1. Patchew
  2. linux
  3. View series

[PATCH net] pktgen: Avoid out-of-range in get_imix_entries

Artem Chernyshev posted 1 patch 1 month, 3 weeks ago 
net/core/pktgen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH net] pktgen: Avoid out-of-range in get_imix_entries
Posted by Artem Chernyshev 1 month, 3 weeks ago 
In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
leads to oob for pkt_dev->imix_entries array.
```
UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
CPU: 2 PID: 1210 Comm: bash Not tainted 6.10.0-rc1 #121
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl lib/dump_stack.c:117
__ubsan_handle_out_of_bounds lib/ubsan.c:429
get_imix_entries net/core/pktgen.c:874
pktgen_if_write net/core/pktgen.c:1063
pde_write fs/proc/inode.c:334
proc_reg_write fs/proc/inode.c:346
vfs_write fs/read_write.c:593
ksys_write fs/read_write.c:644
do_syscall_64 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe arch/x86/entry/entry_64.S:130
RIP: 0033:0x7f148408b240
```

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: 52a62f8603f9 ("pktgen: Parse internet mix (imix) input")
Signed-off-by: Artem Chernyshev <artem.chernyshev@red-soft.ru>
---
 net/core/pktgen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/pktgen.c b/net/core/pktgen.c
index 34f68ef74b8f..97cf5c797a22 100644
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -881,7 +881,7 @@ static ssize_t get_imix_entries(const char __user *buffer,
 		i++;
 		pkt_dev->n_imix_entries++;
 
-		if (pkt_dev->n_imix_entries > MAX_IMIX_ENTRIES)
+		if (pkt_dev->n_imix_entries >= MAX_IMIX_ENTRIES)
 			return -E2BIG;
 	} while (c == ' ');
 
-- 
2.44.0
Re: [PATCH net] pktgen: Avoid out-of-range in get_imix_entries
Posted by Jakub Kicinski 1 month, 2 weeks ago 
On Mon,  7 Oct 2024 01:12:20 +0300 Artem Chernyshev wrote:
> In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
> leads to oob for pkt_dev->imix_entries array.

I don't think so, at least not exactly. It's legal to fill the array
completely. It's not legal to try to _add_ to an already full array.

AFAICT the fix needs more work.
-- 
pw-bot: cr
Re: [PATCH net] pktgen: Avoid out-of-range in get_imix_entries
Posted by Artem Chernyshev 1 month, 2 weeks ago 
Thank you for the review. I will return with V2

Best regards,
Artem

On Tue, Oct 08, 2024 at 06:23:19PM -0700, Jakub Kicinski wrote:
> On Mon,  7 Oct 2024 01:12:20 +0300 Artem Chernyshev wrote:
> > In get_imit_enries() pkt_dev->n_imix_entries = MAX_IMIX_ENTRIES 
> > leads to oob for pkt_dev->imix_entries array.
> 
> I don't think so, at least not exactly. It's legal to fill the array
> completely. It's not legal to try to _add_ to an already full array.
> 
> AFAICT the fix needs more work.
> -- 
> pw-bot: cr

Patchew 2.1-devel-b67e4c2

© 2016 - 2024 Red Hat, Inc.