From: Simon Horman <horms@kernel.org>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len()
Date: Wed, 22 Jan 2025 12:39:36 +0000 [thread overview]
Message-ID: <20250122123936.GB390877@kernel.org> (raw)
In-Reply-To: <018ecf13-e371-4b39-8946-c7510baf916b@stanley.mountain>
On Tue, Jan 21, 2025 at 02:16:01PM +0300, Dan Carpenter wrote:
> The problem is that "replay_esn->bmp_len" comes from the user and it's
> a u32. The xfrm_replay_state_esn_len() function also returns a u32.
> So if we choose a ->bmp_len which very high then the total will be
> more than UINT_MAX and value will be truncated when we return. The
> returned value will be smaller than expected causing problems in the
> caller.
>
> To fix this:
> 1) Use size_add() and size_mul(). This change is necessary for 32bit
> systems.
> 2) Change the type of xfrm_replay_state_esn_len() and related variables
> from u32 to size_t.
> 3) Remove the casts to (int). The size should never be negative.
> Generally, values which come from size_add/mul() should stay as type
> size_t and not be truncated to user fewer than all the bytes in a
> unsigned long.
>
> Cc: stable@vger.kernel.org
> Fixes: 9736acf395d3 ("xfrm: Add basic infrastructure to support IPsec extended sequence numbers")
> Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
> ---
> The one caller that I didn't modify was xfrm_sa_len(). That's a bit
> complicated and also I'm kind of hoping that we don't handle user
> controlled data in that function? The place where we definitely are
> handling user data is in xfrm_alloc_replay_state_esn() and this patch
> fixes that.
Yes, that is a bit "complex".
FWIIW, my opinion is that your patch is correct and it improves things -
even if the end result may still have imperfections. And for that reason
I'm in favour of it being accepted.
Reviewed-by: Simon Horman <horms@kernel.org>
next prev parent reply other threads:[~2025-01-22 12:39 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-21 11:16 [PATCH net] xfrm: fix integer overflow in xfrm_replay_state_esn_len() Dan Carpenter
2025-01-22 12:39 ` Simon Horman [this message]
2025-01-22 13:16 ` Dan Carpenter
2025-01-22 13:50 ` Dan Carpenter
2025-01-22 16:53 ` kernel test robot
2025-01-30 8:16 ` Dan Carpenter
2025-01-31 20:28 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250122123936.GB390877@kernel.org \
--to=horms@kernel.org \
--cc=dan.carpenter@linaro.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kernel-janitors@vger.kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.