| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250408182116.45882-1-kuniyu@amazon.com>
Date: Tue, 8 Apr 2025 11:21:14 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <zijun_hu@...oud.com>
CC: <dada1@...mosbay.com>, <davem@...emloft.net>, <edumazet@...gle.com>,
<horms@...nel.org>, <kuba@...nel.org>, <kuniyu@...zon.com>,
<linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <quic_zijuhu@...cinc.com>, <willemb@...gle.com>,
<xemul@...nvz.org>
Subject: Re: [PATCH net-next] sock: Correct error checking condition for assign|release_proto_idx()
From: Zijun Hu <zijun_hu@...oud.com>
Date: Tue, 08 Apr 2025 21:42:34 +0800
> From: Zijun Hu <quic_zijuhu@...cinc.com>
>
> assign|release_proto_idx() wrongly check find_first_zero_bit() failure
> by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.
>
> Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
> Also check @->inuse_idx before accessing @->val[] to avoid OOB.
>
> Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
> ---
> include/net/sock.h | 5 ++++-
> net/core/sock.c | 7 +++++--
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 8daf1b3b12c607d81920682139b53fee935c9bb5..9ece93a3dd044997276b0fa37dddc7b5bbdacc43 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1421,7 +1421,10 @@ struct prot_inuse {
> static inline void sock_prot_inuse_add(const struct net *net,
> const struct proto *prot, int val)
> {
> - this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
> + unsigned int idx = prot->inuse_idx;
> +
> + if (likely(idx < PROTO_INUSE_NR))
> + this_cpu_add(net->core.prot_inuse->val[idx], val);
How does the else case happen ?
> }
>
> static inline void sock_inuse_add(const struct net *net, int val)
> diff --git a/net/core/sock.c b/net/core/sock.c
> index 323892066def8ba517ff59f98f2e4ab47edd4e63..92f4618c576a3120bcc8e9d03d36738b77447360 100644
> --- a/net/core/sock.c
> +++ b/net/core/sock.c
> @@ -3948,6 +3948,9 @@ int sock_prot_inuse_get(struct net *net, struct proto *prot)
> int cpu, idx = prot->inuse_idx;
> int res = 0;
>
> + if (unlikely(idx >= PROTO_INUSE_NR))
Same here.
> + return 0;
> +
> for_each_possible_cpu(cpu)
> res += per_cpu_ptr(net->core.prot_inuse, cpu)->val[idx];
>
> @@ -3999,7 +4002,7 @@ static int assign_proto_idx(struct proto *prot)
> {
> prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR);
>
> - if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) {
> + if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) {
> pr_err("PROTO_INUSE_NR exhausted\n");
> return -ENOSPC;
> }
> @@ -4010,7 +4013,7 @@ static int assign_proto_idx(struct proto *prot)
>
> static void release_proto_idx(struct proto *prot)
> {
> - if (prot->inuse_idx != PROTO_INUSE_NR - 1)
> + if (prot->inuse_idx != PROTO_INUSE_NR)
> clear_bit(prot->inuse_idx, proto_inuse_idx);
> }
> #else
>
> ---
> base-commit: 34a07c5b257453b5fcadc2408719c7b075844014
> change-id: 20250405-fix_net-3e8364d302ff
>
> Best regards,
> --
> Zijun Hu <quic_zijuhu@...cinc.com>
Powered by blists - more mailing lists