lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iL3iWQkhbJ1-YgJ_DQErkhB6=rOD_JuJBiJaEb+36QrkA@mail.gmail.com>
Date:   Wed, 12 Oct 2022 05:31:50 -0700
From:   Eric Dumazet <edumazet@...gle.com>
To:     Lu Wei <luwei32@...wei.com>
Cc:     davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
        yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH -next] tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

On Wed, Oct 12, 2022 at 2:35 AM Lu Wei <luwei32@...wei.com> wrote:
>
> The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
> in tcp_add_backlog(), the variable limit is caculated by adding
> sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
> of u32 and be truncated. So change it to u64 to avoid a potential
> signed-integer-overflow, which leads to opposite result is returned
> in the following function.
>
> Signed-off-by: Lu Wei <luwei32@...wei.com>

You need to add a Fixes: tag, please.

> ---
>  include/net/sock.h  | 4 ++--
>  net/ipv4/tcp_ipv4.c | 6 ++++--
>  2 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 08038a385ef2..fc0fa29d8865 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1069,7 +1069,7 @@ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
>   * Do not take into account this skb truesize,
>   * to allow even a single big packet to come.
>   */
> -static inline bool sk_rcvqueues_full(const struct sock *sk, unsigned int limit)
> +static inline bool sk_rcvqueues_full(const struct sock *sk, u64 limit)
>  {
>         unsigned int qsize = sk->sk_backlog.len + atomic_read(&sk->sk_rmem_alloc);

qsize would then overflow :/

I would rather limit sk_rcvbuf and sk_sndbuf to 0x7fff0000, instead of
0x7ffffffe

If really someone is using 2GB for both send and receive queues,  I
doubt removing 64KB will be a problem.

Powered by blists - more mailing lists