From 1958e34c4c1b8b4fb62eba693fbd7693536947b9 Mon Sep 17 00:00:00 2001 From: flebourse Date: Thu, 23 Dec 2021 16:11:06 +0100 Subject: [PATCH] qca-nss-ecm: fix a memcpy overflow in ecm_db Calls to ipv6_addr_prefix() trigger a memcpy overflow if the prefix len argument is greater than 128, cap it at this value. stack bactrace: detected buffer overflow in memcpy Kernel BUG at fortify_panic+0x20/0x24 Internal error: Oops - BUG: 0 [#1] SMP CPU: 2 PID: 2592 Comm: netifd Not tainted 5.10.80 #0 Hardware name: Xiaomi AX9000 (DT) Call trace: fortify_panic+0x20/0x24 ecm_db_exit+0x42c/0x49c [ecm] ecm_db_exit+0x464/0x49c [ecm] atomic_notifier_call_chain+0x5c/0x90 ip6_route_add+0x13c/0x1a4 inet6_rtm_newroute+0x98/0xa0 rtnetlink_rcv_msg+0x10c/0x34c netlink_rcv_skb+0x5c/0x130 rtnetlink_rcv+0x1c/0x2c netlink_unicast+0x1ec/0x2e0 netlink_sendmsg+0x1a4/0x394 ____sys_sendmsg+0x270/0x2b4 ___sys_sendmsg+0x7c/0xc0 __sys_sendmsg+0x5c/0xb0 __arm64_sys_sendmsg+0x28/0x34 el0_svc_common.constprop.0+0x88/0x190 do_el0_svc+0x74/0x94 el0_svc+0x14/0x20 el0_sync_handler+0xa8/0x130 el0_sync+0x184/0x1c0 Code: aa0003e1 912b4040 910003fd 97fff56c (d4210000) Signed-off-By: Francis Le Bourse --- ecm_db/ecm_db.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/ecm_db/ecm_db.c +++ b/ecm_db/ecm_db.c @@ -298,7 +298,7 @@ static int ecm_db_ipv6_route_table_updat * Compute ECM connection's prefix destination address by masking it with the * route config's destination address prefix length. */ - ipv6_addr_prefix(&prefix_addr, &ecm_in6, cfg->fc_dst_len); + ipv6_addr_prefix(&prefix_addr, &ecm_in6, min(128, cfg->fc_dst_len)); DEBUG_TRACE("dest addr prefix: %pI6 prefix_len: %d ecm_in6: %pI6\n", &prefix_addr, cfg->fc_dst_len, &ecm_in6); @@ -326,7 +326,7 @@ static int ecm_db_ipv6_route_table_updat * Compute ECM connection's prefix source address by masking it with the * route config's destination address prefix length. */ - ipv6_addr_prefix(&prefix_addr, &ecm_in6, cfg->fc_dst_len); + ipv6_addr_prefix(&prefix_addr, &ecm_in6, min(128, cfg->fc_dst_len)); DEBUG_TRACE("src addr prefix: %pI6 prefix_len: %d ecm_in6: %pI6\n", &prefix_addr, cfg->fc_dst_len, &ecm_in6);