From patchwork Wed Dec 21 18:50:59 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Xi Wang X-Patchwork-Id: 132706 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id BD233B7132 for ; Thu, 22 Dec 2011 05:53:03 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753912Ab1LUSwm (ORCPT ); Wed, 21 Dec 2011 13:52:42 -0500 Received: from mail-qw0-f53.google.com ([209.85.216.53]:45820 "EHLO mail-qw0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751754Ab1LUSwl (ORCPT ); Wed, 21 Dec 2011 13:52:41 -0500 Received: by qadb15 with SMTP id b15so4909787qad.19 for ; Wed, 21 Dec 2011 10:52:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=from:to:cc:subject:date:message-id:x-mailer; bh=NbgR5mTDcl3xCLumX22eFu+Qx2pobxRvvNK/Ut3rfw8=; b=bMVMgEWNwzyCKP4BPNpl757Yha9O8Q4LWeFf2cG8kBirhQuTMjPMZnmUgylLoLdTQz eg1aesihzp/t/RWJT9DHvXpt3xz+pNs+Z0PfEqrnQyEwWApcLXTvoBJDAsK9qez8o6y9 CtVOJn1hhgwSmJR6Rk59U1j7eQ0vaxfs1MRLA= Received: by 10.224.105.196 with SMTP id u4mr10007568qao.47.1324493561162; Wed, 21 Dec 2011 10:52:41 -0800 (PST) Received: from localhost.localdomain (hchen.csail.mit.edu. [18.26.5.5]) by mx.google.com with ESMTPS id dj9sm12118328qab.18.2011.12.21.10.52.39 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 21 Dec 2011 10:52:40 -0800 (PST) From: Xi Wang To: Tom Herbert , "David S. Miller" Cc: netdev@vger.kernel.org, Xi Wang Subject: [PATCH] rps: fix insufficient bounds checking in store_rps_dev_flow_table_cnt() Date: Wed, 21 Dec 2011 13:50:59 -0500 Message-Id: <1324493459-19764-1-git-send-email-xi.wang@gmail.com> X-Mailer: git-send-email 1.7.5.4 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Setting a large rps_flow_cnt like 1073741824 (1 << 30) on 32-bit platform will cause a kernel oops due to insufficient bounds checking. if (count > 1<<30) { /* Enforce a limit to prevent overflow */ return -EINVAL; } count = roundup_pow_of_two(count); table = vmalloc(RPS_DEV_FLOW_TABLE_SIZE(count)); Note that the macro RPS_DEV_FLOW_TABLE_SIZE(count) is defined as: ... + (count * sizeof(struct rps_dev_flow)) where sizeof(struct rps_dev_flow) is 8. (1 << 30) * 8 will overflow 32 bits. This patch changes the upper bound to (1 << 28). Signed-off-by: Xi Wang --- net/core/net-sysfs.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index c71c434..f53a947 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -665,7 +665,7 @@ static ssize_t store_rps_dev_flow_table_cnt(struct netdev_rx_queue *queue, if (count) { int i; - if (count > 1<<30) { + if (count > 1<<28) { /* Enforce a limit to prevent overflow */ return -EINVAL; }