From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
"David S. Miller" <davem@davemloft.net>
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Robin Holt <holt@sgi.com>, Willy Tarreau <w@1wt.eu>,
netdev@vger.kernel.org, linux-sctp@vger.kernel.org,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
"Pekka Savola (ipv6)" <pekkas@netcore.fi>,
James Morris <jmorris@namei.org>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Patrick McHardy <kaber@trash.net>,
Vlad Yasevich <vladislav.yasevich@hp.com>,
Sridhar Samudrala <sri@us.ibm.com>
Subject: [34/44] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
Date: Tue, 07 Dec 2010 16:04:33 -0800 [thread overview]
Message-ID: <20101208000642.975564500@clark.site> (raw)
In-Reply-To: <20101208003205.GA4286@kroah.com>
2.6.27-stable review patch. If anyone has any objections, please let us know.
------------------
From: Robin Holt <holt@sgi.com>
[ Problem was fixed differently upstream. -DaveM ]
On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
sysctl_sctp_mem[2] can integer overflow. Set limit such that they are
maximized without overflowing.
Signed-off-by: Robin Holt <holt@sgi.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Willy Tarreau <w@1wt.eu>
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-sctp@vger.kernel.org
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/tcp.c | 4 +++-
net/ipv4/udp.c | 4 +++-
net/sctp/protocol.c | 4 +++-
3 files changed, 9 insertions(+), 3 deletions(-)
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2754,12 +2754,14 @@ void __init tcp_init(void)
/* Set the pressure threshold to be a fraction of global memory that
* is up to 1/2 at 256 MB, decreasing toward zero with the amount of
- * memory, with a floor of 128 pages.
+ * memory, with a floor of 128 pages, and a ceiling that prevents an
+ * integer overflow.
*/
nr_pages = totalram_pages - totalhigh_pages;
limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
limit = max(limit, 128UL);
+ limit = min(limit, INT_MAX * 4UL / 3 / 2);
sysctl_tcp_mem[0] = limit / 4 * 3;
sysctl_tcp_mem[1] = limit;
sysctl_tcp_mem[2] = sysctl_tcp_mem[0] * 2;
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1722,11 +1722,13 @@ void __init udp_init(void)
/* Set the pressure threshold up by the same strategy of TCP. It is a
* fraction of global memory that is up to 1/2 at 256 MB, decreasing
- * toward zero with the amount of memory, with a floor of 128 pages.
+ * toward zero with the amount of memory, with a floor of 128 pages,
+ * and a ceiling that prevents an integer overflow.
*/
limit = min(nr_all_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
limit = (limit * (nr_all_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
limit = max(limit, 128UL);
+ limit = min(limit, INT_MAX * 4UL / 3 / 2);
sysctl_udp_mem[0] = limit / 4 * 3;
sysctl_udp_mem[1] = limit;
sysctl_udp_mem[2] = sysctl_udp_mem[0] * 2;
--- a/net/sctp/protocol.c
+++ b/net/sctp/protocol.c
@@ -1179,7 +1179,8 @@ SCTP_STATIC __init int sctp_init(void)
/* Set the pressure threshold to be a fraction of global memory that
* is up to 1/2 at 256 MB, decreasing toward zero with the amount of
- * memory, with a floor of 128 pages.
+ * memory, with a floor of 128 pages, and a ceiling that prevents an
+ * integer overflow.
* Note this initalizes the data in sctpv6_prot too
* Unabashedly stolen from tcp_init
*/
@@ -1187,6 +1188,7 @@ SCTP_STATIC __init int sctp_init(void)
limit = min(nr_pages, 1UL<<(28-PAGE_SHIFT)) >> (20-PAGE_SHIFT);
limit = (limit * (nr_pages >> (20-PAGE_SHIFT))) >> (PAGE_SHIFT-11);
limit = max(limit, 128UL);
+ limit = min(limit, INT_MAX * 4UL / 3 / 2);
sysctl_sctp_mem[0] = limit / 4 * 3;
sysctl_sctp_mem[1] = limit;
sysctl_sctp_mem[2] = sysctl_sctp_mem[0] * 2;
next prev parent reply other threads:[~2010-12-08 0:34 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-08 0:32 [00/44] 2.6.27.57-stable review Greg KH
2010-12-08 0:04 ` [01/44] block: check for proper length of iov entries in blk_rq_map_user_iov() Greg KH
2010-12-08 0:04 ` [02/44] irda: Fix parameter extraction stack overflow Greg KH
2010-12-08 0:04 ` [03/44] irda: Fix heap memory corruption in iriap.c Greg KH
2010-12-08 0:04 ` [04/44] percpu: fix list_head init bug in __percpu_counter_init() Greg KH
