{"id":813252,"url":"http://patchwork.ozlabs.org/api/1.2/patches/813252/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/20170913092028.idzvduj7ran4li6b@mwanda/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/1.2/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170913092028.idzvduj7ran4li6b@mwanda>","list_archive_url":null,"date":"2017-09-13T09:20:28","name":"[net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()","commit_ref":null,"pull_url":null,"state":"changes-requested","archived":true,"hash":"11c3ed8246b17c00b820e33b26119a3bbd33d520","submitter":{"id":9327,"url":"http://patchwork.ozlabs.org/api/1.2/people/9327/?format=json","name":"Dan Carpenter","email":"dan.carpenter@oracle.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/1.2/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/20170913092028.idzvduj7ran4li6b@mwanda/mbox/","series":[{"id":2849,"url":"http://patchwork.ozlabs.org/api/1.2/series/2849/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=2849","date":"2017-09-13T09:20:28","name":"[net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()","version":1,"mbox":"http://patchwork.ozlabs.org/series/2849/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/813252/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/813252/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none 
(mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xsblY2yldz9s7v\n\tfor <patchwork-incoming@ozlabs.org>;\n\tWed, 13 Sep 2017 19:22:01 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1752074AbdIMJV6 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 13 Sep 2017 05:21:58 -0400","from userp1040.oracle.com ([156.151.31.81]:29798 \"EHLO\n\tuserp1040.oracle.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751380AbdIMJVz (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 13 Sep 2017 05:21:55 -0400","from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234])\n\tby userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2)\n\twith ESMTP id v8D9Kp5R018521\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 09:20:52 GMT","from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])\n\tby aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v8D9KoPm029130\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 09:20:50 GMT","from ubhmp0002.oracle.com (ubhmp0002.oracle.com [156.151.24.55])\n\tby userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id v8D9KnIl022766; \n\tWed, 13 Sep 2017 09:20:49 GMT","from mwanda (/197.157.34.176)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Wed, 13 Sep 2017 09:20:47 +0000"],"Date":"Wed, 13 Sep 2017 12:20:28 +0300","From":"Dan Carpenter <dan.carpenter@oracle.com>","To":"Vlad Yasevich <vyasevich@gmail.com>","Cc":"Neil Horman <nhorman@tuxdriver.com>,\n\t\"David S. 
Miller\" <davem@davemloft.net>,\n\tlinux-sctp@vger.kernel.org, netdev@vger.kernel.org,\n\tkernel-janitors@vger.kernel.org","Subject":"[PATCH net] sctp: potential read out of bounds in\n\tsctp_ulpevent_type_enabled()","Message-ID":"<20170913092028.idzvduj7ran4li6b@mwanda>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","X-Mailer":"git-send-email haha only kidding","User-Agent":"NeoMutt/20170609 (1.8.3)","X-Source-IP":"aserv0022.oracle.com [141.146.126.234]","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"This code causes a static checker warning because Smatch doesn't trust\nanything that comes from skb->data.  I've reviewed this code and I do\nthink skb->data can be controlled by the user here.\n\nThe sctp_event_subscribe struct has 13 __u8 fields and we want to see\nif ours is non-zero.  sn_type can be any value in the 0-USHRT_MAX range.\nWe're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read\neither before the start of the struct or after the end.\n\nThis is a very old bug and it's surprising that it would go undetected\nfor so long but my theory is that it just doesn't have a big impact so\nit would be hard to notice.\n\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\n---\nI'm not terribly familiar with sctp and this is a static checker fix.\nPlease review it carefully.","diff":"diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h\nindex 1060494ac230..e6873176bea7 100644\n--- a/include/net/sctp/ulpevent.h\n+++ b/include/net/sctp/ulpevent.h\n@@ -154,7 +154,11 @@ static inline int sctp_ulpevent_type_enabled(__u16 sn_type,\n \t\t\t\t\t     struct sctp_event_subscribe *mask)\n {\n \tchar *amask = (char *) mask;\n-\treturn amask[sn_type - SCTP_SN_TYPE_BASE];\n+\tint offset = sn_type - SCTP_SN_TYPE_BASE;\n+\n+\tif (offset >= sizeof(struct sctp_event_subscribe))\n+\t\treturn 
0;\n+\treturn amask[offset];\n }\n \n /* Given an event subscription, is this event enabled? */\n","prefixes":["net"]}
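Review bot: in sctp_ulpevent_type_enabled(), the new check `offset >= sizeof(struct sctp_event_subscribe)` rejects a negative offset only by implicit conversion. `offset` is declared `int`, and comparing it against the `size_t` result of sizeof converts it to unsigned, so an sn_type below SCTP_SN_TYPE_BASE wraps to a large value and is caught, but nothing in the code shows that this is intended. The commit message names both the read before the start of the struct and the read after the end, so make the lower bound visible: either add an explicit `offset < 0 ||` test or declare the index as an unsigned type with a short comment that the wrap is relied on. That also avoids a signed/unsigned comparison warning on this line.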