From patchwork Fri Oct 14 17:43:38 2022
X-Patchwork-Submitter: Rasmus Villemoes
X-Patchwork-Id: 1690108
X-Patchwork-Delegate: trini@ti.com
From: Rasmus Villemoes
To: u-boot@lists.denx.de
Cc: Fabio Estevam, Nicolas Bidron, Tom Rini, Joe Hershberger, Ramon Fried, Rasmus Villemoes
Subject: [PATCH 2/6] net: compare received length to sizeof(ip_hdr), not sizeof(ip_udp_hdr)
Date: Fri, 14 Oct 2022 19:43:38 +0200
Message-Id: <20221014174342.3216982-3-rasmus.villemoes@prevas.dk>
In-Reply-To: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>
References: <20221014174342.3216982-1-rasmus.villemoes@prevas.dk>

While the code mostly/only handles UDP packets, it's possible for the last fragment of a fragmented UDP packet to be smaller than 28 bytes; it can be as small as 21 bytes (an IP header plus one byte of payload). So until we've performed the defragmentation step and thus know whether we're now holding a full packet, we should only check for the existence of the fields in the ip header, i.e. that there are at least 20 bytes present.

In practice, we always seem to be handed a "len" of minimum 60 from the device layer, i.e. minimal ethernet frame length minus FCS, so this is mostly theoretical.

After we've fetched the header's claimed length and used that to update the len variable, check that the header itself claims to be the minimal possible length.
This is probably how CVE-2022-30552 should have been dealt with in the first place, because net_defragment() is not the only place that wants to know the size of the IP datagram payload: If we receive a non-fragmented ICMP packet, we pass "len" to receive_icmp() which in turn may pass it to ping_receive() which does compute_ip_checksum(icmph, len - IP_HDR_SIZE) and due to the signature of compute_ip_checksum(), that would then lead to accessing ~4G of address space, very likely leading to a crash. Signed-off-by: Rasmus Villemoes --- net/net.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/net.c b/net/net.c index 536731245b..86b1d90159 100644 --- a/net/net.c +++ b/net/net.c @@ -1191,9 +1191,9 @@ void net_process_received_packet(uchar *in_packet, int len) case PROT_IP: debug_cond(DEBUG_NET_PKT, "Got IP\n"); /* Before we start poking the header, make sure it is there */ - if (len < IP_UDP_HDR_SIZE) { + if (len < IP_HDR_SIZE) { debug("len bad %d < %lu\n", len, - (ulong)IP_UDP_HDR_SIZE); + (ulong)IP_HDR_SIZE); return; } /* Check the packet length */ @@ -1202,6 +1202,10 @@ void net_process_received_packet(uchar *in_packet, int len) return; } len = ntohs(ip->ip_len); + if (len < IP_HDR_SIZE) { + debug("bad ip->ip_len %d < %d\n", len, (int)IP_HDR_SIZE); + return; + } debug_cond(DEBUG_NET_PKT, "len=%d, v=%02x\n", len, ip->ip_hl_v & 0xff);
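Review bot: lowering the pre-parse minimum in `if (len < IP_HDR_SIZE)` means only the 20 IP header bytes are guaranteed from this point on, so the comment `/* Before we start poking the header, make sure it is there */` should say which header: nothing between this check and the defragmentation step may read UDP fields (ip_udp_hdr) without its own length check, since a 21-byte last fragment now passes. Suggest making that explicit in the comment. Separately, `len` is the function's `int` parameter while the `(ulong)IP_HDR_SIZE` cast in the debug() suggests IP_HDR_SIZE is a sizeof()-derived unsigned value; if so the comparison is signed/unsigned and a negative len would sail through. That was already true of the old IP_UDP_HDR_SIZE test, but a `len < 0` guard or an `(int)` cast on the constant would close it.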
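Review bot: the new `if (len < IP_HDR_SIZE)` after `len = ntohs(ip->ip_len);` is what makes the later `len - IP_HDR_SIZE` arithmetic safe (the ICMP path described in the commit message), yet it reads as a duplicate of the identical-looking test a few lines above it; a one-line comment stating that it validates the header's own claim rather than the received frame length would save the next reader the detour. Minor: this hunk prints IP_HDR_SIZE with `%d` and an `(int)` cast while the first hunk uses `%lu` with `(ulong)`; pick one form for both debug lines.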
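The checks the commit message describes, as an added example in my own C, not U-Boot code: a stand-alone validator that applies the minimal-header check and the patch's new claimed-length check to constructed frames, together with a "claimed length must fit the received frame" check that I add as the natural companion (the hunk's context elides what sits at that spot), plus a function showing the unsigned wrap that the pre-patch ICMP path produces. It assumes a 20-byte IPv4 header without options and that compute_ip_checksum() takes its byte count as an unsigned int (the source of the commit message's "~4G"); validate_ipv4_len, example_check and the sample frames are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not U-Boot code.  Assumes a 20-byte IPv4 header (IHL = 5). */

#define IP_HDR_SIZE     20   /* sizeof(struct ip_hdr), no options */
#define IP_UDP_HDR_SIZE 28   /* IP header + 8-byte UDP header (the old minimum) */

enum ip_len_result {
	IP_LEN_OK = 0,
	IP_LEN_FRAME_TOO_SHORT,  /* fewer than 20 bytes received; header fields unusable */
	IP_LEN_CLAIM_TOO_LARGE,  /* ip_len claims more bytes than were received */
	IP_LEN_CLAIM_TOO_SMALL   /* ip_len smaller than the header itself (the new check) */
};

static unsigned be16(const uint8_t *p)
{
	return ((unsigned)p[0] << 8) | p[1];
}

/*
 * Validate a received frame of 'len' bytes that starts with an IPv4 header.
 * On success *datagram_len receives the header's claimed total length, which
 * is what later code must use: the frame may carry Ethernet padding, and a
 * last fragment may be as short as 21 bytes (header plus one payload byte).
 */
enum ip_len_result validate_ipv4_len(const uint8_t *pkt, int len, int *datagram_len)
{
	int claimed;

	/* Before touching any header field, make sure the header is there. */
	if (len < IP_HDR_SIZE)
		return IP_LEN_FRAME_TOO_SHORT;

	/* ip_len: big-endian total length at offset 2 of the header. */
	claimed = (int)be16(pkt + 2);

	/* Companion check (assumed): the header may not claim more than we got. */
	if (len < claimed)
		return IP_LEN_CLAIM_TOO_LARGE;

	/* Nor less than its own size; otherwise claimed - IP_HDR_SIZE is negative. */
	if (claimed < IP_HDR_SIZE)
		return IP_LEN_CLAIM_TOO_SMALL;

	*datagram_len = claimed;
	return IP_LEN_OK;
}

/*
 * What the pre-patch ICMP path hands compute_ip_checksum() for a header
 * claiming 'len' bytes.  Assumption: that function takes its byte count as
 * an unsigned int, which is where the commit message's "~4G" comes from.
 */
unsigned int icmp_checksum_len_unchecked(int len)
{
	return (unsigned int)(len - IP_HDR_SIZE);
}

/* Constructed frame: zeroed, version/IHL byte set, ip_len filled in. */
static void build_frame(uint8_t *buf, int size, unsigned ip_len)
{
	if (size <= 0)
		return;
	memset(buf, 0, (size_t)size);
	if (size >= 4) {
		buf[0] = 0x45;                  /* IPv4, IHL = 5 */
		buf[2] = (uint8_t)(ip_len >> 8);
		buf[3] = (uint8_t)ip_len;
	}
}

/*
 * Run the validator on a constructed frame of 'frame_size' bytes whose
 * header claims 'ip_len'.  Returns the validated datagram length, or the
 * negated ip_len_result code when the frame is rejected.
 */
int example_check(int frame_size, unsigned ip_len)
{
	uint8_t f[64];
	int dl = -1;
	enum ip_len_result r;

	if (frame_size < 0 || frame_size > (int)sizeof f)
		return -IP_LEN_FRAME_TOO_SHORT;
	build_frame(f, frame_size, ip_len);
	r = validate_ipv4_len(f, frame_size, &dl);
	return r == IP_LEN_OK ? dl : -(int)r;
}

int main(void)
{
	/* 21-byte last fragment: rejected by the old 28-byte minimum, valid now. */
	printf("21-byte fragment -> %d\n", example_check(21, 21));
	/* Padded 60-byte frame whose header claims only 10 bytes. */
	printf("ip_len=10 -> %d\n", example_check(60, 10));
	printf("unchecked ICMP checksum length for ip_len=10: %u\n",
	       icmp_checksum_len_unchecked(10));
	return 0;
}
```

The last printf is the point of the second hunk: for a header claiming 10 bytes, the unchecked `len - IP_HDR_SIZE` wraps to 4294967286, which is the "~4G of address space" the commit message warns a checksum routine would then walk.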