git.baikalelectronics.ru Git - kernel.git/commit

author	Michal Kubecek <mkubecek@suse.cz>
	Mon, 24 Feb 2020 19:42:12 +0000 (20:42 +0100)
committer	David S. Miller <davem@davemloft.net>
	Wed, 26 Feb 2020 19:27:31 +0000 (11:27 -0800)
commit	632020f1894f12a3cf86f83160362b30492dcfe2
tree	667163607addcc7d8c0ab4af5ab726fdfa71bcf0	tree \| snapshot
parent	715f6c32eff8d43a53d0a8f3a6e6dedc3a53204a	commit \| diff

ethtool: limit bitset size

Syzbot reported that ethnl_compact_sanity_checks() can be tricked into
reading past the end of ETHTOOL_A_BITSET_VALUE and ETHTOOL_A_BITSET_MASK
attributes and even the message by passing a value between (u32)(-31)
and (u32)(-1) as ETHTOOL_A_BITSET_SIZE.

The problem is that DIV_ROUND_UP(attr_nbits, 32) is 0 for such values so
that zero length ETHTOOL_A_BITSET_VALUE will pass the length check but
ethnl_bitmap32_not_zero() check would try to access up to 512 MB of
attribute "payload".

Prevent this overflow byt limiting the bitset size. Technically, compact
bitset format would allow bitset sizes up to almost 2^18 (so that the
nest size does not exceed U16_MAX) but bitsets used by ethtool are much
shorter. S16_MAX, the largest value which can be directly used as an
upper limit in policy, should be a reasonable compromise.

Fixes: f0a430114682 ("ethtool: netlink bitset handling")
Reported-by: syzbot+7fd4ed5b4234ab1fdccd@syzkaller.appspotmail.com
Reported-by: syzbot+709b7a64d57978247e44@syzkaller.appspotmail.com
Reported-by: syzbot+983cb8fb2d17a7af549d@syzkaller.appspotmail.com
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ethtool/bitset.c		diff \| blob \| history
net/ethtool/bitset.h		diff \| blob \| history