From d05e7e9349bd1a0b575f7c92588804510da612c7 Mon Sep 17 00:00:00 2001 From: Jozsef Kadlecsik Date: Tue, 25 Aug 2015 11:11:57 +0200 Subject: Out of bound access in hash:net* types fixed Dave Jones reported that KASan detected out of bounds access in hash:net* types: [ 23.139532] ================================================================== [ 23.146130] BUG: KASan: out of bounds access in hash_net4_add_cidr+0x1db/0x220 at addr ffff8800d4844b58 [ 23.152937] Write of size 4 by task ipset/457 [ 23.159742] ============================================================================= [ 23.166672] BUG kmalloc-512 (Not tainted): kasan: bad access detected [ 23.173641] ----------------------------------------------------------------------------- [ 23.194668] INFO: Allocated in hash_net_create+0x16a/0x470 age=7 cpu=1 pid=456 [ 23.201836] __slab_alloc.constprop.66+0x554/0x620 [ 23.208994] __kmalloc+0x2f2/0x360 [ 23.216105] hash_net_create+0x16a/0x470 [ 23.223238] ip_set_create+0x3e6/0x740 [ 23.230343] nfnetlink_rcv_msg+0x599/0x640 [ 23.237454] netlink_rcv_skb+0x14f/0x190 [ 23.244533] nfnetlink_rcv+0x3f6/0x790 [ 23.251579] netlink_unicast+0x272/0x390 [ 23.258573] netlink_sendmsg+0x5a1/0xa50 [ 23.265485] SYSC_sendto+0x1da/0x2c0 [ 23.272364] SyS_sendto+0xe/0x10 [ 23.279168] entry_SYSCALL_64_fastpath+0x12/0x6f The bug is fixed in the patch and the testsuite is extended in ipset to check cidr handling more thoroughly. --- tests/hash:net,iface.t | 2 ++ 1 file changed, 2 insertions(+) (limited to 'tests/hash:net,iface.t') diff --git a/tests/hash:net,iface.t b/tests/hash:net,iface.t index c19de2b..a847357 100644 --- a/tests/hash:net,iface.t +++ b/tests/hash:net,iface.t @@ -134,6 +134,8 @@ 0 n=`ipset list test | grep -v Revision: | wc -l` && test $n -eq 71 # Delete test set 0 ipset destroy test +# Check all possible CIDR values +0 ./cidr.sh net,iface # Create test set with timeout support 0 ipset create test hash:net,iface timeout 30 # Add a non-matching IP address entry -- cgit v1.2.3