diff options
| author |   Michal Kubecek <mkubecek@suse.cz> | 2020-02-24 20:42:12 +0100 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2020-02-26 11:27:31 -0800 |
| commit | e34f1753eebc428c312527662eb1b529cf260240 (patch) | |
| tree | 667163607addcc7d8c0ab4af5ab726fdfa71bcf0 /drivers/net/ethernet | |
| parent | net: Fix Tx hash bound checking (diff) | |
| download | linux-dev-e34f1753eebc428c312527662eb1b529cf260240.tar.xz linux-dev-e34f1753eebc428c312527662eb1b529cf260240.zip | |
ethtool: limit bitset size
Syzbot reported that ethnl_compact_sanity_checks() can be tricked into
reading past the end of ETHTOOL_A_BITSET_VALUE and ETHTOOL_A_BITSET_MASK
attributes and even the message by passing a value between (u32)(-31)
and (u32)(-1) as ETHTOOL_A_BITSET_SIZE.
The problem is that DIV_ROUND_UP(attr_nbits, 32) is 0 for such values so
that zero length ETHTOOL_A_BITSET_VALUE will pass the length check but
ethnl_bitmap32_not_zero() check would try to access up to 512 MB of
attribute "payload".
Prevent this overflow byt limiting the bitset size. Technically, compact
bitset format would allow bitset sizes up to almost 2^18 (so that the
nest size does not exceed U16_MAX) but bitsets used by ethtool are much
shorter. S16_MAX, the largest value which can be directly used as an
upper limit in policy, should be a reasonable compromise.
Fixes: 10b518d4e6dd ("ethtool: netlink bitset handling")
Reported-by: syzbot+7fd4ed5b4234ab1fdccd@syzkaller.appspotmail.com
Reported-by: syzbot+709b7a64d57978247e44@syzkaller.appspotmail.com
Reported-by: syzbot+983cb8fb2d17a7af549d@syzkaller.appspotmail.com
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet')
0 files changed, 0 insertions, 0 deletions