* [PATCH][next] tls: Use size_add() in call to struct_size()
@ 2023-09-15 19:12 Gustavo A. R. Silva
2023-09-15 19:42 ` Kees Cook
2023-09-18 8:40 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Gustavo A. R. Silva @ 2023-09-15 19:12 UTC (permalink / raw)
To: Boris Pismenny, John Fastabend, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni
Cc: netdev, linux-kernel, Gustavo A. R. Silva, linux-hardening
If, for any reason, the open-coded arithmetic causes a wraparound,
the protection that `struct_size()` adds against potential integer
overflows is defeated. Fix this by hardening call to `struct_size()`
with `size_add()`.
Fixes: b89fec54fd61 ("tls: rx: wrap decrypt params in a struct")
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
---
net/tls/tls_sw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index d1fc295b83b5..270712b8d391 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1487,7 +1487,7 @@ static int tls_decrypt_sg(struct sock *sk, struct iov_iter *out_iov,
*/
aead_size = sizeof(*aead_req) + crypto_aead_reqsize(ctx->aead_recv);
aead_size = ALIGN(aead_size, __alignof__(*dctx));
- mem = kmalloc(aead_size + struct_size(dctx, sg, n_sgin + n_sgout),
+ mem = kmalloc(aead_size + struct_size(dctx, sg, size_add(n_sgin, n_sgout)),
sk->sk_allocation);
if (!mem) {
err = -ENOMEM;
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH][next] tls: Use size_add() in call to struct_size()
2023-09-15 19:12 [PATCH][next] tls: Use size_add() in call to struct_size() Gustavo A. R. Silva
@ 2023-09-15 19:42 ` Kees Cook
2023-09-18 8:40 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Kees Cook @ 2023-09-15 19:42 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: Boris Pismenny, John Fastabend, Jakub Kicinski, David S. Miller,
Eric Dumazet, Paolo Abeni, netdev, linux-kernel, linux-hardening
On Fri, Sep 15, 2023 at 01:12:38PM -0600, Gustavo A. R. Silva wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
> Fixes: b89fec54fd61 ("tls: rx: wrap decrypt params in a struct")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
--
Kees Cook
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH][next] tls: Use size_add() in call to struct_size()
2023-09-15 19:12 [PATCH][next] tls: Use size_add() in call to struct_size() Gustavo A. R. Silva
2023-09-15 19:42 ` Kees Cook
@ 2023-09-18 8:40 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-09-18 8:40 UTC (permalink / raw)
To: Gustavo A. R. Silva
Cc: borisp, john.fastabend, kuba, davem, edumazet, pabeni, netdev,
linux-kernel, linux-hardening
Hello:
This patch was applied to netdev/net-next.git (main)
by David S. Miller <davem@davemloft.net>:
On Fri, 15 Sep 2023 13:12:38 -0600 you wrote:
> If, for any reason, the open-coded arithmetic causes a wraparound,
> the protection that `struct_size()` adds against potential integer
> overflows is defeated. Fix this by hardening call to `struct_size()`
> with `size_add()`.
>
> Fixes: b89fec54fd61 ("tls: rx: wrap decrypt params in a struct")
> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
>
> [...]
Here is the summary with links:
- [next] tls: Use size_add() in call to struct_size()
https://git.kernel.org/netdev/net-next/c/a2713257ee2b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-09-18 8:40 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-09-15 19:12 [PATCH][next] tls: Use size_add() in call to struct_size() Gustavo A. R. Silva
2023-09-15 19:42 ` Kees Cook
2023-09-18 8:40 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).