From patchwork Wed Sep 13 23:00:54 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 813665 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3xsxyF6cDjz9sxR for ; Thu, 14 Sep 2017 09:02:29 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751419AbdIMXC0 (ORCPT ); Wed, 13 Sep 2017 19:02:26 -0400 Received: from aserp1040.oracle.com ([141.146.126.69]:41018 "EHLO aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751125AbdIMXCZ (ORCPT ); Wed, 13 Sep 2017 19:02:25 -0400 Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v8DN1EVD030739 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 13 Sep 2017 23:01:15 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v8DN1DwL025290 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 13 Sep 2017 23:01:14 GMT Received: from ubhmp0013.oracle.com (ubhmp0013.oracle.com [156.151.24.66]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v8DN18DO015231; Wed, 13 Sep 2017 23:01:08 GMT Received: from mwanda (/41.202.241.15) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 13 Sep 2017 23:01:07 +0000 Date: Thu, 14 Sep 2017 02:00:54 +0300 From: Dan Carpenter To: Vlad Yasevich Cc: Neil Horman , "David S. Miller" , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH v2 net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled() Message-ID: <20170913230054.fmtidvfi2swvy2mm@mwanda> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20170913.092522.934509429497822082.davem@davemloft.net> X-Mailer: git-send-email haha only kidding User-Agent: NeoMutt/20170609 (1.8.3) X-Source-IP: userv0021.oracle.com [156.151.31.71] Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This code causes a static checker warning because Smatch doesn't trust anything that comes from skb->data. I've reviewed this code and I do think skb->data can be controlled by the user here. The sctp_event_subscribe struct has 13 __u8 fields and we want to see if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range. We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read either before the start of the struct or after the end. This is a very old bug and it's surprising that it would go undetected for so long but my theory is that it just doesn't have a big impact so it would be hard to notice. Signed-off-by: Dan Carpenter --- v2: Use reverse-christmas-tree local variable ordering. diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h index 1060494ac230..b8c86ec1a8f5 100644 --- a/include/net/sctp/ulpevent.h +++ b/include/net/sctp/ulpevent.h @@ -153,8 +153,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event); static inline int sctp_ulpevent_type_enabled(__u16 sn_type, struct sctp_event_subscribe *mask) { + int offset = sn_type - SCTP_SN_TYPE_BASE; char *amask = (char *) mask; - return amask[sn_type - SCTP_SN_TYPE_BASE]; + + if (offset >= sizeof(struct sctp_event_subscribe)) + return 0; + return amask[offset]; } /* Given an event subscription, is this event enabled? */