| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <67e40a8bdadc2_4bb5c294e8@willemb.c.googlers.com.notmuch>
Date: Wed, 26 Mar 2025 10:09:15 -0400
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>,
Willem de Bruijn <willemdebruijn.kernel@...il.com>,
"David S. Miller" <davem@...emloft.net>,
David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: Simon Horman <horms@...nel.org>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
Kuniyuki Iwashima <kuni1840@...il.com>,
netdev@...r.kernel.org
Subject: Re: [PATCH v2 net 1/3] udp: Fix multiple wraparounds of
sk->sk_rmem_alloc.
Kuniyuki Iwashima wrote:
> __udp_enqueue_schedule_skb() has the following condition:
>
> if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
> goto drop;
>
> sk->sk_rcvbuf is initialised by net.core.rmem_default and later can
> be configured by SO_RCVBUF, which is limited by net.core.rmem_max,
> or SO_RCVBUFFORCE.
>
> If we set INT_MAX to sk->sk_rcvbuf, the condition is always false
> as sk->sk_rmem_alloc is also signed int.
>
> Then, the size of the incoming skb is added to sk->sk_rmem_alloc
> unconditionally.
>
> This results in integer overflow (possibly multiple times) on
> sk->sk_rmem_alloc and allows a single socket to have skb up to
> net.core.udp_mem[1].
>
> For example, if we set a large value to udp_mem[1] and INT_MAX to
> sk->sk_rcvbuf and flood packets to the socket, we can see multiple
> overflows:
>
> # cat /proc/net/sockstat | grep UDP:
> UDP: inuse 3 mem 7956736 <-- (7956736 << 12) bytes > INT_MAX * 15
> ^- PAGE_SHIFT
> # ss -uam
> State Recv-Q ...
> UNCONN -1757018048 ... <-- flipping the sign repeatedly
> skmem:(r2537949248,rb2147483646,t0,tb212992,f1984,w0,o0,bl0,d0)
>
> Previously, we had a boundary check for INT_MAX, which was removed by
> commit 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc").
>
> A complete fix would be to revert it and cap the right operand by
> INT_MAX:
>
> rmem = atomic_add_return(size, &sk->sk_rmem_alloc);
> if (rmem > min(size + (unsigned int)sk->sk_rcvbuf, INT_MAX))
> goto uncharge_drop;
>
> but we do not want to add the expensive atomic_add_return() back just
> for the corner case.
>
> Casting rmem to unsigned int prevents multiple wraparounds, but we still
> allow a single wraparound.
>
> # cat /proc/net/sockstat | grep UDP:
> UDP: inuse 3 mem 524288 <-- (INT_MAX + 1) >> 12
>
> # ss -uam
> State Recv-Q ...
> UNCONN -2147482816 ... <-- INT_MAX + 831 bytes
> skmem:(r2147484480,rb2147483646,t0,tb212992,f3264,w0,o0,bl0,d14468947)
>
> So, let's define rmem and rcvbuf as unsigned int and check skb->truesize
> only when rcvbuf is large enough to lower the overflow possibility.
>
> Note that we still have a small chance to see overflow if multiple skbs
> to the same socket are processed on different core at the same time and
> each size does not exceed the limit but the total size does.
>
> Note also that we must ignore skb->truesize for a small buffer as
> explained in commit 363dc73acacb ("udp: be less conservative with
> sock rmem accounting").
>
> Fixes: 6a1f12dd85a8 ("udp: relax atomic operation on sk->sk_rmem_alloc")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
Reviewed-by: Willem de Bruijn <willemb@...gle.com>
Powered by blists - more mailing lists