netlink: Don't shift on 64 for ngroups

BugLink: https://bugs.launchpad.net/bugs/1831103
It's legal to have 64 groups for netlink_sock.

As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
only to first 32 groups.

The check for correctness of .bind() userspace supplied parameter
is done by applying mask made from ngroups shift. Which broke Android
as they have 64 groups and the shift for mask resulted in an overflow.

Fixes: 61f4b23769f0 ("netlink: Don't shift with UB on nlk->ngroups")
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: netdev@vger.kernel.org
Cc: stable@vger.kernel.org
Reported-and-Tested-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 91874ecf32e41b5d86a4cb9d60e0bee50d828058)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 07e61faaea479f0100d8e0f247c32f72d6cbdf0a..6db2daedf01c059efdc241af254afb3b77ae4bd4 100644 (file)
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -980,8 +980,8 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
 
        if (nlk->ngroups == 0)
                groups = 0;
-       else
-               groups &= (1ULL << nlk->ngroups) - 1;
+       else if (nlk->ngroups < 8*sizeof(groups))
+               groups &= (1UL << nlk->ngroups) - 1;
 
        bound = nlk->bound;
        if (bound) {