{"id":813665,"url":"http://patchwork.ozlabs.org/api/patches/813665/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/20170913230054.fmtidvfi2swvy2mm@mwanda/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170913230054.fmtidvfi2swvy2mm@mwanda>","list_archive_url":null,"date":"2017-09-13T23:00:54","name":"[v2,net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"b06867a9e6eb1aa5ce12b854dee577cd47ef5a9a","submitter":{"id":9327,"url":"http://patchwork.ozlabs.org/api/people/9327/?format=json","name":"Dan Carpenter","email":"dan.carpenter@oracle.com"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/20170913230054.fmtidvfi2swvy2mm@mwanda/mbox/","series":[{"id":2995,"url":"http://patchwork.ozlabs.org/api/series/2995/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=2995","date":"2017-09-13T23:00:54","name":"[v2,net] sctp: potential read out of bounds in sctp_ulpevent_type_enabled()","version":2,"mbox":"http://patchwork.ozlabs.org/series/2995/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/813665/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/813665/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) 
smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xsxyF6cDjz9sxR\n\tfor <patchwork-incoming@ozlabs.org>;\n\tThu, 14 Sep 2017 09:02:29 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751419AbdIMXC0 (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tWed, 13 Sep 2017 19:02:26 -0400","from aserp1040.oracle.com ([141.146.126.69]:41018 \"EHLO\n\taserp1040.oracle.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751125AbdIMXCZ (ORCPT\n\t<rfc822;netdev@vger.kernel.org>); Wed, 13 Sep 2017 19:02:25 -0400","from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71])\n\tby aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with\n\tESMTP id v8DN1EVD030739\n\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 23:01:15 GMT","from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236])\n\tby userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id\n\tv8DN1DwL025290\n\t(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256\n\tverify=OK); Wed, 13 Sep 2017 23:01:14 GMT","from ubhmp0013.oracle.com (ubhmp0013.oracle.com [156.151.24.66])\n\tby aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v8DN18DO015231; \n\tWed, 13 Sep 2017 23:01:08 GMT","from mwanda (/41.202.241.15)\n\tby default (Oracle Beehive Gateway v4.0)\n\twith ESMTP ; Wed, 13 Sep 2017 23:01:07 +0000"],"Date":"Thu, 14 Sep 2017 02:00:54 +0300","From":"Dan Carpenter <dan.carpenter@oracle.com>","To":"Vlad Yasevich <vyasevich@gmail.com>","Cc":"Neil Horman <nhorman@tuxdriver.com>,\n\t\"David S. 
Miller\" <davem@davemloft.net>,\n\tlinux-sctp@vger.kernel.org, netdev@vger.kernel.org,\n\tkernel-janitors@vger.kernel.org","Subject":"[PATCH v2 net] sctp: potential read out of bounds in\n\tsctp_ulpevent_type_enabled()","Message-ID":"<20170913230054.fmtidvfi2swvy2mm@mwanda>","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":"<20170913.092522.934509429497822082.davem@davemloft.net>","X-Mailer":"git-send-email haha only kidding","User-Agent":"NeoMutt/20170609 (1.8.3)","X-Source-IP":"userv0021.oracle.com [156.151.31.71]","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"This code causes a static checker warning because Smatch doesn't trust\nanything that comes from skb->data.  I've reviewed this code and I do\nthink skb->data can be controlled by the user here.\n\nThe sctp_event_subscribe struct has 13 __u8 fields and we want to see\nif ours is non-zero.  
sn_type can be any value in the 0-USHRT_MAX range.\nWe're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read\neither before the start of the struct or after the end.\n\nThis is a very old bug and it's surprising that it would go undetected\nfor so long but my theory is that it just doesn't have a big impact so\nit would be hard to notice.\n\nSigned-off-by: Dan Carpenter <dan.carpenter@oracle.com>\n---\nv2:  Use reverse-christmas-tree local variable ordering.","diff":"diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h\nindex 1060494ac230..b8c86ec1a8f5 100644\n--- a/include/net/sctp/ulpevent.h\n+++ b/include/net/sctp/ulpevent.h\n@@ -153,8 +153,12 @@ __u16 sctp_ulpevent_get_notification_type(const struct sctp_ulpevent *event);\n static inline int sctp_ulpevent_type_enabled(__u16 sn_type,\n \t\t\t\t\t     struct sctp_event_subscribe *mask)\n {\n+\tint offset = sn_type - SCTP_SN_TYPE_BASE;\n \tchar *amask = (char *) mask;\n-\treturn amask[sn_type - SCTP_SN_TYPE_BASE];\n+\n+\tif (offset >= sizeof(struct sctp_event_subscribe))\n+\t\treturn 0;\n+\treturn amask[offset];\n }\n \n /* Given an event subscription, is this event enabled? */\n","prefixes":["v2","net"]}
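Review bot: the lower bound in sctp_ulpevent_type_enabled() is enforced only implicitly. `offset` is declared as a signed int, and the check `offset >= sizeof(struct sctp_event_subscribe)` rejects negative values solely because comparing against a size_t converts `offset` to unsigned, turning a negative offset into a very large one. The commit message names a read before the start of the struct as one of the two cases being fixed, so it is worth making that visible at the check, either with a one-line comment saying the unsigned comparison also covers sn_type values below SCTP_SN_TYPE_BASE, or by declaring `offset` as an unsigned type. Otherwise a later cleanup that casts the sizeof to int to quiet a sign-compare warning would silently reopen the negative-index read.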