From patchwork Fri Dec 2 17:44:53 2016
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 702082
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1480700693.18162.378.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
From: Eric Dumazet
To: David Miller
Cc: netdev, Andrey Konovalov
Date: Fri, 02 Dec 2016 09:44:53 -0800

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
---
 net/core/sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 5e3ca414357e2404db28eeacc5e9306051161493..00a074dbfe9bf169c2b81498e6ae265199745b22 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -715,7 +715,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, val = min_t(u32, val, sysctl_wmem_max); set_sndbuf: sk->sk_userlocks |= SOCK_SNDBUF_LOCK; - sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); + sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); /* Wake up sending tasks if we upped the value. */ sk->sk_write_space(sk); break; @@ -751,7 +751,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, * returning the value we actually used in getsockopt * is the most desirable behavior. */ - sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); + sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); break; case SO_RCVBUFFORCE:
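Review bot: In the first hunk, at set_sndbuf, `val * 2` is still evaluated before the clamp, so if val is a signed int (as the subject implies) a forced value above INT_MAX / 2 wraps negative and is then silently raised to SOCK_MIN_SNDBUF by the now-signed max_t(). That closes the negative sk_sndbuf case the commit message describes, but the caller who asked for a very large buffer ends up with the smallest one, and the result depends on the multiplication wrapping. Consider bounding val to the range 0..INT_MAX / 2 before the doubling, so the expression cannot overflow and an oversized request saturates high instead of low; the same applies to the sk_rcvbuf line in the second hunk.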
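Review bot: In the second hunk, the visible tail of the comment above the sk_rcvbuf assignment only discusses the value returned by getsockopt; nothing next to the changed line records that the max_t() type has to be int so that a negative `val * 2` is replaced by SOCK_MIN_RCVBUF rather than stored. Add one sentence to that comment, and an equivalent one at set_sndbuf, stating that the signed comparison is deliberate, so a later cleanup does not switch the type back to u32 and reintroduce the negative buffer sizes.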