| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <0e6f6c848c3340579c6ee99ba46c4df1@AcuMS.aculab.com>
Date: Tue, 6 Feb 2018 11:00:04 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Xin Long' <lucien.xin@...il.com>
CC: Sasha Levin <Alexander.Levin@...rosoft.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"David S . Miller" <davem@...emloft.net>
Subject: RE: [PATCH AUTOSEL for 4.14 019/110] sctp: fix the issue that a __u16
variable may overflow in sctp_ulpq_renege
From: Xin Long
> Sent: 06 February 2018 10:43
> To: David Laight
>
> On Mon, Feb 5, 2018 at 7:35 PM, David Laight <David.Laight@...lab.com> wrote:
> > From: Sasha Levin
> >> Sent: 03 February 2018 18:01
> >> [ Upstream commit 5c468674d17056148da06218d4da5d04baf22eac ]
> >>
> >> Now when reneging events in sctp_ulpq_renege(), the variable freed
> >> could be increased by a __u16 value twice while freed is of __u16
> >> type. It means freed may overflow at the second addition.
> >>
> >> This patch is to fix it by using __u32 type for 'freed', while at
> >> it, also to remove 'if (chunk)' check, as all renege commands are
> >> generated in sctp_eat_data and it can't be NULL.
> >>
> >> Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
> >> Signed-off-by: Xin Long <lucien.xin@...il.com>
> >> Acked-by: Neil Horman <nhorman@...driver.com>
> >> Signed-off-by: David S. Miller <davem@...emloft.net>
> >> Signed-off-by: Sasha Levin <alexander.levin@...rosoft.com>
> >> ---
> >> net/sctp/ulpqueue.c | 24 ++++++++----------------
> >> 1 file changed, 8 insertions(+), 16 deletions(-)
> >>
> >> diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c
> >> index a71be33f3afe..e36ec5dd64c6 100644
> >> --- a/net/sctp/ulpqueue.c
> >> +++ b/net/sctp/ulpqueue.c
> >> @@ -1084,29 +1084,21 @@ void sctp_ulpq_partial_delivery(struct sctp_ulpq *ulpq,
> >> void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk,
> >> gfp_t gfp)
> >> {
> >> - struct sctp_association *asoc;
> >> - __u16 needed, freed;
> >> -
> >> - asoc = ulpq->asoc;
> >> + struct sctp_association *asoc = ulpq->asoc;
> >> + __u32 freed = 0;
> >> + __u16 needed;
> >>
> >> - if (chunk) {
> >> - needed = ntohs(chunk->chunk_hdr->length);
> >> - needed -= sizeof(struct sctp_data_chunk);
> >> - } else
> >> - needed = SCTP_DEFAULT_MAXWINDOW;
> >> -
> >> - freed = 0;
> >> + needed = ntohs(chunk->chunk_hdr->length) -
> >> + sizeof(struct sctp_data_chunk);
> >>
> >> if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) {
> >> freed = sctp_ulpq_renege_order(ulpq, needed);
> >> - if (freed < needed) {
> >> + if (freed < needed)
> >> freed += sctp_ulpq_renege_frags(ulpq, needed - freed);
> >> - }
> >> }
> >> /* If able to free enough room, accept this chunk. */
> >> - if (chunk && (freed >= needed)) {
> >> - int retval;
> >> - retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
> >> + if (freed >= needed) {
> >> + int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp);
> >> /*
> >> * Enter partial delivery if chunk has not been
> >> * delivered; otherwise, drain the reassembly queue.
> >
> > Hmmm...
> > ISTM that all the maths should be done using 'unsigned int' to avoid horrid
> > masking operations on many cpus....
> You meant 'if (u32 >= u16)' is not good ?
> If so, I did some tests:
>
> # x.c
> int main()
> {
> unsigned int a = 1;
> unsigned short b = 1;
>
> if (a > b) <----
> a++;
> }
>
> # y.c
> int main()
> {
> unsigned int a = 1;
> unsigned int b = 1;
>
> if (a > b) <----
> a++;
> }
>
> # x.s
> movl $1, -4(%rbp)
> movw $1, -6(%rbp)
> movzwl -6(%rbp), %eax
> cmpl -4(%rbp), %eax
>
> # y.s
> movl $1, -4(%rbp)
> movl $1, -8(%rbp)
> movl -4(%rbp), %eax
> cmpl -8(%rbp), %eax
>
>
> So looks like x.c vs y.c is:
> movzwl vs movl
>
> does it matter?
Compile it for something other than x86.
David
Powered by blists - more mailing lists