From patchwork Wed Mar 29 14:11:20 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Andrey Konovalov <andreyknvl@google.com>
X-Patchwork-Id: 744811
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3vtV7M6gB8z9s2P
	for <patchwork-incoming@ozlabs.org>;
	Thu, 30 Mar 2017 01:11:43 +1100 (AEDT)
Authentication-Results: ozlabs.org; dkim=pass (2048-bit key;
	unprotected) header.d=google.com header.i=@google.com
	header.b="AajWE+oi"; dkim-atps=neutral
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1755417AbdC2OLk (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Wed, 29 Mar 2017 10:11:40 -0400
Received: from mail-wr0-f176.google.com ([209.85.128.176]:35382 "EHLO
	mail-wr0-f176.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751868AbdC2OLi (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 29 Mar 2017 10:11:38 -0400
Received: by mail-wr0-f176.google.com with SMTP id k6so10838260wre.2
	for <netdev@vger.kernel.org>; Wed, 29 Mar 2017 07:11:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references
	:in-reply-to:references;
	bh=jEZu25UGcKs06RK567Ssi2GGa3LxtirGgfL8tFBVmjk=;
	b=AajWE+oidF4F+56CGN5kJw45emAV0vBRSUvkf39+u9o61PU+p4PYFGzAZlLNb+veQS
	Xj/HptHRy6P9AuNEkG3nJ1qx92yBmE1J8n+yzr2gqa8f59dHw3Y8NotkYbM4F+1Gy3sN
	QvMWzVyZuaZJoWHJz1KdrBs8LaSnqtiBPV4TX/UskT1wkZHTUDXVVOri6Xg8yPCNF3BS
	0eOYaJu5lziAHBiaQdgVKzE2JabuxbeTRmTKijjqBK/BGUgri7HHu4I45OsmYTnBXVHR
	fb/OALTZp/RkTUn7ow2k/MIR8Z99DRUV2IHaypnjIJLISt6Ix2H16YC6rTgBk5YnKxW0
	3EGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references:in-reply-to:references;
	bh=jEZu25UGcKs06RK567Ssi2GGa3LxtirGgfL8tFBVmjk=;
	b=GK6J8Dtt7USclZvbjy0kkrPgOipgAnDw53UDb4LzfSqy0n6Y02RLiOZoqAhxAMH/qJ
	dr4OUZCacXoH4eGCUDt6x3W+xPDVAuhDyPMLtra9aO3m1r/VsAliu0DAB1jHbQiCKcd3
	2Uw/FHA8bJqhjvu4Pw3XjdMxO6TSNIDv1M7U5Euj2dyjlcZkvh7U5RQn/m6tXPKpPr+B
	oSoU9nrzlLaZEJvNgsOz7vv0QDf6Z4AkqHXzogNARm3kSsz2kKYZwvsPObCQUzV9ScZA
	vI2rYk28GfpDOzCB7mctJcSPkcHT1oBK2UwWVFBcyLS4XOJX5ux0pQwniOtl4NfGD8UO
	nmYA==
X-Gm-Message-State: 
 AFeK/H2u/LAXddVuuFgIzLvx2vlIkypULPs9QAr6/PHweCfoVfNiDgE5+tSDVO5JTuh4squq
X-Received: by 10.28.91.1 with SMTP id p1mr1565488wmb.63.1490796695292;
	Wed, 29 Mar 2017 07:11:35 -0700 (PDT)
Received: from andreyknvl0.muc.corp.google.com
	([2a00:79e0:15:2:f4c6:e120:bb49:e30d])
	by smtp.gmail.com with ESMTPSA id
	x133sm8326984wme.22.2017.03.29.07.11.34
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 29 Mar 2017 07:11:34 -0700 (PDT)
Received: by andreyknvl0.muc.corp.google.com (Postfix, from userid 206546)
	id A22CF1809AA; Wed, 29 Mar 2017 16:11:33 +0200 (CEST)
From: Andrey Konovalov <andreyknvl@google.com>
To: "David S . Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Willem de Bruijn <willemb@google.com>, Craig Gallek <cgallek@google.com>
Cc: netdev@vger.kernel.org, Dmitry Vyukov <dvyukov@google.com>,
	Kostya Serebryany <kcc@google.com>,
	Andrey Konovalov <andreyknvl@google.com>
Subject: [PATCH net v2 1/3] net/packet: fix overflow in check for priv area
	size
Date: Wed, 29 Mar 2017 16:11:20 +0200
Message-Id: 
 <56da2aa1dec51c258eb25693ed87e4de72413463.1490796500.git.andreyknvl@google.com>
X-Mailer: git-send-email 2.12.2.564.g063fe858b8-goog
In-Reply-To: <cover.1490796500.git.andreyknvl@google.com>
References: <cover.1490796500.git.andreyknvl@google.com>
In-Reply-To: <cover.1490796500.git.andreyknvl@google.com>
References: <cover.1490796500.git.andreyknvl@google.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
---
 net/packet/af_packet.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index a0dbe7ca8f72..2323ee35dc09 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 		if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
 			goto out;
 		if (po->tp_version >= TPACKET_V3 &&
-		    (int)(req->tp_block_size -
-			  BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0)
+		    req->tp_block_size <=
+			  BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
 			goto out;
 		if (unlikely(req->tp_frame_size < po->tp_hdrlen +
 					po->tp_reserve))