* [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
@ 2022-06-01 8:48 Wang Yufen
2022-06-02 10:38 ` Paolo Abeni
0 siblings, 1 reply; 7+ messages in thread
From: Wang Yufen @ 2022-06-01 8:48 UTC (permalink / raw)
To: davem, yoshfuji, dsahern, edumazet, kuba, pabeni, ast, daniel,
andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh
Cc: netdev, bpf
Resurrect ubsan overflow checks and ubsan report this warning,
fix it by change the variable [length] type to size_t.
UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
2147479552 + 8567 cannot be represented in type 'int'
CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x214/0x230
show_stack+0x30/0x78
dump_stack_lvl+0xf8/0x118
dump_stack+0x18/0x30
ubsan_epilogue+0x18/0x60
handle_overflow+0xd0/0xf0
__ubsan_handle_add_overflow+0x34/0x44
__ip6_append_data.isra.48+0x1598/0x1688
ip6_append_data+0x128/0x260
udpv6_sendmsg+0x680/0xdd0
inet6_sendmsg+0x54/0x90
sock_sendmsg+0x70/0x88
____sys_sendmsg+0xe8/0x368
___sys_sendmsg+0x98/0xe0
__sys_sendmmsg+0xf4/0x3b8
__arm64_sys_sendmmsg+0x34/0x48
invoke_syscall+0x64/0x160
el0_svc_common.constprop.4+0x124/0x300
do_el0_svc+0x44/0xc8
el0_svc+0x3c/0x1e8
el0t_64_sync_handler+0x88/0xb0
el0t_64_sync+0x16c/0x170
Changes since v1:
-Change the variable [length] type to unsigned, as Eric Dumazet suggested.
Changes since v2:
-Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.
Changes since v3:
-Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as
Jakub Kicinski suggested.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
---
include/net/ipv6.h | 4 ++--
net/ipv6/ip6_output.c | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/include/net/ipv6.h b/include/net/ipv6.h
index 5b38bf1a586b..de9dcc5652c4 100644
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -1063,7 +1063,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr);
int ip6_append_data(struct sock *sk,
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags);
@@ -1079,7 +1079,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, struct sk_buff_head *queue,
struct sk_buff *ip6_make_skb(struct sock *sk,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6,
struct rt6_info *rt, unsigned int flags,
struct inet_cork_full *cork);
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4081b12a01ff..77e3f5970ce4 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1450,7 +1450,7 @@ static int __ip6_append_data(struct sock *sk,
struct page_frag *pfrag,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
unsigned int flags, struct ipcm6_cookie *ipc6)
{
struct sk_buff *skb, *skb_prev = NULL;
@@ -1798,7 +1798,7 @@ static int __ip6_append_data(struct sock *sk,
int ip6_append_data(struct sock *sk,
int getfrag(void *from, char *to, int offset, int len,
int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct flowi6 *fl6,
struct rt6_info *rt, unsigned int flags)
{
@@ -1995,7 +1995,7 @@ EXPORT_SYMBOL_GPL(ip6_flush_pending_frames);
struct sk_buff *ip6_make_skb(struct sock *sk,
int getfrag(void *from, char *to, int offset,
int len, int odd, struct sk_buff *skb),
- void *from, int length, int transhdrlen,
+ void *from, size_t length, int transhdrlen,
struct ipcm6_cookie *ipc6, struct rt6_info *rt,
unsigned int flags, struct inet_cork_full *cork)
{
--
2.25.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-01 8:48 [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data Wang Yufen
@ 2022-06-02 10:38 ` Paolo Abeni
2022-06-02 16:02 ` Jakub Kicinski
0 siblings, 1 reply; 7+ messages in thread
From: Paolo Abeni @ 2022-06-02 10:38 UTC (permalink / raw)
To: Wang Yufen, davem, yoshfuji, dsahern, edumazet, kuba, ast,
daniel, andrii, kafai, songliubraving, yhs, john.fastabend,
kpsingh
Cc: netdev, bpf
On Wed, 2022-06-01 at 16:48 +0800, Wang Yufen wrote:
> Resurrect ubsan overflow checks and ubsan report this warning,
> fix it by change the variable [length] type to size_t.
>
> UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19
> 2147479552 + 8567 cannot be represented in type 'int'
> CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> dump_backtrace+0x214/0x230
> show_stack+0x30/0x78
> dump_stack_lvl+0xf8/0x118
> dump_stack+0x18/0x30
> ubsan_epilogue+0x18/0x60
> handle_overflow+0xd0/0xf0
> __ubsan_handle_add_overflow+0x34/0x44
> __ip6_append_data.isra.48+0x1598/0x1688
> ip6_append_data+0x128/0x260
> udpv6_sendmsg+0x680/0xdd0
> inet6_sendmsg+0x54/0x90
> sock_sendmsg+0x70/0x88
> ____sys_sendmsg+0xe8/0x368
> ___sys_sendmsg+0x98/0xe0
> __sys_sendmmsg+0xf4/0x3b8
> __arm64_sys_sendmmsg+0x34/0x48
> invoke_syscall+0x64/0x160
> el0_svc_common.constprop.4+0x124/0x300
> do_el0_svc+0x44/0xc8
> el0_svc+0x3c/0x1e8
> el0t_64_sync_handler+0x88/0xb0
> el0t_64_sync+0x16c/0x170
>
> Changes since v1:
> -Change the variable [length] type to unsigned, as Eric Dumazet suggested.
