| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Feb 2018 18:42:30 +0800
From: Xin Long <lucien.xin@...il.com>
To: David Laight <David.Laight@...lab.com>
Cc: Sasha Levin <Alexander.Levin@...rosoft.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"David S . Miller" <davem@...emloft.net>
Subject: Re: [PATCH AUTOSEL for 4.14 019/110] sctp: fix the issue that a __u16
variable may overflow in sctp_ulpq_renege
On Mon, Feb 5, 2018 at 7:35 PM, David Laight <David.Laight@...lab.com> wrote:
> From: Sasha Levin
>> Sent: 03 February 2018 18:01
>> [ Upstream commit 5c468674d17056148da06218d4da5d04baf22eac ]
>>
>> Now when reneging events in sctp_ulpq_renege(), the variable freed
>> could be increased by a __u16 value twice while freed is of __u16
>> type. It means freed may overflow at the second addition.
>>
>> This patch is to fix it by using __u32 type for 'freed', while at
>> it, also to remove 'if (chunk)' check, as all renege commands are
>> generated in sctp_eat_data and it can't be NULL.
>>
>> Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
>> Signed-off-by: Xin Long <lucien.xin@...il.com>
>> Acked-by: Neil Horman <nhorman@...driver.com>
>> Signed-off-by: David S. Miller <davem@...emloft.net>
>> Signed-off-by: Sasha Levin <alexander.levin@...rosoft.com>
>> ---
>> net/sctp/ulpqueue.c | 24 ++++++++----------------
>> 1 file changed, 8 insertions(+), 16 deletions(-)
>>
>> diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
>> index a71be33f3afe..e36ec5dd64c6 100644
>> --- a/net/sctp/ulpqueue.c
>> +++ b/net/sctp/ulpqueue.c
>> @@ -1084,29 +1084,21 @@ void sctp_ulpq_partial_delivery(struct sctp_ulpq *ulpq,
>> void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
>> gfp_t gfp)
>> {
>> - struct sctp_association *asoc;
>> - __u16 needed, freed;
>> -
>> - asoc = ulpq->asoc;
>> + struct sctp_association *asoc = ulpq->asoc;
>> + __u32 freed = 0;
>> + __u16 needed;
>>
>> - if (chunk) {
>> - needed = ntohs(chunk->chunk_hdr->length);
>> - needed -= sizeof(struct sctp_data_chunk);
>> - } else
>> - needed = SCTP_DEFAULT_MAXWINDOW;
>> -
>> - freed = 0;
>> + needed = ntohs(chunk->chunk_hdr->length) -
>> + sizeof(struct sctp_data_chunk);
>>
>> if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) {
>> freed = sctp_ulpq_renege_order(ulpq, needed);
>> - if (freed < needed) {
>> + if (freed < needed)
>> freed += sctp_ulpq_renege_frags(ulpq, needed - freed);
>> - }
>> }
>> /* If able to free enough room, accept this chunk. */
>> - if (chunk && (freed >= needed)) {
>> - int retval;
>> - retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
>> + if (freed >= needed) {
>> + int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
>> /*
>> * Enter partial delivery if chunk has not been
>> * delivered; otherwise, drain the reassembly queue.
>
> Hmmm...
> ISTM that all the maths should be done using 'unsigned int' to avoid horrid
> masking operations on many cpus....
You meant 'if (u32 >= u16)' is not good ?
If so, I did some tests:
# x.c
int main()
{
unsigned int a = 1;
unsigned short b = 1;
if (a > b) <----
a++;
}
# y.c
int main()
{
unsigned int a = 1;
unsigned int b = 1;
if (a > b) <----
a++;
}
# x.s
movl $1, -4(%rbp)
movw $1, -6(%rbp)
movzwl -6(%rbp), %eax
cmpl -4(%rbp), %eax
# y.s
movl $1, -4(%rbp)
movl $1, -8(%rbp)
movl -4(%rbp), %eax
cmpl -8(%rbp), %eax
So looks like x.c vs y.c is:
movzwl vs movl
does it matter?
Powered by blists - more mailing lists