[PATCH net v2 0/3] net/packet: fix multiple overflow issues in ring buffers

[PATCH net v2 0/3] net/packet: fix multiple overflow issues in ring buffers

[Andrey Konovalov]

This patchset addresses multiple overflows and signedness-related issues
in packet socket ring buffers.

Changes in v2:
- remove cleanup patches, will send in a separate patchset
- use a > UINT_MAX / b to check for a * b overflow

Andrey Konovalov (3):
  net/packet: fix overflow in check for priv area size
  net/packet: fix overflow in check for tp_frame_nr
  net/packet: fix overflow in check for tp_reserve

 net/packet/af_packet.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

-- 
2.12.2.564.g063fe858b8-goog

[PATCH net v2 1/3] net/packet: fix overflow in check for priv area size

[Andrey Konovalov]

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a0dbe7ca8f72..2323ee35dc09 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
-		    (int)(req->tp_block_size -
-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+		    req->tp_block_size <=
+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))
-- 
2.12.2.564.g063fe858b8-goog

[PATCH net v2 2/3] net/packet: fix overflow in check for tp_frame_nr

[Andrey Konovalov]

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2323ee35dc09..3ac286ebb2f4 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4205,6 +4205,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
 		if (unlikely(rb->frames_per_block == 0))
 			goto out;
+		if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr))
+			goto out;
 		if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
 					req->tp_frame_nr))
 			goto out;
-- 
2.12.2.564.g063fe858b8-goog

[PATCH net v2 3/3] net/packet: fix overflow in check for tp_reserve

[Andrey Konovalov]

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
---
 net/packet/af_packet.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 3ac286ebb2f4..8489beff5c25 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3665,6 +3665,8 @@ packet_setsockopt(struct socket *sock, int level, int optname, char __user *optv
 			return -EBUSY;
 		if (copy_from_user(&val, optval, sizeof(val)))
 			return -EFAULT;
+		if (val > INT_MAX)
+			return -EINVAL;
 		po->tp_reserve = val;
 		return 0;
 	}
-- 
2.12.2.564.g063fe858b8-goog

Re: [PATCH net v2 1/3] net/packet: fix overflow in check for priv area size

[Eric Dumazet]

On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> Subtracting tp_sizeof_priv from tp_block_size and casting to int
> to check whether one is less then the other doesn't always work
> (both of them are unsigned ints).
> 
> Compare them as is instead.
> 
> Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
> it can overflow inside BLK_PLUS_PRIV otherwise.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH net v2 2/3] net/packet: fix overflow in check for tp_frame_nr

[Eric Dumazet]

On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> When calculating rb->frames_per_block * req->tp_block_nr the result
> can overflow.
> 
> Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
> 
> Since frames_per_block <= tp_block_size, the expression would
> never overflow.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH net v2 3/3] net/packet: fix overflow in check for tp_reserve

[Eric Dumazet]

On Wed, 2017-03-29 at 16:11 +0200, Andrey Konovalov wrote:
> When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
> 
> Fix by checking that tp_reserve <= INT_MAX on assign.
> 
> Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
> ---

Acked-by: Eric Dumazet <edumazet@google.com>

Thanks !

Re: [PATCH net v2 0/3] net/packet: fix multiple overflow issues in ring buffers

[David Miller]

From: Andrey Konovalov <andreyknvl@google.com>
Date: Wed, 29 Mar 2017 16:11:19 +0200

> This patchset addresses multiple overflows and signedness-related issues
> in packet socket ring buffers.
> 
> Changes in v2:
> - remove cleanup patches, will send in a separate patchset
> - use a > UINT_MAX / b to check for a * b overflow

All applied and queued up for -stable, thanks.