From: Sabrina Dubroca <sd@queasysnail.net>
To: Jacob Keller <jacob.e.keller@intel.com>
Cc: Nate Karstens <nate.karstens@garmin.com>,
davem@davemloft.net, edumazet@google.com, horms@kernel.org,
john.fastabend@gmail.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux@treblig.org, mrpre@163.com,
nate.karstens@gmail.com, netdev@vger.kernel.org,
pabeni@redhat.com, stable@vger.kernel.org, tom@quantonium.net
Subject: Re: [PATCH] strparser: Fix signed/unsigned mismatch bug
Date: Thu, 6 Nov 2025 16:22:53 +0100 [thread overview]
Message-ID: <aQy9TZm4rpP3ZB4b@krikkit> (raw)
In-Reply-To: <f1f2c082-0597-4130-91d2-2059df3ba72f@intel.com>
2025-11-05, 15:47:00 -0800, Jacob Keller wrote:
>
>
> On 11/5/2025 3:12 PM, Nate Karstens wrote:
> > Thanks, Jake!
> >
> >> So, without the ssize_t, I guess everything switches back to unsigned
> >> here when subtracting skb->len..
> >
> > That's right. In C, if there is a mix of signed an unsigned, then signed are converted to unsigned and unsigned arithmetic is used.
Not if the signed type is bigger than the unsigned?
on x86_64 (with long = s64 and unsigned int = u32):
(long)1 - (unsigned int)100 < 0
(int)1 - (unsigned int)100 > 0
Are you testing on some 32b arch? Otherwise ssize_t would be s64 and
int/unsigned int should be 32b so the missing cast would not matter?
> >> I don't quite recall the signed vs unsigned rules for this. Is
> >> stm.strp.offset also unsigned? which means that after head->len -
> >> skb->len resolves to unsigned 0 then we underflow?
> >
> > Here is a summary of the types for the variables involved:
> >
> > len => ssize_t (signed)
> > (ssize_t)head->len => unsigned int cast to ssize_t
> > skb->len => unsigned int, causes the whole comparison to use unsigned arithmetic
> > stm->strp.offset => int (see struct strp_msg)
> >
>
> Ah, right so if we don't cast skb->len then the entire thing uses
> unsigned arithmetic which results in the bad outcome for certain values
> of input.
>
> Casting would fix this. Another alternative would be to re-write the
> checks so that they don't fail when using unsigned arithmetic.
>
> Given that we already cast one to ssize_t, it does seem reasonable to
> just add the other cast as your patch did.
Agree. And adding a summary of the information in this thread to the
commit message would be really useful (clearly, this stuff is not so
obvious :)).
> >> If we don't actually use the strparser code anywhere then it could be
> >> dropped
> >
> > It is still used elsewhere, and ktls still uses some of the data structures.
> >
>
> Right. Fixing it makes the most sense, so that other users don't
> accidentally behave unexpectedly.
Agree. I didn't mean to dismiss the presence of a bug, sorry if it
sounded like that. But I was a bit unclear on the conditions, this
discussion is helpful.
--
Sabrina
next prev parent reply other threads:[~2025-11-06 15:22 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 17:42 [PATCH] strparser: Fix signed/unsigned mismatch bug Nate Karstens
2025-11-04 23:28 ` Sabrina Dubroca
2025-11-05 17:34 ` Nate Karstens
2025-11-05 22:29 ` Jacob Keller
2025-11-05 23:12 ` Nate Karstens
2025-11-05 23:47 ` Jacob Keller
2025-11-06 15:22 ` Sabrina Dubroca [this message]
2025-11-06 16:36 ` Nate Karstens
2025-11-06 16:51 ` [PATCH net v2] " Nate Karstens
2025-11-06 22:22 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQy9TZm4rpP3ZB4b@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jacob.e.keller@intel.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mrpre@163.com \
--cc=nate.karstens@garmin.com \
--cc=nate.karstens@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.