From: "Xiang Mei (Microsoft)" <xmei5@asu.edu>
To: Eric Dumazet <edumazet@google.com>,
Kuniyuki Iwashima <kuniyu@google.com>,
Paolo Abeni <pabeni@redhat.com>,
Willem de Bruijn <willemb@google.com>,
"David S . Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Simon Horman <horms@kernel.org>
Cc: Wei Wang <weiwan@google.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
AutonomousCodeSecurity@microsoft.com,
tgopinath@linux.microsoft.com, kys@microsoft.com,
"Xiang Mei (Microsoft)" <xmei5@asu.edu>
Subject: [PATCH net] net: sock: prevent integer overflow in sock_reserve_memory()
Date: Sat, 11 Jul 2026 00:59:55 +0000 [thread overview]
Message-ID: <20260711005955.1467140-1-xmei5@asu.edu> (raw)
sock_reserve_memory() adds 'pages << PAGE_SHIFT' (a plain int) to the int
sk->sk_forward_alloc. An unprivileged SO_RESERVE_MEM caller can drive the
accumulating counter past INT_MAX and wrap it negative, either in one
INT_MAX request (0x80000000) or across several smaller ones.
The corrupted sk_forward_alloc then trips WARN_ON_ONCE() in
inet_sock_destruct() on close (a panic under panic_on_warn/oops=panic).
Bound the field that overflows: compute the new sk_forward_alloc in u64 and
reject with -EINVAL anything exceeding INT_MAX.
Kernel panic - not syncing: kernel: panic_on_warn set ...
__warn (kernel/panic.c:1054)
...
RIP: 0010:inet_sock_destruct (net/ipv4/af_inet.c:161)
__sk_destruct (net/core/sock.c:2357)
inet_release (net/ipv4/af_inet.c:442)
sock_close (net/socket.c:1501)
__fput (fs/file_table.c:512)
__x64_sys_close (fs/open.c:1511)
do_syscall_64 (arch/x86/entry/syscall_64.c:94)
Fixes: 2bb2f5fb21b0 ("net: add new socket option SO_RESERVE_MEM")
Reported-by: AutonomousCodeSecurity@microsoft.com
Signed-off-by: Xiang Mei (Microsoft) <xmei5@asu.edu>
---
net/core/sock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/core/sock.c b/net/core/sock.c
index 8a59bfaa8096..2ba95bead1ae 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1042,6 +1042,9 @@ static int sock_reserve_memory(struct sock *sk, int bytes)
pages = sk_mem_pages(bytes);
+ if ((u64)sk->sk_forward_alloc + ((u64)pages << PAGE_SHIFT) > INT_MAX)
+ return -EINVAL;
+
/* pre-charge to memcg */
charged = mem_cgroup_sk_charge(sk, pages,
GFP_KERNEL | __GFP_RETRY_MAYFAIL);
--
2.43.0
next reply other threads:[~2026-07-11 0:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-11 0:59 Xiang Mei (Microsoft) [this message]
2026-07-11 13:13 ` [PATCH net] net: sock: prevent integer overflow in sock_reserve_memory() Kuniyuki Iwashima
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260711005955.1467140-1-xmei5@asu.edu \
--to=xmei5@asu.edu \
--cc=AutonomousCodeSecurity@microsoft.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=kuniyu@google.com \
--cc=kys@microsoft.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tgopinath@linux.microsoft.com \
--cc=weiwan@google.com \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox