netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2161695
Upstream Status: commit 9ea4b47

commit 9ea4b47
Author: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Date:   Wed Jan 11 11:57:39 2023 +0000

    netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.

    When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
    an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
    to overflow due to a failure casting operands to a larger data type
    before performing the arithmetic.

    Note that it's harmless since the value will be checked at the next step.

    Found by InfoTeCS on behalf of Linux Verification Center
    (linuxtesting.org) with SVACE.

    Fixes: b9fed74 ("netfilter: ipset: Check and reject crazy /0 input parameters")
    Signed-off-by: Ilia.Gavrilov <Ilia.Gavrilov@infotecs.ru>
    Reviewed-by: Simon Horman <simon.horman@corigine.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/ipset/ip_set_bitmap_ip.c

@@ -308,8 +308,8 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
 			return -IPSET_ERR_BITMAP_RANGE;
 
 		pr_debug("mask_bits %u, netmask %u\n", mask_bits, netmask);
-		hosts = 2 << (32 - netmask - 1);
-		elements = 2 << (netmask - mask_bits - 1);
+		hosts = 2U << (32 - netmask - 1);
+		elements = 2UL << (netmask - mask_bits - 1);
 	}
 	if (elements > IPSET_BITMAP_MAX_RANGE + 1)
 		return -IPSET_ERR_BITMAP_RANGE_SIZE;