| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Mar 2023 18:47:14 +0100
From: Alexander Lobakin <aleksander.lobakin@...el.com>
To: Kal Conley <kal.conley@...tris.com>
CC: Björn Töpel <bjorn@...nel.org>,
Magnus Karlsson <magnus.karlsson@...el.com>,
Maciej Fijalkowski <maciej.fijalkowski@...el.com>,
Jonathan Lemon <jonathan.lemon@...il.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
"Alexei Starovoitov" <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Jesper Dangaard Brouer <hawk@...nel.org>,
John Fastabend <john.fastabend@...il.com>,
<netdev@...r.kernel.org>, <bpf@...r.kernel.org>,
<linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] xsk: Add missing overflow check in xdp_umem_reg
From: Kal Conley <kal.conley@...tris.com>
Date: Tue, 7 Mar 2023 18:23:06 +0100
> The number of chunks can overflow u32. Make sure to return -EINVAL on
> overflow.
>
> Fixes: bbff2f321a86 ("xsk: new descriptor addressing scheme")
> Signed-off-by: Kal Conley <kal.conley@...tris.com>
> ---
> net/xdp/xdp_umem.c | 13 +++++++------
> 1 file changed, 7 insertions(+), 6 deletions(-)
>
> diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c
> index 4681e8e8ad94..f1aa79018ce8 100644
> --- a/net/xdp/xdp_umem.c
> +++ b/net/xdp/xdp_umem.c
> @@ -150,10 +150,11 @@ static int xdp_umem_account_pages(struct xdp_umem *umem)
>
> static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
> {
> - u32 npgs_rem, chunk_size = mr->chunk_size, headroom = mr->headroom;
> + u32 chunk_size = mr->chunk_size, headroom = mr->headroom;
> bool unaligned_chunks = mr->flags & XDP_UMEM_UNALIGNED_CHUNK_FLAG;
> - u64 npgs, addr = mr->addr, size = mr->len;
> - unsigned int chunks, chunks_rem;
> + u64 addr = mr->addr, size = mr->len;
> + u64 chunks, npgs;
> + u32 chunks_rem, npgs_rem;
The RCT declaration style is messed up in the whole block. Please move
lines around, there's nothing wrong in that.
> int err;
>
> if (chunk_size < XDP_UMEM_MIN_CHUNK_SIZE || chunk_size > PAGE_SIZE) {
> @@ -188,8 +189,8 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
> if (npgs > U32_MAX)
> return -EINVAL;
>
> - chunks = (unsigned int)div_u64_rem(size, chunk_size, &chunks_rem);
> - if (chunks == 0)
> + chunks = div_u64_rem(size, chunk_size, &chunks_rem);
> + if (chunks == 0 || chunks > U32_MAX)
You can change the first cond to `!chunks` while at it, it's more
preferred than `== 0`.
> return -EINVAL;
Do you have any particular bugs that the current code leads to? Or it's
just something that might hypothetically happen?
>
> if (!unaligned_chunks && chunks_rem)
> @@ -201,7 +202,7 @@ static int xdp_umem_reg(struct xdp_umem *umem, struct xdp_umem_reg *mr)
> umem->size = size;
> umem->headroom = headroom;
> umem->chunk_size = chunk_size;
> - umem->chunks = chunks;
> + umem->chunks = (u32)chunks;
You already checked @chunks fits into 32 bits, so the cast can be
omitted here, it's redundant.
> umem->npgs = (u32)npgs;
> umem->pgs = NULL;
> umem->user = NULL;
Thanks,
Olek
Powered by blists - more mailing lists