Message ID | 20220607120028.845916-1-wangyufen@huawei.com (mailing list archive) |
---|---|
State | Accepted |
Commit | f93431c86b631bbca5614c66f966bf3ddb3c2803 |
Delegated to: | Netdev Maintainers |
Headers | show |
Series | [net-next,v5,1/2] ipv6: Fix signed integer overflow in __ip6_append_data | expand |
Hello: This series was applied to netdev/net.git (master) by Jakub Kicinski <kuba@kernel.org>: On Tue, 7 Jun 2022 20:00:27 +0800 you wrote: > Resurrect ubsan overflow checks and ubsan report this warning, > fix it by change the variable [length] type to size_t. > > UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19 > 2147479552 + 8567 cannot be represented in type 'int' > CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1 > Hardware name: linux,dummy-virt (DT) > Call trace: > dump_backtrace+0x214/0x230 > show_stack+0x30/0x78 > dump_stack_lvl+0xf8/0x118 > dump_stack+0x18/0x30 > ubsan_epilogue+0x18/0x60 > handle_overflow+0xd0/0xf0 > __ubsan_handle_add_overflow+0x34/0x44 > __ip6_append_data.isra.48+0x1598/0x1688 > ip6_append_data+0x128/0x260 > udpv6_sendmsg+0x680/0xdd0 > inet6_sendmsg+0x54/0x90 > sock_sendmsg+0x70/0x88 > ____sys_sendmsg+0xe8/0x368 > ___sys_sendmsg+0x98/0xe0 > __sys_sendmmsg+0xf4/0x3b8 > __arm64_sys_sendmmsg+0x34/0x48 > invoke_syscall+0x64/0x160 > el0_svc_common.constprop.4+0x124/0x300 > do_el0_svc+0x44/0xc8 > el0_svc+0x3c/0x1e8 > el0t_64_sync_handler+0x88/0xb0 > el0t_64_sync+0x16c/0x170 > > [...] Here is the summary with links: - [net-next,v5,1/2] ipv6: Fix signed integer overflow in __ip6_append_data https://git.kernel.org/netdev/net/c/f93431c86b63 - [net-next,v5,2/2] ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg https://git.kernel.org/netdev/net/c/f638a84afef3 You are awesome, thank you!
diff --git a/include/net/ipv6.h b/include/net/ipv6.h index 5b38bf1a586b..de9dcc5652c4 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h @@ -1063,7 +1063,7 @@ int ip6_find_1stfragopt(struct sk_buff *skb, u8 **nexthdr); int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb), - void *from, int length, int transhdrlen, + void *from, size_t length, int transhdrlen, struct ipcm6_cookie *ipc6, struct flowi6 *fl6, struct rt6_info *rt, unsigned int flags); @@ -1079,7 +1079,7 @@ struct sk_buff *__ip6_make_skb(struct sock *sk, struct sk_buff_head *queue, struct sk_buff *ip6_make_skb(struct sock *sk, int getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb), - void *from, int length, int transhdrlen, + void *from, size_t length, int transhdrlen, struct ipcm6_cookie *ipc6, struct rt6_info *rt, unsigned int flags, struct inet_cork_full *cork); diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 4081b12a01ff..77e3f5970ce4 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -1450,7 +1450,7 @@ static int __ip6_append_data(struct sock *sk, struct page_frag *pfrag, int getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb), - void *from, int length, int transhdrlen, + void *from, size_t length, int transhdrlen, unsigned int flags, struct ipcm6_cookie *ipc6) { struct sk_buff *skb, *skb_prev = NULL; @@ -1798,7 +1798,7 @@ static int __ip6_append_data(struct sock *sk, int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb), - void *from, int length, int transhdrlen, + void *from, size_t length, int transhdrlen, struct ipcm6_cookie *ipc6, struct flowi6 *fl6, struct rt6_info *rt, unsigned int flags) { @@ -1995,7 +1995,7 @@ EXPORT_SYMBOL_GPL(ip6_flush_pending_frames); struct sk_buff *ip6_make_skb(struct sock *sk, int getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb), - void *from, int length, int transhdrlen, + void *from, size_t length, int transhdrlen, struct ipcm6_cookie *ipc6, struct rt6_info *rt, unsigned int flags, struct inet_cork_full *cork) {
Resurrect ubsan overflow checks and ubsan report this warning, fix it by change the variable [length] type to size_t. UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19 2147479552 + 8567 cannot be represented in type 'int' CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x214/0x230 show_stack+0x30/0x78 dump_stack_lvl+0xf8/0x118 dump_stack+0x18/0x30 ubsan_epilogue+0x18/0x60 handle_overflow+0xd0/0xf0 __ubsan_handle_add_overflow+0x34/0x44 __ip6_append_data.isra.48+0x1598/0x1688 ip6_append_data+0x128/0x260 udpv6_sendmsg+0x680/0xdd0 inet6_sendmsg+0x54/0x90 sock_sendmsg+0x70/0x88 ____sys_sendmsg+0xe8/0x368 ___sys_sendmsg+0x98/0xe0 __sys_sendmmsg+0xf4/0x3b8 __arm64_sys_sendmmsg+0x34/0x48 invoke_syscall+0x64/0x160 el0_svc_common.constprop.4+0x124/0x300 do_el0_svc+0x44/0xc8 el0_svc+0x3c/0x1e8 el0t_64_sync_handler+0x88/0xb0 el0t_64_sync+0x16c/0x170 Changes since v1: -Change the variable [length] type to unsigned, as Eric Dumazet suggested. Changes since v2: -Don't change exthdrlen type in ip6_make_skb, as Paolo Abeni suggested. Changes since v3: -Don't change ulen type in udpv6_sendmsg and l2tp_ip6_sendmsg, as Jakub Kicinski suggested. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Yufen <wangyufen@huawei.com> --- include/net/ipv6.h | 4 ++-- net/ipv6/ip6_output.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-)