From: Amit Pundir
To: Greg KH
Cc: stable@vger.kernel.org, Eric Dumazet, "David S . Miller"
Subject: [PATCH for-3.18 6/7] net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Date: Wed, 3 May 2017 23:05:57 +0530
Message-Id: <1493832958-12489-7-git-send-email-amit.pundir@linaro.org>
X-Patchwork-Id: 98504

From: Eric Dumazet

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Signed-off-by: David S. Miller (cherry picked from commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290) Signed-off-by: Amit Pundir --- net/core/sock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.7.4 diff --git a/net/core/sock.c b/net/core/sock.c index 3b3734f81e64..7bcd07e7eeed 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -733,7 +733,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, val = min_t(u32, val, sysctl_wmem_max); set_sndbuf: sk->sk_userlocks |= SOCK_SNDBUF_LOCK; - sk->sk_sndbuf = max_t(u32, val * 2, SOCK_MIN_SNDBUF); + sk->sk_sndbuf = max_t(int, val * 2, SOCK_MIN_SNDBUF); /* Wake up sending tasks if we upped the value. */ sk->sk_write_space(sk); break; @@ -769,7 +769,7 @@ set_rcvbuf: * returning the value we actually used in getsockopt * is the most desirable behavior. */ - sk->sk_rcvbuf = max_t(u32, val * 2, SOCK_MIN_RCVBUF); + sk->sk_rcvbuf = max_t(int, val * 2, SOCK_MIN_RCVBUF); break; case SO_RCVBUFFORCE:
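
Review bot: in the set_sndbuf hunk, `val * 2` is still evaluated before max_t(int, ...) sees it, and the `min_t(u32, val, sysctl_wmem_max)` clamp sits above the `set_sndbuf:` label, so a caller that jumps to the label skips it. If val is a signed int, any magnitude above INT_MAX / 2 wraps in the doubling: a large positive request turns negative and is floored to SOCK_MIN_SNDBUF, while a sufficiently negative one can wrap to a large positive value that passes the comparison. Consider bounding val (for example to the range 0..INT_MAX / 2) before the multiplication, so the int comparison only ever sees a representable result.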
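
Review bot: in the set_rcvbuf hunk, a negative result of `val * 2` is now silently replaced by SOCK_MIN_RCVBUF rather than reported to the caller, and the comment ending just above the assignment ("returning the value we actually used in getsockopt is the most desirable behavior") does not mention that clamp. Either extend that comment to say that out-of-range requests fall back to the minimum, or reject negative input with -EINVAL before the assignment if callers are meant to learn that the request was invalid.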
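
The comparison change can be reproduced in userspace. The following is an added example, not code from the patch or the kernel tree: `MIN_SNDBUF` is a constructed placeholder for SOCK_MIN_SNDBUF, `max_t` is a simplified rendition of the kernel macro, and `sndbuf_bounded()` is a hypothetical extra guard that goes beyond what the patch does.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder; the real SOCK_MIN_SNDBUF comes from kernel headers. */
#define MIN_SNDBUF 2048

/* Simplified max_t(): cast both operands to 'type', then compare. */
#define max_t(type, a, b) ((type)(a) > (type)(b) ? (type)(a) : (type)(b))

/* Doubling done in unsigned arithmetic to model wrapping without
 * relying on signed overflow in this program. */
static int twice(int val) { return (int)((uint32_t)val * 2u); }

/* Before the patch: compared as u32, then stored in an int field.
 * A negative product looks huge as u32, wins, and is stored negative. */
static int sndbuf_before(int val)
{
    return (int)max_t(uint32_t, twice(val), MIN_SNDBUF);
}

/* After the patch: compared as int, so a negative product loses to the minimum. */
static int sndbuf_after(int val)
{
    return max_t(int, twice(val), MIN_SNDBUF);
}

/* Hypothetical guard (assumption, not in the patch): bound val before doubling. */
static int sndbuf_bounded(int val)
{
    if (val < 0)
        val = 0;
    if (val > INT_MAX / 2)
        val = INT_MAX / 2;
    return max_t(int, val * 2, MIN_SNDBUF);
}

int main(void)
{
    /* Constructed sample requests, including values whose doubling wraps. */
    int samples[] = { -1, 4096, INT_MAX / 2 + 1, INT_MIN / 2 - 1 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("val=%d before=%d after=%d bounded=%d\n", samples[i],
               sndbuf_before(samples[i]), sndbuf_after(samples[i]),
               sndbuf_bounded(samples[i]));
    return 0;
}
```
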