From: Jon Maloy jmaloy@redhat.com
mainline inclusion from mainline-v5.17-rc4 commit 9aa422ad326634b76309e8ff342c246800621216 category: bugfix bugzilla: 186252 https://gitee.com/openeuler/kernel/issues/I4U36S CVE: CVE-2022-0435
Reference: https://github.com/torvalds/linux/commit/9aa422ad326634b76309e8ff342c2468006...
--------------------------------
The function tipc_mon_rcv() allows a node to receive and process domain_record structs from peer nodes to track their views of the network topology.
This patch verifies that the number of members in a received domain record does not exceed the limit defined by MAX_MON_DOMAIN, something that may otherwise lead to a stack overflow.
tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where we are reading a 32 bit message data length field into a uint16. To avert any risk of bit overflow, we add an extra sanity check for this in that function. We cannot see that happen with the current code, but future designers being unaware of this risk, may introduce it by allowing delivery of very large (> 64k) sk buffers from the bearer layer. This potential problem was identified by Eric Dumazet.
This fixes CVE-2022-0435
Reported-by: Samuel Page samuel.page@appgate.com Reported-by: Eric Dumazet edumazet@google.com Fixes: 35c55c9877f8 ("tipc: add neighbor monitoring framework") Signed-off-by: Jon Maloy jmaloy@redhat.com Reviewed-by: Xin Long lucien.xin@gmail.com Reviewed-by: Samuel Page samuel.page@appgate.com Reviewed-by: Eric Dumazet edumazet@google.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Zhengchao Shao shaozhengchao@huawei.com Reviewed-by: Yongjun Wei weiyongjun1@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- net/tipc/link.c | 9 +++++++-- net/tipc/monitor.c | 2 ++ 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/tipc/link.c b/net/tipc/link.c index 29591955d08a..fb835a3822f4 100644 --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -2159,7 +2159,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, struct tipc_msg *hdr = buf_msg(skb); struct tipc_gap_ack_blks *ga = NULL; bool reply = msg_probe(hdr), retransmitted = false; - u16 dlen = msg_data_sz(hdr), glen = 0; + u32 dlen = msg_data_sz(hdr), glen = 0; u16 peers_snd_nxt = msg_next_sent(hdr); u16 peers_tol = msg_link_tolerance(hdr); u16 peers_prio = msg_linkprio(hdr); @@ -2173,6 +2173,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, void *data;
trace_tipc_proto_rcv(skb, false, l->name); + + if (dlen > U16_MAX) + goto exit; + if (tipc_link_is_blocked(l) || !xmitq) goto exit;
@@ -2268,7 +2272,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
/* Receive Gap ACK blocks from peer if any */ glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); - + if(glen > dlen) + break; tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr, &l->mon_state, l->bearer_id);
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c index 6dce2abf436e..a37190da5a50 100644 --- a/net/tipc/monitor.c +++ b/net/tipc/monitor.c @@ -465,6 +465,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr, state->probing = false;
/* Sanity check received domain record */ + if (new_member_cnt > MAX_MON_DOMAIN) + return; if (dlen < dom_rec_len(arrv_dom, 0)) return; if (dlen != dom_rec_len(arrv_dom, new_member_cnt))