From: Andrey Konovalov
To: "David S . Miller", Eric Dumazet, Willem de Bruijn, Craig Gallek
Cc: netdev@vger.kernel.org, Dmitry Vyukov, Kostya Serebryany, Andrey Konovalov
Subject: [PATCH 1/5] net/packet: fix overflow in check for priv area size
Date: Tue, 28 Mar 2017 16:00:42 +0200
Message-Id: <56da2aa1dec51c258eb25693ed87e4de72413463.1490709552.git.andreyknvl@google.com>

Subtracting tp_sizeof_priv from tp_block_size and casting to int to check whether one is less than the other doesn't always work (both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as it can overflow inside BLK_PLUS_PRIV otherwise.

Signed-off-by: Andrey Konovalov
--- net/packet/af_packet.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c index a0dbe7ca8f72..2323ee35dc09 100644 --- a/net/packet/af_packet.c 
+++ b/net/packet/af_packet.c @@ -4193,8 +4193,8 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, if (unlikely(!PAGE_ALIGNED(req->tp_block_size))) goto out; if (po->tp_version >= TPACKET_V3 && - (int)(req->tp_block_size - - BLK_PLUS_PRIV(req_u->req3.tp_sizeof_priv)) <= 0) + req->tp_block_size <= + BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) goto out; if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
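
Review bot: In the TPACKET_V3 condition the (u64) widening is applied at the call site, so the fix holds only if BLK_PLUS_PRIV preserves its argument's width through every step of its expansion; the macro's definition is not part of this hunk, and any other caller that passes an unsigned int would still be able to wrap. Consider doing the widening inside BLK_PLUS_PRIV itself, or at least adding a one-line comment above `BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)` saying why the cast is needed, so a later cleanup does not drop it as redundant. The change from the (int) subtraction to a direct `<=` on the unsigned values looks right, and it still rejects the case where tp_block_size equals the header-plus-priv size, as the old `<= 0` did.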