lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20221021171642.89090-1-kuniyu@amazon.com>
Date:   Fri, 21 Oct 2022 10:16:42 -0700
From:   Kuniyuki Iwashima <kuniyu@...zon.com>
To:     <luwei32@...wei.com>
CC:     <asml.silence@...il.com>, <ast@...nel.org>, <davem@...emloft.net>,
        <dsahern@...nel.org>, <edumazet@...gle.com>,
        <imagedong@...cent.com>, <kuba@...nel.org>, <kuniyu@...zon.com>,
        <linux-kernel@...r.kernel.org>, <martin.lau@...nel.org>,
        <ncardwell@...gle.com>, <netdev@...r.kernel.org>,
        <pabeni@...hat.com>, <yoshfuji@...ux-ipv6.org>
Subject: Re: [PATCH net,v3] tcp: fix a signed-integer-overflow bug in tcp_add_backlog()

From:   Lu Wei <luwei32@...wei.com>
Date:   Fri, 21 Oct 2022 12:06:22 +0800
> The type of sk_rcvbuf and sk_sndbuf in struct sock is int, and
> in tcp_add_backlog(), the variable limit is caculated by adding
> sk_rcvbuf, sk_sndbuf and 64 * 1024, it may exceed the max value
> of int and overflow. This patch reduces the limit budget by
> halving the sndbuf to solve this issue since ACK packets are much
> smaller than the payload.
> 
> Fixes: c9c3321257e1 ("tcp: add tcp_add_backlog()")
> Signed-off-by: Lu Wei <luwei32@...wei.com>

Acked-by: Kuniyuki Iwashima <kuniyu@...zon.com>


> ---
>  net/ipv4/tcp_ipv4.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
> index 7a250ef9d1b7..87d440f47a70 100644
> --- a/net/ipv4/tcp_ipv4.c
> +++ b/net/ipv4/tcp_ipv4.c
> @@ -1874,11 +1874,13 @@ bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
>  	__skb_push(skb, hdrlen);
>  
>  no_coalesce:
> +	limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
> +
>  	/* Only socket owner can try to collapse/prune rx queues
>  	 * to reduce memory overhead, so add a little headroom here.
>  	 * Few sockets backlog are possibly concurrently non empty.
>  	 */
> -	limit = READ_ONCE(sk->sk_rcvbuf) + READ_ONCE(sk->sk_sndbuf) + 64*1024;
> +	limit += 64 * 1024;
>  
>  	if (unlikely(sk_add_backlog(sk, skb, limit))) {
>  		bh_unlock_sock(sk);
> -- 
> 2.31.1

Powered by blists - more mailing lists