Message ID | 20170130151815.9638-2-aryabinin@virtuozzo.com |
---|---|
State | Accepted |
Series | "net: fix stack out-of-bounds access in dump_one_netdev()" |
Commit | 607784cff46910e6ef9b88f3966e1b60c15a58ce |
Headers | From: Andrey Ryabinin <aryabinin@virtuozzo.com>; To: criu@openvz.org; Date: Mon, 30 Jan 2017 18:18:14 +0300; Subject: [CRIU] [PATCH] net: fix stack out-of-bounds access in dump_one_netdev(); Message-ID: <20170130151815.9638-2-aryabinin@virtuozzo.com> |
diff --git a/criu/net.c b/criu/net.c index 69658ff..f3919a7 100644 --- a/criu/net.c +++ b/criu/net.c @@ -373,7 +373,7 @@ static int dump_one_netdev(int type, struct ifinfomsg *ifi, SysctlEntry *confs6 = NULL; int size6 = ARRAY_SIZE(devconfs6); char stable_secret[MAX_STR_CONF_LEN + 1] = {}; - struct nlattr *info[IFLA_INFO_MAX], **arg = NULL; + struct nlattr *info[IFLA_INFO_MAX + 1], **arg = NULL; if (!tb[IFLA_IFNAME]) { pr_err("No name for link %d\n", ifi->ifi_index);
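Review bot: sizing 'info' as IFLA_INFO_MAX + 1 matches the maxtype+1 convention nla_parse_nested() expects, but the parse call later in dump_one_netdev() still has to pass a maxtype that agrees with this declaration by hand; passing ARRAY_SIZE(info) - 1 there (the function already uses ARRAY_SIZE for size6 in the context lines above) would tie the parse bound to the declaration so the two cannot drift apart again. A one-line comment on the declaration noting that netlink attribute tables are indexed 0..MAX inclusive would also help, since this off-by-one pattern is easy to repeat in other dump functions.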
On Mon, Jan 30, 2017 at 06:18:14PM +0300, Andrey Ryabinin wrote:
> 'info' array is off-by-one, nla_parse_nested() requires destination
> array (i.e. 'info') to have maxtype+1 (i.e. IFLA_INFO_MAX+1) elements:
>

Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Applied
'info' array is off-by-one, nla_parse_nested() requires destination
array (i.e. 'info') to have maxtype+1 (i.e. IFLA_INFO_MAX+1) elements:

    ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef823e3f8
    WRITE of size 48 at 0x7ffef823e3f8 thread T0
        #0 0x7f9ab7a3915b in __asan_memset (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x8d15b)
        #1 0x7f9ab6d4e553 in nla_parse (/usr/lib64/libnl-3.so.200+0xa553)
        #2 0x4acfb7 in dump_one_netdev criu/net.c:445
        #3 0x4adb60 in dump_one_ethernet criu/net.c:594
        #4 0x4adb60 in dump_one_link criu/net.c:665
        #5 0x48af69 in nlmsg_receive criu/libnetlink.c:45
        #6 0x48af69 in do_rtnl_req criu/libnetlink.c:119
        #7 0x4b0e86 in dump_links criu/net.c:878
        #8 0x4b0e86 in dump_net_ns criu/net.c:1651
        #9 0x4a760d in do_dump_namespaces criu/namespaces.c:985
        #10 0x4a760d in dump_namespaces criu/namespaces.c:1045
        #11 0x451ef7 in cr_dump_tasks criu/cr-dump.c:1799
        #12 0x424588 in main criu/crtools.c:736
        #13 0x7f9ab67b171f in __libc_start_main (/lib64/libc.so.6+0x2071f)
        #14 0x4253d8 in _start (/criu/criu/criu+0x4253d8)

    Address 0x7ffef823e3f8 is located in stack of thread T0 at offset 264 in frame
        #0 0x4ac9ef in dump_one_netdev criu/net.c:364

      This frame has 5 object(s):
        [32, 168) 'netdev'
        [224, 264) 'info' <== Memory access at offset 264 overflows this variable
        [320, 1040) 'req'
        [1088, 3368) 'path'
        [3424, 3625) 'stable_secret'

Increase 'info' size to fix this.

Fixes: b705dcc34ddb ("net: pass the struct nlattrs to dump() functions")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
---
 criu/net.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
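The convention the commit message relies on (a netlink attribute table is indexed 0..maxtype inclusive, so it needs maxtype + 1 slots and the parser's memset covers all of them) is easier to see in a small stand-alone parser. The following is an added example, not CRIU's or libnl's code; the INFO_* enum, mini_nla_parse() and the sample byte stream are constructed here in place of IFLA_INFO_* and nla_parse_nested(), and a little-endian host is assumed for the hand-encoded lengths.

```c
/* Added example, not CRIU's or libnl's code: a minimal re-implementation of the
 * nla_parse() convention. Types run 0..maxtype inclusive, so the table needs maxtype + 1 slots. */
#include <stdint.h>
#include <string.h>
#define NLA_ALIGN(len) (((len) + 3) & ~3u)
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Same layout as <linux/netlink.h>: length (header + payload, before padding), then type. */
struct nlattr { uint16_t nla_len; uint16_t nla_type; };
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))
/* Hypothetical attribute set standing in for IFLA_INFO_*: valid types are 0..INFO_MAX. */
enum { INFO_UNSPEC, INFO_KIND, INFO_DATA, INFO_XSTATS, INFO_MAX = INFO_XSTATS };

/* Stores a pointer for every attribute whose type is <= maxtype. The memset covers
 * maxtype + 1 slots; with a table declared as [maxtype] that write is the overflow
 * ASan reported. Unknown types are skipped; bad lengths return -1. */
static int mini_nla_parse(const struct nlattr **tb, int maxtype,
			  const unsigned char *buf, size_t len)
{
	memset(tb, 0, (size_t)(maxtype + 1) * sizeof(*tb));
	while (len >= (size_t)NLA_HDRLEN) {
		const struct nlattr *nla = (const struct nlattr *)buf;
		size_t alen = NLA_ALIGN(nla->nla_len);
		if (nla->nla_len < NLA_HDRLEN || nla->nla_len > len)
			return -1;
		if (nla->nla_type <= maxtype)
			tb[nla->nla_type] = nla;
		if (alen > len)        /* final attribute may be unpadded */
			alen = len;
		buf += alen;
		len -= alen;
	}
	return 0;
}

/* Constructed sample stream (little-endian host assumed): INFO_KIND = "veth", then
 * INFO_XSTATS with a 4-byte payload, then an unknown type 7 that must be skipped. */
static const unsigned char sample_attrs[] = {
	9, 0, INFO_KIND, 0, 'v', 'e', 't', 'h', 0, 0, 0, 0,
	8, 0, INFO_XSTATS, 0, 4, 3, 2, 1,
	8, 0, 7, 0, 0xde, 0xad, 0xbe, 0xef,
};

/* Parses the first len bytes of the sample; returns the INFO_KIND string, or NULL when
 * the stream is malformed (e.g. truncated). maxtype comes from the table's own size. */
static const char *sample_kind(size_t len)
{
	const struct nlattr *info[INFO_MAX + 1];
	if (mini_nla_parse(info, (int)ARRAY_SIZE(info) - 1, sample_attrs, len) < 0)
		return NULL;
	return info[INFO_KIND] ? (const char *)info[INFO_KIND] + NLA_HDRLEN : NULL;
}
```

Deriving maxtype from ARRAY_SIZE(info) - 1, as sample_kind() does, is the pattern that keeps the declaration and the parse bound from drifting apart the way they did in the original off-by-one.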