Re: [PATCH v3] net: ipmr: Fix out-of-bounds access in mr_mfc_uses_dev()

From: Jakub Kicinski
Date: Wed Jan 29 2025 - 19:56:46 EST


On Wed, 29 Jan 2025 12:50:17 +0400 Abdullah wrote:
> The issue was reported by Syzbot as an out-of-bounds read:
> UBSAN: array-index-out-of-bounds in net/ipv4/ipmr_base.c:289:10
> Index -772737152 is out of range for type 'const struct vif_device[32]'
>
> The problem occurs when the minvif/maxvif values in the mr_mfc struct
> become invalid (possibly due to memory corruption or uninitialized values).
> This patch fixes the issue by ensuring proper boundary checks and rcu_read
> locking before accessing vif_table[] in mr_mfc_uses_dev().
>
> Fixes: <COMMIT_HASH>
> Reported-by: syzbot+5cfae50c0e5f2c500013@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Abdullah <asharji1828@xxxxxxxxx>

Could you explain what you're trying to do here?

Are you just tossing patches to test at syzbot? If yes, please remove
the unnecessary CCs, reply directly to the syzbot address, there is no
need to spam the mailing lists.

Or do you mean this as a real submission? In which case why is there
<COMMIT_HASH> instead of the correct commit? The entire submission
feels a little.. LLM-aided.
--
pw-bot: cr