diff mbox series

mptcp: fix possible integer overflow in mptcp_reset_tout_timer

Message ID 20241107103657.1560536-1-d.kandybka@gmail.com (mailing list archive)
State Accepted
Commit b169e76ebad22cbd055101ee5aa1a7bed0e66606
Delegated to: Netdev Maintainers
Headers show
Series mptcp: fix possible integer overflow in mptcp_reset_tout_timer | expand

Checks

Context Check Description
netdev/series_format warning Single patches do not need cover letters; Target tree name not specified in the subject
netdev/tree_selection success Guessed tree name to be net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 3 this patch: 3
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 6 maintainers not CCed: martineau@kernel.org horms@kernel.org geliang@kernel.org edumazet@google.com pabeni@redhat.com kuba@kernel.org
netdev/build_clang success Errors and warnings before: 3 this patch: 3
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 5 this patch: 5
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 10 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-11-07--12-00 (tests: 787)

Commit Message

Dmitry Kandybka Nov. 7, 2024, 10:36 a.m. UTC 
In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long
to avoid possible integer overflow. Compile tested only.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
---
 net/mptcp/protocol.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Matthieu Baerts (NGI0) Nov. 8, 2024, 11:43 a.m. UTC | #1 
Hi Dmitry,

On 07/11/2024 11:36, Dmitry Kandybka wrote:
> In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long
> to avoid possible integer overflow. Compile tested only.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
> ---
>  net/mptcp/protocol.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> index e978e05ec8d1..ff2b8a2bfe18 100644
> --- a/net/mptcp/protocol.c
> +++ b/net/mptcp/protocol.c
> @@ -2722,8 +2722,8 @@ void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout)
>  	if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp)
>  		return;
>  
> -	close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies +
> -			mptcp_close_timeout(sk);
> +	close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp -
> +			tcp_jiffies32 + jiffies + mptcp_close_timeout(sk);

If I'm not mistaken, "jiffies" is an "unsigned long", which makes this
modification not necessary, no?

Cheers,
Matt
Fedor Pchelkin Nov. 8, 2024, 9:42 p.m. UTC | #2 
Hi,

Cc'ing more people.

On Fri, 08. Nov 12:43, Matthieu Baerts wrote:
> Hi Dmitry,
> 
> On 07/11/2024 11:36, Dmitry Kandybka wrote:
> > In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long
> > to avoid possible integer overflow. Compile tested only.
> > 
> > Found by Linux Verification Center (linuxtesting.org) with SVACE.
> > 
> > Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
> > ---
> >  net/mptcp/protocol.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> > index e978e05ec8d1..ff2b8a2bfe18 100644
> > --- a/net/mptcp/protocol.c
> > +++ b/net/mptcp/protocol.c
> > @@ -2722,8 +2722,8 @@ void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout)
> >  	if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp)
> >  		return;
> >  
> > -	close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies +
> > -			mptcp_close_timeout(sk);
> > +	close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp -
> > +			tcp_jiffies32 + jiffies + mptcp_close_timeout(sk);
> 
> If I'm not mistaken, "jiffies" is an "unsigned long", which makes this
> modification not necessary, no?

inet_csk(sk)->icsk_mtup.probe_timestamp and tcp_jiffies32 are both of u32
type.

'inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32' will be computed
first in u32, only then the result will be converted to unsigned long for
further calculations with 'jiffies'.

Looking at how probe_timestamp is initialized, seems it will always be less
than the current tcp_jiffies32 value.

So 'inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32' will wrap in
u32, and then converted to unsigned long. It's not clear actually whether
this is considered to be an expected behavior... Goes all the way down to
76a13b315709 ("mptcp: invoke MP_FAIL response when needed").

> 
> Cheers,
> Matt
> -- 
> Sponsored by the NGI0 Core fund.
Paolo Abeni Nov. 12, 2024, 11:55 a.m. UTC | #3 
On 11/7/24 11:36, Dmitry Kandybka wrote:
> In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long
> to avoid possible integer overflow. Compile tested only.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
> ---
>  net/mptcp/protocol.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
> index e978e05ec8d1..ff2b8a2bfe18 100644
> --- a/net/mptcp/protocol.c
> +++ b/net/mptcp/protocol.c
> @@ -2722,8 +2722,8 @@ void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout)
>  	if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp)
>  		return;
>  
> -	close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies +
> -			mptcp_close_timeout(sk);
> +	close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp -
> +			tcp_jiffies32 + jiffies + mptcp_close_timeout(sk);
>  
>  	/* the close timeout takes precedence on the fail one, and here at least one of
>  	 * them is active

The patch makes sense to me. Any functional effect is hard to observe as
the timeout is served by the mptcp_worker, that can and is triggered
also by other events and uses the correct expression to evaluate the
timeout occurred event.

@Mat: are you ok with the patch?

Thanks,

Paolo
patchwork-bot+netdevbpf@kernel.org Nov. 13, 2024, 5 a.m. UTC | #4 
Hello:

This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Thu,  7 Nov 2024 13:36:57 +0300 you wrote:
> In 'mptcp_reset_tout_timer', promote 'probe_timestamp' to unsigned long
> to avoid possible integer overflow. Compile tested only.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
> 
> [...]

Here is the summary with links:
  - mptcp: fix possible integer overflow in mptcp_reset_tout_timer
    https://git.kernel.org/netdev/net-next/c/b169e76ebad2

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index e978e05ec8d1..ff2b8a2bfe18 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2722,8 +2722,8 @@  void mptcp_reset_tout_timer(struct mptcp_sock *msk, unsigned long fail_tout)
 	if (!fail_tout && !inet_csk(sk)->icsk_mtup.probe_timestamp)
 		return;
 
-	close_timeout = inet_csk(sk)->icsk_mtup.probe_timestamp - tcp_jiffies32 + jiffies +
-			mptcp_close_timeout(sk);
+	close_timeout = (unsigned long)inet_csk(sk)->icsk_mtup.probe_timestamp -
+			tcp_jiffies32 + jiffies + mptcp_close_timeout(sk);
 
 	/* the close timeout takes precedence on the fail one, and here at least one of
 	 * them is active