 2995, "url": "http://patchwork.ozlabs.org/api/series/2995/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=2995", "date": "2017-09-13T23:00:54", "name": "[v2,net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()", "version": 2, "mbox": "http://patchwork.ozlabs.org/series/2995/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/813665/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/813665/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": 
"patchwork-incoming@ozlabs.org", "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xsxyF6cDjz9sxR\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 14 Sep 2017 09:02:29 +1000 (AEST)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751419AbdIMXC0 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 13 Sep 2017 19:02:26 -0400", "from aserp1040.oracle.com ([141.146.126.69]:41018 \"EHLO\n\taserp1040.oracle.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751125AbdIMXCZ (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 13 Sep 2017 19:02:25 -0400", "from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71])\n\tby aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with\n\tESMTP id v8DN1EVD030739\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 23:01:15 GMT", "from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236])\n\tby userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id\n\tv8DN1DwL025290\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 23:01:14 GMT", "from ubhmp0013.oracle.com (ubhmp0013.oracle.com [156.151.24.66])\n\tby aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v8DN18DO015231; \n\tWed, 13 Sep 2017 23:01:08 GMT", "from mwanda (/41.202.241.15)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Wed, 13 Sep 2017 23:01:07 +0000" ], "Date": "Thu, 14 Sep 2017 02:00:54 +0300", "From": "Dan Carpenter <dan.carpenter@oracle.com>", "To": "Vlad Yasevich <vyasevich@gmail.com>", "Cc": "Neil Horman <nhorman@tuxdriver.com>,\n\t\"David S. 
Miller\" <davem@davemloft.net>,\n\tlinux-sctp@vger.kernel.org, netdev@vger.kernel.org,\n\tkernel-janitors@vger.kernel.org", "Subject": "[PATCH v2 net] sctp: potential read out of bounds in\n\tsctp_ulpevent_type_enabled()", "Message-ID": "<20170913230054.fmtidvfi2swvy2mm@mwanda>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=us-ascii", "Content-Disposition": "inline", "In-Reply-To": "<20170913.092522.934509429497822082.davem@davemloft.net>", "X-Mailer": "git-send-email haha only kidding", "User-Agent": "NeoMutt/20170609 (1.8.3)", "X-Source-IP": "userv0021.oracle.com [156.151.31.71]", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "This code causes a static checker warning because Smatch doesn't trust\nanything that comes from skb->data. I've reviewed this code and I do\nthink skb->data can be controlled by the user here.\n\nThe sctp_event_subscribe struct has 13 __u8 fields and we want to see\nif ours is non-zero. 
sn_type can be any value in the 0-USHRT_MAX range.\nWe're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read\neither before the start of the struct or after the end.\n\nThis is a very old bug and it's surprising that it would go undetected\nfor so long but my theory is that it just doesn't have a big impact so\nit would be hard to notice.\n\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\n---\nv2: Use reverse-christmas-tree local variable ordering.", "diff": "diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h\nindex 1060494ac230..b8c86ec1a8f5 100644\n--- a/include/net/sctp/ulpevent.h\n+++ b/include/net/sctp/ulpevent.h\n@@ -153,8 +153,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event);\n static inline int sctp_ulpevent_type_enabled(__u16 sn_type,\n \t\t\t\t\t struct sctp_event_subscribe *mask)\n {\n+\tint offset = sn_type - SCTP_SN_TYPE_BASE;\n \tchar *amask = (char *) mask;\n-\treturn amask[sn_type - SCTP_SN_TYPE_BASE];\n+\n+\tif (offset >= sizeof(struct sctp_event_subscribe))\n+\t\treturn 0;\n+\treturn amask[offset];\n }\n \n /* Given an event subscription, is this event enabled? */\n", "prefixes": [ "v2", "net" ] }
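
Review bot: In the include/net/sctp/ulpevent.h hunk, the check `if (offset >= sizeof(struct sctp_event_subscribe))` rejects the below-base case only implicitly: `offset` is a signed `int`, and comparing it with the `size_t` result of `sizeof` converts a negative value to a very large unsigned one, so it also fails the bound. That covers both directions the commit message describes (before the start of the struct and after the end), but a reader has to know the conversion rule to see it. Consider making the lower bound explicit with `offset < 0 ||` in the condition, or adding a one-line comment above the `if` saying the unsigned comparison is intentional, so a later cleanup that changes the type of `offset` or casts the `sizeof` does not silently reopen the read before `amask`.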