> Changes since v2:
> -Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested.
> Changes since v3:
> -Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as
> Jakub Kicinski suggested.
I'm sorry for the multiple incremental feedback on this patch. It's
somewhat tricky.
AFAICS Jakub mentioned only udpv6_sendmsg(). In l2tp_ip6_sendmsg() we
can have an overflow:
int transhdrlen = 4; /* zero session-id */
int ulen = len + transhdrlen;
when len >= INT_MAX - 4. That will be harmless, but I guess it could
still trigger a noisy UBSAN splat.
Paolo
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-02 10:38 ` Paolo Abeni
@ 2022-06-02 16:02 ` Jakub Kicinski
2022-06-03 8:58 ` Paolo Abeni
0 siblings, 1 reply; 7+ messages in thread
From: Jakub Kicinski @ 2022-06-02 16:02 UTC (permalink / raw)
To: Paolo Abeni
Cc: Wang Yufen, davem, yoshfuji, dsahern, edumazet, ast, daniel,
andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh,
netdev, bpf
On Thu, 02 Jun 2022 12:38:10 +0200 Paolo Abeni wrote:
> I'm sorry for the multiple incremental feedback on this patch. It's
> somewhat tricky.
>
> AFAICS Jakub mentioned only udpv6_sendmsg(). In l2tp_ip6_sendmsg() we
> can have an overflow:
>
> int transhdrlen = 4; /* zero session-id */
> int ulen = len + transhdrlen;
>
> when len >= INT_MAX - 4. That will be harmless, but I guess it could
> still trigger a noisy UBSAN splat.
Good point, I wonder if that's a separate issue. Should we
follow what UDP does and subtract the transhdr from the max?
My gut feeling is that stricter checks are cleaner than just
bumping variable sizes.
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index c6ff8bf9b55f..9dbd801ddb98 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -504,14 +504,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
struct ipcm6_cookie ipc6;
int addr_len = msg->msg_namelen;
int transhdrlen = 4; /* zero session-id */
- int ulen = len + transhdrlen;
+ int ulen;
int err;
/* Rough check on arithmetic overflow,
* better check is made in ip6_append_data().
*/
- if (len > INT_MAX)
+ if (len > INT_MAX - transhdrlen)
return -EMSGSIZE;
+ ulen = len + transhdrlen;
/* Mirror BSD error message compatibility */
if (msg->msg_flags & MSG_OOB)
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-02 16:02 ` Jakub Kicinski
@ 2022-06-03 8:58 ` Paolo Abeni
2022-06-06 2:03 ` wangyufen
0 siblings, 1 reply; 7+ messages in thread
From: Paolo Abeni @ 2022-06-03 8:58 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Wang Yufen, davem, yoshfuji, dsahern, edumazet, ast, daniel,
andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh,
netdev, bpf
On Thu, 2022-06-02 at 09:02 -0700, Jakub Kicinski wrote:
> On Thu, 02 Jun 2022 12:38:10 +0200 Paolo Abeni wrote:
> > I'm sorry for the multiple incremental feedback on this patch. It's
> > somewhat tricky.
> >
> > AFAICS Jakub mentioned only udpv6_sendmsg(). In l2tp_ip6_sendmsg() we
> > can have an overflow:
> >
> > int transhdrlen = 4; /* zero session-id */
> > int ulen = len + transhdrlen;
> >
> > when len >= INT_MAX - 4. That will be harmless, but I guess it could
> > still trigger a noisy UBSAN splat.
>
> Good point, I wonder if that's a separate issue. Should we
> follow what UDP does and subtract the transhdr from the max?
> My gut feeling is that stricter checks are cleaner than just
> bumping variable sizes.
>
> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
> index c6ff8bf9b55f..9dbd801ddb98 100644
> --- a/net/l2tp/l2tp_ip6.c
> +++ b/net/l2tp/l2tp_ip6.c
> @@ -504,14 +504,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
> struct ipcm6_cookie ipc6;
> int addr_len = msg->msg_namelen;
> int transhdrlen = 4; /* zero session-id */
> - int ulen = len + transhdrlen;
> + int ulen;
> int err;
>
> /* Rough check on arithmetic overflow,
> * better check is made in ip6_append_data().
> */
> - if (len > INT_MAX)
> + if (len > INT_MAX - transhdrlen)
> return -EMSGSIZE;
> + ulen = len + transhdrlen;
>
> /* Mirror BSD error message compatibility */
> if (msg->msg_flags & MSG_OOB)
>
LGTM. Imho this can even land in a separated patch (whatever is easier)
Thanks!
