[Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
@ 2018-12-30 20:43 Cong Wang
  2018-12-31  0:52 ` Michael S. Tsirkin
  2019-01-01 19:59 ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Cong Wang @ 2018-12-30 20:43 UTC (permalink / raw)
  To: netdev; +Cc: Cong Wang, Michael S. Tsirkin, John Fastabend, Jason Wang

__ptr_ring_swap_queue() tries to move pointers from the old
ring to the new one, but it forgets to check if ->producer
is beyond the new size at the end of the operation. This leads
to an out-of-bound access in __ptr_ring_produce() as reported
by syzbot.

Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com
Fixes: 5d49de532002 ("ptr_ring: resize support")
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 include/linux/ptr_ring.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
index 6894976b54e3..186cd8e970c7 100644
--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
 		else if (destroy)
 			destroy(ptr);
 
+	if (producer >= size)
+		producer = 0;
 	__ptr_ring_set_size(r, size);
 	r->producer = producer;
 	r->consumer_head = 0;
-- 
2.19.2

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
  2018-12-30 20:43 [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() Cong Wang
@ 2018-12-31  0:52 ` Michael S. Tsirkin
  2019-01-01 18:58   ` Cong Wang
  2019-01-01 19:59 ` David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: Michael S. Tsirkin @ 2018-12-31  0:52 UTC (permalink / raw)
  To: Cong Wang; +Cc: netdev, John Fastabend, Jason Wang

On Sun, Dec 30, 2018 at 12:43:42PM -0800, Cong Wang wrote:
> __ptr_ring_swap_queue() tries to move pointers from the old
> ring to the new one, but it forgets to check if ->producer
> is beyond the new size at the end of the operation. This leads
> to an out-of-bound access in __ptr_ring_produce() as reported
> by syzbot.
> 
> Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com
> Fixes: 5d49de532002 ("ptr_ring: resize support")
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> ---
>  include/linux/ptr_ring.h | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/include/linux/ptr_ring.h b/include/linux/ptr_ring.h
> index 6894976b54e3..186cd8e970c7 100644
> --- a/include/linux/ptr_ring.h
> +++ b/include/linux/ptr_ring.h
> @@ -573,6 +573,8 @@ static inline void **__ptr_ring_swap_queue(struct ptr_ring *r, void **queue,
>  		else if (destroy)
>  			destroy(ptr);
>  
> +	if (producer >= size)
> +		producer = 0;
>  	__ptr_ring_set_size(r, size);
>  	r->producer = producer;
>  	r->consumer_head = 0;
> -- 
> 2.19.2

To clarify the commit log a little bit:

               if (producer < size)
                        queue[producer++] = ptr;

if the new size is smaller than the old one, we
producer can end up being equal to the new size thus
pointing one beyond the end of the array.

So when we allocated one extra entry it was fine, thus maybe we should rather list:

Fixes: 9fb582b67072 ("Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds"")


The patch itself is good though. So

Acked-by: Michael S. Tsirkin <mst@redhat.com>

and pls queue this for stable.

-- 
MST

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
  2018-12-31  0:52 ` Michael S. Tsirkin
@ 2019-01-01 18:58   ` Cong Wang
  0 siblings, 0 replies; 4+ messages in thread
From: Cong Wang @ 2019-01-01 18:58 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Linux Kernel Network Developers, John Fastabend, Jason Wang

On Sun, Dec 30, 2018 at 4:52 PM Michael S. Tsirkin <mst@redhat.com> wrote:
> So when we allocated one extra entry it was fine, thus maybe we should rather list:
>
> Fixes: 9fb582b67072 ("Revert "net: ptr_ring: otherwise safe empty checks can overrun array bounds"")
>
>

Good point, I totally forgot we once allocated one extra entry.

However, prior to commit bcecb4bbf88a which introduced the
extra one entry, this bug exists too, IIUC. Commit bcecb4bbf88a
is merged 18 months after commit 5d49de532002 which is
supposed to the one introduced this bug.

On the other hand, it does not harm even if we backport this
to a kernel release with commit bcecb4bbf88a.

Thanks.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue()
  2018-12-30 20:43 [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() Cong Wang
  2018-12-31  0:52 ` Michael S. Tsirkin
@ 2019-01-01 19:59 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2019-01-01 19:59 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, mst, john.fastabend, jasowang

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Sun, 30 Dec 2018 12:43:42 -0800

> __ptr_ring_swap_queue() tries to move pointers from the old
> ring to the new one, but it forgets to check if ->producer
> is beyond the new size at the end of the operation. This leads
> to an out-of-bound access in __ptr_ring_produce() as reported
> by syzbot.
> 
> Reported-by: syzbot+8993c0fa96d57c399735@syzkaller.appspotmail.com
> Fixes: 5d49de532002 ("ptr_ring: resize support")
> Cc: "Michael S. Tsirkin" <mst@redhat.com>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Jason Wang <jasowang@redhat.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied and queued up for -stable.

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2019-01-01 19:59 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-12-30 20:43 [Patch net] ptr_ring: wrap back ->producer in __ptr_ring_swap_queue() Cong Wang
2018-12-31  0:52 ` Michael S. Tsirkin
2019-01-01 18:58   ` Cong Wang
2019-01-01 19:59 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).