From e941df3257b321c8328fc1d45ef0b38df9fc4651 Mon Sep 17 00:00:00 2001
From: Chun-Yi Lee
Date: Feb 15 2024 09:01:29 +0000
Subject: net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv (bsc#1219127 CVE-2024-23849).
---
diff --git a/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch b/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
new file mode 100644
index 0000000..6511437
--- /dev/null
+++ b/patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
@@ -0,0 +1,64 @@
+From: Sharath Srinivasan
+Date: Fri, 19 Jan 2024 17:48:39 -0800
+Subject: net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv
+Patch-mainline: v6.8-rc2
+Git-commit: 13e788deb7348cc88df34bed736c3b3b9927ea52
+References: bsc#1219127 CVE-2024-23849
+
+Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
+which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
+but with array size of 4 (RDS_RX_MAX_TRACES).
+Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
+trace.rx_trace_pos[i] in rds_recv_track_latency(),
+with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
+off-by-one bounds check in rds_recv_track_latency() to prevent
+a potential crash in rds_cmsg_recv().
+
+Found by syzcaller:
+=================================================================
+UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
+index 4 is out of range for type 'u64 [4]'
+CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
+BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ __dump_stack lib/dump_stack.c:88 [inline]
+ dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
+ ubsan_epilogue lib/ubsan.c:217 [inline]
+ __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
+ rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
+ rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
+ sock_recvmsg_nosec net/socket.c:1044 [inline]
+ sock_recvmsg+0xe2/0x160 net/socket.c:1066
+ __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
+ __do_sys_recvfrom net/socket.c:2264 [inline]
+ __se_sys_recvfrom net/socket.c:2260 [inline]
+ __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
+ do_syscall_x64 arch/x86/entry/common.c:51 [inline]
+ do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
+ entry_SYSCALL_64_after_hwframe+0x63/0x6b
+==================================================================
+
+Fixes: 3289025aedc0 ("RDS: add receive message trace used by application")
+Reported-by: Chenyuan Yang
+Closes: 
https://lore.kernel.org/linux-rdma/CALGdzuoVdq-wtQ4Az9iottBqC5cv9ZhcE5q8N7LfYFvkRsOVcw@mail.gmail.com/
+Signed-off-by: Sharath Srinivasan
+Reviewed-by: Simon Horman
+Signed-off-by: David S. Miller
+Acked-by: Chun-Yi Lee
+---
+ net/rds/af_rds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rds/af_rds.c
++++ b/net/rds/af_rds.c
+@@ -315,7 +315,7 @@ static int rds_recv_track_latency(struct
+
+ rs->rs_rx_traces = trace.rx_traces;
+ for (i = 0; i < rs->rs_rx_traces; i++) {
+- if (trace.rx_trace_pos[i] > RDS_MSG_RX_DGRAM_TRACE_MAX) {
++ if (trace.rx_trace_pos[i] >= RDS_MSG_RX_DGRAM_TRACE_MAX) {
+ rs->rs_rx_traces = 0;
+ return -EFAULT;
+ }
diff --git a/series.conf b/series.conf
index 0f8f59d..cfc5197 100644
--- a/series.conf
+++ b/series.conf
@@ -26980,6 +26980,7 @@
 patches.suse/smb-client-fix-potential-OOB-in-smb2_dump_detail-.patch
 patches.suse/Bluetooth-af_bluetooth-Fix-Use-After-Free-in-bt_sock.patch
 patches.suse/xen-netback-don-t-produce-zero-size-SKB-frags.patch
+ patches.suse/net-rds-Fix-UBSAN-array-index-out-of-bounds-in-rds_c.patch
 patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
 patches.suse/dm-limit-the-number-of-targets-and-parameter-size-ar.patch
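Review bot: The new `>=` check in the rds_recv_track_latency hunk of the added patch file carries no comment on why RDS_MSG_RX_DGRAM_TRACE_MAX is the right bound, even though the reason given in the patch description (rx_trace_pos[i] later becomes index j and j + 1 into i_rx_lat_trace, which is sized RDS_RX_MAX_TRACES) is exactly what made the earlier `>` an off-by-one. A one-line comment above the check would keep the next reader from relaxing it again, e.g. `/* value is used as j and j + 1 into i_rx_lat_trace[RDS_RX_MAX_TRACES]; it must stay below RDS_MSG_RX_DGRAM_TRACE_MAX */`. If the two constants are not defined in terms of each other, a `BUILD_BUG_ON(RDS_MSG_RX_DGRAM_TRACE_MAX + 1 > RDS_RX_MAX_TRACES);` in the same function would pin that assumption at compile time; the defines are not visible from this hunk, so this is a suggestion to verify. The body of rds_recv_track_latency, including any validation of trace.rx_traces before the loop, starts outside the hunk.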