From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, YueHaibing <yuehaibing@huawei.com>,
Eric Dumazet <edumazet@google.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 28/91] tcp: restrict net.ipv4.tcp_app_win
Date: Tue, 18 Apr 2023 14:21:32 +0200
Message-ID: <20230418120306.566342112@linuxfoundation.org>
In-Reply-To: <20230418120305.520719816@linuxfoundation.org>
From: YueHaibing <yuehaibing@huawei.com>
[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
shift exponent 255 is too large for 32-bit type 'int'
CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x136/0x150
__ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
tcp_init_transfer.cold+0x3a/0xb9
tcp_finish_connect+0x1d0/0x620
tcp_rcv_state_process+0xd78/0x4d60
tcp_v4_do_rcv+0x33d/0x9d0
__release_sock+0x133/0x3b0
release_sock+0x58/0x1b0
'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/networking/ip-sysctl.rst | 2 ++
net/ipv4/sysctl_net_ipv4.c | 3 +++
2 files changed, 5 insertions(+)
diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
index ba0e8e6337c0a..7890b395e629b 100644
--- a/Documentation/networking/ip-sysctl.rst
+++ b/Documentation/networking/ip-sysctl.rst
@@ -322,6 +322,8 @@ tcp_app_win - INTEGER
Reserve max(window/2^tcp_app_win, mss) of window for application
buffer. Value 0 is special, it means that nothing is reserved.
+ Possible values are [0, 31], inclusive.
+
Default: 31
tcp_autocorking - BOOLEAN
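Review bot: The added sentence "Possible values are [0, 31], inclusive." gives the range but not what happens outside it. The field is a u8 and the UBSAN report above shows an exponent of 255 reaching the shift, so larger values were accepted before this change. Consider stating that writes above 31 are now rejected, not clamped, so an administrator with an existing larger setting knows the write will fail.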
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 495c58e442e2a..1f22e72074fdc 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -38,6 +38,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
static int ip_local_port_range_max[] = { 65535, 65535 };
static int tcp_adv_win_scale_min = -31;
static int tcp_adv_win_scale_max = 31;
+static int tcp_app_win_max = 31;
static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
static int tcp_min_snd_mss_max = 65535;
static int ip_privileged_port_min;
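Review bot: `tcp_app_win_max = 31` is a bare magic number placed next to `tcp_adv_win_scale_max = 31`, with nothing tying it to its reason. A one-line comment saying that 31 is the largest valid shift count for the int 'maxwin' named in the commit message (or deriving the bound from the type width) would keep it from drifting if that variable's type ever changes.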
@@ -1168,6 +1169,8 @@ static struct ctl_table ipv4_net_table[] = {
.maxlen = sizeof(u8),
.mode = 0644,
.proc_handler = proc_dou8vec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = &tcp_app_win_max,
},
{
.procname = "tcp_adv_win_scale",
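Review bot: The range is enforced only on the sysctl write path, through `.extra1`/`.extra2` in this table entry; the shift site reported at net/ipv4/tcp_input.c:555 is not touched by the patch. It is worth confirming in the changelog that no other code path stores into this field. As a minor point, `.extra1 = SYSCTL_ZERO` is redundant for a `sizeof(u8)` field, which cannot hold a negative value, though it is harmless.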
--
2.39.2
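For administrators picking up this stable update, a small audit of sysctl configuration text for `net.ipv4.tcp_app_win` values outside the [0, 31] range that the patch begins to enforce. This is an added example, not part of the patch or the kernel tree; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sysctl.conf-style settings of net.ipv4.tcp_app_win
# that a kernel carrying this patch will reject (anything outside 0..31).

# check_tcp_app_win: reads sysctl.conf / sysctl.d style text on stdin,
# prints one line per offending setting, returns 1 if any were found.
check_tcp_app_win() {
    awk '
        /^[ \t]*[#;]/ { next }              # comment lines
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)      # leading blanks, optional "-" prefix
            eq = index(line, "=")
            if (eq == 0) next               # not an assignment
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            gsub(/\//, ".", key)            # accept net/ipv4/tcp_app_win too
            if (key != "net.ipv4.tcp_app_win") next
            if (val !~ /^[0-9]+$/ || val + 0 > 31) {
                printf "line %d: value %s out of range [0, 31]\n", NR, val
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample input, not taken from any real system.
check_tcp_app_win <<'EOF' || true
# constructed sample
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_app_win=255
-net/ipv4/tcp_app_win = 32
net.ipv4.tcp_adv_win_scale = 40
EOF
```

To audit a host, feed it the real files, for example `cat /etc/sysctl.conf /etc/sysctl.d/*.conf | check_tcp_app_win`; reported line numbers then count across the concatenated input.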