Paolo
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-03 8:58 ` Paolo Abeni
@ 2022-06-06 2:03 ` wangyufen
2022-06-06 14:24 ` Jakub Kicinski
0 siblings, 1 reply; 7+ messages in thread
From: wangyufen @ 2022-06-06 2:03 UTC (permalink / raw)
To: Paolo Abeni, Jakub Kicinski
Cc: davem, yoshfuji, dsahern, edumazet, ast, daniel, andrii, kafai,
songliubraving, yhs, john.fastabend, kpsingh, netdev, bpf
在 2022/6/3 16:58, Paolo Abeni 写道:
> On Thu, 2022-06-02 at 09:02 -0700, Jakub Kicinski wrote:
>> On Thu, 02 Jun 2022 12:38:10 +0200 Paolo Abeni wrote:
>>> I'm sorry for the multiple incremental feedback on this patch. It's
>>> somewhat tricky.
>>>
>>> AFAICS Jakub mentioned only udpv6_sendmsg(). In l2tp_ip6_sendmsg() we
>>> can have an overflow:
>>>
>>> int transhdrlen = 4; /* zero session-id */
>>> int ulen = len + transhdrlen;
>>>
>>> when len >= INT_MAX - 4. That will be harmless, but I guess it could
>>> still trigger a noisy UBSAN splat.
>> Good point, I wonder if that's a separate issue. Should we
>> follow what UDP does and subtract the transhdr from the max?
>> My gut feeling is that stricter checks are cleaner than just
>> bumping variable sizes.
>>
>> diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
>> index c6ff8bf9b55f..9dbd801ddb98 100644
>> --- a/net/l2tp/l2tp_ip6.c
>> +++ b/net/l2tp/l2tp_ip6.c
>> @@ -504,14 +504,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
>> struct ipcm6_cookie ipc6;
>> int addr_len = msg->msg_namelen;
>> int transhdrlen = 4; /* zero session-id */
>> - int ulen = len + transhdrlen;
>> + int ulen;
>> int err;
>>
>> /* Rough check on arithmetic overflow,
>> * better check is made in ip6_append_data().
>> */
>> - if (len > INT_MAX)
>> + if (len > INT_MAX - transhdrlen)
>> return -EMSGSIZE;
>> + ulen = len + transhdrlen;
>>
>> /* Mirror BSD error message compatibility */
>> if (msg->msg_flags & MSG_OOB)
>>
> LGTM. Imho this can even land in a separated patch (whatever is easier)
Thanks for all the feedback.
So, Jakub will send a new patch to fix the l2tp_ip6_sendmsg issue?
Thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-06 2:03 ` wangyufen
@ 2022-06-06 14:24 ` Jakub Kicinski
2022-06-07 1:16 ` wangyufen
0 siblings, 1 reply; 7+ messages in thread
From: Jakub Kicinski @ 2022-06-06 14:24 UTC (permalink / raw)
To: wangyufen
Cc: Paolo Abeni, davem, yoshfuji, dsahern, edumazet, ast, daniel,
andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh,
netdev, bpf
On Mon, 6 Jun 2022 10:03:27 +0800 wangyufen wrote:
> > LGTM. Imho this can even land in a separated patch (whatever is easier)
>
> Thanks for all the feedback.
> So, Jakub will send a new patch to fix the l2tp_ip6_sendmsg issue?
That was just a suggestion, if possible I'd prefer if you double
checked the analysis, tested that or similar code, wrote a commit
message etc. and sent it.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data
2022-06-06 14:24 ` Jakub Kicinski
@ 2022-06-07 1:16 ` wangyufen
0 siblings, 0 replies; 7+ messages in thread
From: wangyufen @ 2022-06-07 1:16 UTC (permalink / raw)
To: Jakub Kicinski
Cc: Paolo Abeni, davem, yoshfuji, dsahern, edumazet, ast, daniel,
andrii, kafai, songliubraving, yhs, john.fastabend, kpsingh,
netdev, bpf
在 2022/6/6 22:24, Jakub Kicinski 写道:
> On Mon, 6 Jun 2022 10:03:27 +0800 wangyufen wrote:
>>> LGTM. Imho this can even land in a separated patch (whatever is easier)
>> Thanks for all the feedback.
>> So, Jakub will send a new patch to fix the l2tp_ip6_sendmsg issue?
> That was just a suggestion, if possible I'd prefer if you double
> checked the analysis, tested that or similar code, wrote a commit
> message etc. and sent it.
> .
OK, thanks. will send in v5.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-06-07 1:16 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-01 8:48 [PATCH net-next v4] ipv6: Fix signed integer overflow in __ip6_append_data Wang Yufen
2022-06-02 10:38 ` Paolo Abeni
2022-06-02 16:02 ` Jakub Kicinski
2022-06-03 8:58 ` Paolo Abeni
2022-06-06 2:03 ` wangyufen
2022-06-06 14:24 ` Jakub Kicinski
2022-06-07 1:16 ` wangyufen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.