Re: [PATCH net v1] net: wwan: fix global oob in wwan_rtnl_policy

From: Simon Horman
Date: Wed Oct 16 2024 - 03:15:32 EST


On Tue, Oct 15, 2024 at 09:16:21PM +0800, Lin Ma wrote:
> The variable wwan_rtnl_link_ops assigns a *bigger* maxtype which leads to
> a global out-of-bounds read when parsing the netlink attributes. Exactly
> the same bug cause as the oob fixed in commit b33fb5b801c6 ("net: qualcomm:
> rmnet: fix global oob in rmnet_policy").
>
> ==================================================================
> BUG: KASAN: global-out-of-bounds in validate_nla lib/nlattr.c:388 [inline]
> BUG: KASAN: global-out-of-bounds in __nla_validate_parse+0x19d7/0x29a0 lib/nlattr.c:603
> Read of size 1 at addr ffffffff8b09cb60 by task syz.1.66276/323862

...

> According to the comment of `nla_parse_nested_deprecated`, use correct size
> `IFLA_WWAN_MAX` here to fix this issue.
>
> Fixes: 88b710532e53 ("wwan: add interface creation support")
> Signed-off-by: Lin Ma <linma@xxxxxxxxxx>

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
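
The mismatch described in the quoted commit message, as an added userspace model (not code from the patch, the kernel, or anyone on this thread): a validator that indexes a policy table by attribute type is only safe when the advertised maxtype equals the table's last index. The `DEMO_*` enum, `demo_policy`, `CHECK_MAXTYPE` and `count_oob_lookups` are hypothetical names, and the attribute list is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical attribute space, shaped like a netlink IFLA_* enum. */
enum { DEMO_UNSPEC, DEMO_LINK_ID, __DEMO_MAX };
#define DEMO_MAX (__DEMO_MAX - 1)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct demo_policy { uint8_t type; };   /* simplified stand-in for struct nla_policy */
static const struct demo_policy demo_policy[DEMO_MAX + 1] = {
    [DEMO_LINK_ID] = { .type = 4 },
};

/* Build-time guard: the advertised maxtype must match the table size. */
#define CHECK_MAXTYPE(pol, max) \
    _Static_assert(ARRAY_SIZE(pol) == (size_t)(max) + 1, "maxtype/policy mismatch")
CHECK_MAXTYPE(demo_policy, DEMO_MAX);   /* passing __DEMO_MAX here fails the build */

/*
 * Model of a policy-driven validator: attributes with 0 < type <= maxtype
 * are looked up as policy[type]. Returns how many lookups would land past
 * the end of the table (the model counts them instead of doing the read).
 */
static int count_oob_lookups(const uint16_t *types, size_t n,
                             int maxtype, size_t policy_len)
{
    int oob = 0;
    for (size_t i = 0; i < n; i++) {
        if (types[i] == 0 || types[i] > maxtype)
            continue;                   /* rejected or skipped before any lookup */
        if ((size_t)types[i] >= policy_len)
            oob++;                      /* policy[types[i]] would be out of bounds */
    }
    return oob;
}

int main(void)
{
    const uint16_t types[] = { DEMO_LINK_ID, __DEMO_MAX };  /* constructed input */
    printf("maxtype=__DEMO_MAX: %d oob lookup(s)\n",
           count_oob_lookups(types, 2, __DEMO_MAX, ARRAY_SIZE(demo_policy)));
    printf("maxtype=DEMO_MAX:   %d oob lookup(s)\n",
           count_oob_lookups(types, 2, DEMO_MAX, ARRAY_SIZE(demo_policy)));
    return 0;
}
```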