From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Michael S. Tsirkin" Subject: Re: [PATCH net-next] ptr_ring: fix integer overflow Date: Thu, 25 Jan 2018 15:45:25 +0200 Message-ID: <20180125154255-mutt-send-email-mst@kernel.org> References: <1516865502-20835-1-git-send-email-jasowang@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, John Fastabend To: Jason Wang Return-path: Content-Disposition: inline In-Reply-To: <1516865502-20835-1-git-send-email-jasowang@redhat.com> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org On Thu, Jan 25, 2018 at 03:31:42PM +0800, Jason Wang wrote: > We try to allocate one more entry for lockless peeking. The adding > operation may overflow which causes zero to be passed to kmalloc(). > In this case, it returns ZERO_SIZE_PTR without any notice by ptr > ring. Try to do producing or consuming on such ring will lead NULL > dereference. Fix this detect and fail early. > > Fixes: bcecb4bbf88a ("net: ptr_ring: otherwise safe empty checks can overrun array bounds") > Reported-by: syzbot+87678bcf753b44c39b67@syzkaller.appspotmail.com > Cc: John Fastabend > Signed-off-by: Jason Wang Ugh that's just way too ugly. I'll work on dropping the extra + 1 - but calling this function with -1 size is the real source of the bug. Do you know how come we do that? > --- > include/linux/ptr_ring.h | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h > index 9ca1726..3f99484 100644 > --- a/include/linux/ptr_ring.h > +++ b/include/linux/ptr_ring.h > @@ -453,6 +453,8 @@ static inline int ptr_ring_consume_batched_bh(struct ptr_ring *r, > > static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp) > { > + if (unlikely(size + 1 == 0)) > + return NULL; > /* Allocate an extra dummy element at end of ring to avoid consumer head > * or produce head access past the end of the array. Possible when > * producer/consumer operations and __ptr_ring_peek operations run in > -- > 2.7.4