2010-12-08 0:04 ` [05/44] um: fix global timer issue when using CONFIG_NO_HZ Greg KH
2010-12-08 0:04 ` [06/44] numa: fix slab_node(MPOL_BIND) Greg KH
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 3:03 ` Lee Schermerhorn
2010-12-08 4:17 ` Greg KH
2010-12-08 4:37 ` Eric Dumazet
2010-12-08 13:54 ` Lee Schermerhorn
2010-12-08 4:33 ` Eric Dumazet
2010-12-08 5:07 ` Eric Dumazet
2010-12-08 13:53 ` Lee Schermerhorn
2010-12-08 0:04 ` [07/44] mm: fix return value of scan_lru_pages in memory unplug Greg KH
2010-12-08 0:04 ` [08/44] mm: fix is_mem_section_removable() page_order BUG_ON check Greg KH
2010-12-08 0:04 ` [09/44] ipc: initialize structure memory to zero for compat functions Greg KH
2010-12-08 0:04 ` [10/44] ipc: shm: fix information leak to userland Greg KH
2010-12-08 0:04 ` [11/44] sys_semctl: fix kernel stack leakage Greg KH
2010-12-08 0:04 ` [12/44] drivers/char/vt_ioctl.c: fix VT_OPENQRY error value Greg KH
2010-12-08 0:04 ` [13/44] eCryptfs: Clear LOOKUP_OPEN flag when creating lower file Greg KH
2010-12-08 0:04 ` [14/44] bio: take care not overflow page count when mapping/copying user data Greg KH
2010-12-08 0:04 ` [15/44] libata: fix NULL sdev dereference race in atapi_qc_complete() Greg KH
2010-12-08 0:04 ` [16/44] usb: misc: sisusbvga: fix information leak to userland Greg KH
2010-12-08 0:04 ` [17/44] usb: misc: iowarrior: " Greg KH
2010-12-08 0:04 ` [18/44] usb: core: " Greg KH
2010-12-08 0:04 ` [19/44] USB: EHCI: fix obscure race in ehci_endpoint_disable Greg KH
2010-12-08 0:04 ` [20/44] USB: storage: sierra_ms: fix sysfs file attribute Greg KH
2010-12-08 0:04 ` [21/44] USB: atm: ueagle-atm: fix up some permissions on the sysfs files Greg KH
2010-12-08 0:04 ` [22/44] USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions Greg KH
2010-12-08 0:04 ` [23/44] USB: misc: usbled: " Greg KH
2010-12-08 0:04 ` [24/44] USB: misc: trancevibrator: fix up a sysfs attribute permission Greg KH
2010-12-08 0:04 ` [25/44] acpi-cpufreq: fix a memleak when unloading driver Greg KH
2010-12-08 0:04 ` [26/44] do_exit(): make sure that we run with get_fs() == USER_DS Greg KH
2010-12-08 0:04 ` [27/44] DECnet: dont leak uninitialized stack byte Greg KH
2010-12-08 0:04 ` [28/44] ARM: 6482/2: Fix find_next_zero_bit and related assembly Greg KH
2010-12-08 0:04 ` [29/44] net: clear heap allocations for privileged ethtool actions Greg KH
2010-12-08 0:04 ` [30/44] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-12-08 0:04 ` [31/44] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-12-08 0:04 ` [32/44] rose: Fix signedness issues wrt. digi count Greg KH
2010-12-08 0:04 ` [33/44] net: Fix the condition passed to sk_wait_event() Greg KH
2010-12-08 0:04 ` Greg KH [this message]
2010-12-08 1:22 ` [34/44] Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows Linus Torvalds
2010-12-08 4:16 ` Greg KH
2010-12-08 5:50 ` Eric Dumazet
2010-12-08 16:25 ` David Miller
2010-12-08 23:13 ` Greg KH
2010-12-08 0:04 ` [35/44] tcp: Fix race in tcp_poll Greg KH
2010-12-08 0:04 ` [36/44] net: Truncate recvfrom and sendto length to INT_MAX Greg KH
2010-12-08 0:04 ` [37/44] ipv6: conntrack: Add member of user to nf_ct_frag6_queue structure Greg KH
2010-12-08 0:04 ` [38/44] x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet Greg KH
2010-12-08 0:04 ` [39/44] memory corruption in X.25 facilities parsing Greg KH
2010-12-08 0:04 ` [40/44] can-bcm: fix minor heap overflow Greg KH
2010-12-08 0:04 ` [41/44] V4L/DVB: ivtvfb: prevent reading uninitialized stack memory Greg KH
2010-12-08 0:04 ` [42/44] x25: Prevent crashing when parsing bad X.25 facilities Greg KH
2010-12-08 0:04 ` [43/44] econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849 Greg KH
2010-12-08 0:04 ` [44/44] econet: fix CVE-2010-3850 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101208000642.975564500@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=holt@sgi.com \
--cc=jmorris@namei.org \
--cc=kaber@trash.net \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pekkas@netcore.fi \
--cc=sri@us.ibm.com \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=vladislav.yasevich@hp.com \
--cc=w@1wt.eu \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox