From: Dan Carpenter <dan.carpenter@linaro.org>
To: Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: Jakub Kicinski <kuba@kernel.org>,
Louis Peens <louis.peens@corigine.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Paolo Abeni <pabeni@redhat.com>, Quentin Monnet <qmo@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
bpf@vger.kernel.org, oss-drivers@corigine.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: Re: [PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()
Date: Tue, 14 Jan 2025 13:45:04 +0300
Message-ID: <Z4ZAMCRQW8iiYXAb@stanley.mountain>
In-Reply-To: <1ba87a40-5851-4877-a539-e065c3a8a433@intel.com>
[ I tried to send this email yesterday but apparently gmail blocked
it for security reasons? So weird. - dan ]
On Mon, Jan 13, 2025 at 01:32:11PM +0100, Alexander Lobakin wrote:
> From: Dan Carpenter <dan.carpenter@linaro.org>
> Date: Mon, 13 Jan 2025 09:18:39 +0300
>
> > The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
> > potentially have an integer wrapping bug on 32bit systems. Check for
>
> Not in practice I suppose? Do we need to fix "never" bugs?
>
No, this is from static analysis. We don't need to fix never bugs.

This is called from nfp_bpf_ctrl_msg_rx() and nfp_bpf_ctrl_msg_rx_raw()
and I assumed that since pkt_size and data_size come from skb->data on
the rx path then they couldn't be trusted.

Where is the bounds checking?

regards,
dan carpenter
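
The wrap under discussion in this thread, as an added example that is not part of the original message or the nfp driver's code. It assumes uint32_t as a model of a 32-bit size_t; HDR_SIZE, len_ok_naive() and len_ok_checked() are hypothetical names and the header size is a constructed value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for sizeof(struct cmsg_bpf_event); the real value is
 * not given in the thread. */
#define HDR_SIZE 32u

/* Hypothetical helper: the "hdr + pkt_size + data_size" comparison done in
 * 32-bit unsigned arithmetic, as size_t behaves on a 32-bit build. The sum
 * wraps modulo 2^32, so huge sizes read from the message can pass. */
static bool len_ok_naive(uint32_t len, uint32_t pkt_size, uint32_t data_size)
{
	return len >= HDR_SIZE + pkt_size + data_size;
}

/* Hypothetical helper: same intent, written so nothing can wrap. Each
 * untrusted field is compared against what is left of the buffer. */
static bool len_ok_checked(uint32_t len, uint32_t pkt_size, uint32_t data_size)
{
	uint32_t remaining;

	if (len < HDR_SIZE)
		return false;
	remaining = len - HDR_SIZE;
	if (pkt_size > remaining)
		return false;
	remaining -= pkt_size;
	return data_size <= remaining;
}

int main(void)
{
	/* Constructed inputs: a 64-byte message whose header claims sizes that,
	 * together with the header, sum to 2^32 + 32. */
	uint32_t len = 64, pkt_size = 0xFFFFFFF0u, data_size = 0x10u;

	printf("naive:   %d\n", len_ok_naive(len, pkt_size, data_size));
	printf("checked: %d\n", len_ok_checked(len, pkt_size, data_size));
	printf("honest:  %d\n", len_ok_checked(64, 16, 16));
	return 0;
}
```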