From: Sabrina Dubroca <sd@queasysnail.net>
To: Jacob Keller <jacob.e.keller@intel.com>
Cc: Nate Karstens <nate.karstens@garmin.com>,
davem@davemloft.net, edumazet@google.com, horms@kernel.org,
john.fastabend@gmail.com, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux@treblig.org, mrpre@163.com,
nate.karstens@gmail.com, netdev@vger.kernel.org,
pabeni@redhat.com, stable@vger.kernel.org, tom@quantonium.net
Subject: Re: [PATCH] strparser: Fix signed/unsigned mismatch bug
Date: Thu, 6 Nov 2025 16:22:53 +0100 [thread overview]
Message-ID: <aQy9TZm4rpP3ZB4b@krikkit> (raw)
In-Reply-To: <f1f2c082-0597-4130-91d2-2059df3ba72f@intel.com>
2025-11-05, 15:47:00 -0800, Jacob Keller wrote:
>
>
> On 11/5/2025 3:12 PM, Nate Karstens wrote:
> > Thanks, Jake!
> >
> >> So, without the ssize_t, I guess everything switches back to unsigned
> >> here when subtracting skb->len..
> >
> > That's right. In C, if there is a mix of signed an unsigned, then signed are converted to unsigned and unsigned arithmetic is used.
Not if the signed type is bigger than the unsigned?
on x86_64 (with long = s64 and unsigned int = u32):
(long)1 - (unsigned int)100 < 0
(int)1 - (unsigned int)100 > 0
Are you testing on some 32b arch? Otherwise ssize_t would be s64 and
int/unsigned int should be 32b so the missing cast would not matter?
> >> I don't quite recall the signed vs unsigned rules for this. Is
> >> stm.strp.offset also unsigned? which means that after head->len -
> >> skb->len resolves to unsigned 0 then we underflow?
> >
> > Here is a summary of the types for the variables involved:
> >
> > len => ssize_t (signed)
> > (ssize_t)head->len => unsigned int cast to ssize_t
> > skb->len => unsigned int, causes the whole comparison to use unsigned arithmetic
> > stm->strp.offset => int (see struct strp_msg)
> >
>
> Ah, right so if we don't cast skb->len then the entire thing uses
> unsigned arithmetic which results in the bad outcome for certain values
> of input.
>
> Casting would fix this. Another alternative would be to re-write the
> checks so that they don't fail when using unsigned arithmetic.
>
> Given that we already cast one to ssize_t, it does seem reasonable to
> just add the other cast as your patch did.
Agree. And adding a summary of the information in this thread to the
commit message would be really useful (clearly, this stuff is not so
obvious :)).
> >> If we don't actually use the strparser code anywhere then it could be
> >> dropped
> >
> > It is still used elsewhere, and ktls still uses some of the data structures.
> >
>
> Right. Fixing it makes the most sense, so that other users don't
> accidentally behave unexpectedly.
Agree. I didn't mean to dismiss the presence of a bug, sorry if it
sounded like that. But I was a bit unclear on the conditions, this
discussion is helpful.
--
Sabrina
next prev parent reply other threads:[~2025-11-06 15:22 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-04 17:42 [PATCH] strparser: Fix signed/unsigned mismatch bug Nate Karstens
2025-11-04 23:28 ` Sabrina Dubroca
2025-11-05 17:34 ` Nate Karstens
2025-11-05 22:29 ` Jacob Keller
2025-11-05 23:12 ` Nate Karstens
2025-11-05 23:47 ` Jacob Keller
2025-11-06 15:22 ` Sabrina Dubroca [this message]
2025-11-06 16:36 ` Nate Karstens
2025-11-06 16:51 ` [PATCH net v2] " Nate Karstens
2025-11-06 22:22 ` Jakub Kicinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQy9TZm4rpP3ZB4b@krikkit \
--to=sd@queasysnail.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jacob.e.keller@intel.com \
--cc=john.fastabend@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@treblig.org \
--cc=mrpre@163.com \
--cc=nate.karstens@garmin.com \
--cc=nate.karstens@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=tom@quantonium.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox