From patchwork Sat Aug 4 23:55:44 2018
X-Patchwork-Submitter: Dmitry Safonov
X-Patchwork-Id: 953499
X-Patchwork-Delegate: davem@davemloft.net
From: Dmitry Safonov
To: linux-kernel@vger.kernel.org
Cc: Dmitry Safonov, Nathan Chancellor, "David S. Miller", Herbert Xu, Steffen Klassert, netdev@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] netlink: Don't shift on 64 for ngroups
Date: Sun, 5 Aug 2018 00:55:44 +0100
Message-Id: <20180804235544.10347-1-dima@arista.com>
X-Mailer: git-send-email 2.13.6
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

It's legal to have 64 groups for netlink_sock.

As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe only to first 32 groups.

The check for correctness of .bind() userspace supplied parameter is done by applying mask made from ngroups shift. Which broke Android as they have 64 groups and the shift for mask resulted in an overflow.

Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
Cc: "David S. Miller"
Cc: Herbert Xu
Cc: Steffen Klassert
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Reported-and-Tested-by: Nathan Chancellor
Signed-off-by: Dmitry Safonov

--- net/netlink/af_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c index 7d860a22e5fb..e44edadfad20 100644 --- a/net/netlink/af_netlink.c +++ b/net/netlink/af_netlink.c @@ -1011,8 +1011,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr, if (nlk->ngroups == 0) groups = 0; - else - groups &= (1ULL << nlk->ngroups) - 1; + else if (nlk->ngroups < sizeof(long unsigned int)) + groups &= (1UL << nlk->ngroups) - 1; bound = nlk->bound; if (bound) {
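Review bot: the new guard in the else-if branch, "nlk->ngroups < sizeof(long unsigned int)", compares a bit count against a byte count. sizeof(unsigned long) is 8 on 64-bit and 4 on 32-bit, so the mask "groups &= (1UL << nlk->ngroups) - 1" is applied only for ngroups below 8 (or 4). For any larger ngroups that is still smaller than the word width, the userspace-supplied groups value from .bind() passes through unmasked, and bits for groups beyond ngroups are no longer stripped. The bound should be expressed in bits, for example BITS_PER_LONG or 8 * sizeof(unsigned long), which still skips the shift when ngroups equals the word width (the 64-group case described in the commit message). As a style point, the kernel spelling is "unsigned long" rather than "long unsigned int".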