LVS
lvs-devel
[Top] [All Lists]
Google
 
Web LinuxVirtualServer.org
<prev [Date] next> <prev [Thread] next>

Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()

from [Julian Anastasov] [Permanent Link]
To: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Subject: Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Cc: "Gustavo A. R. Silva" <gustavo@xxxxxxxxxxxxxx>, Simon Horman <horms@xxxxxxxxxxxx>, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxx>, "David S. Miller" <davem@xxxxxxxxxxxxx>, Eric Dumazet <edumazet@xxxxxxxxxx>, Jakub Kicinski <kuba@xxxxxxxxxx>, Paolo Abeni <pabeni@xxxxxxxxxx>, netdev@xxxxxxxxxxxxxxx, lvs-devel@xxxxxxxxxxxxxxx, netfilter-devel@xxxxxxxxxxxxxxx, coreteam@xxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx, kernel-janitors@xxxxxxxxxxxxxxx
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 8 Mar 2025 14:06:53 +0200 (EET) 
        Hello,

On Fri, 7 Mar 2025, Dan Carpenter wrote:

> The get->num_services variable is an unsigned int which is controlled by
> the user.  The struct_size() function ensures that the size calculation
> does not overflow an unsigned long, however, we are saving the result to
> an int so the calculation can overflow.
> 
> Save the result from struct_size() type size_t to fix this integer
> overflow bug.
> 
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
> index 7d13110ce188..801d65fd8a81 100644
> --- a/net/netfilter/ipvs/ip_vs_ctl.c
> +++ b/net/netfilter/ipvs/ip_vs_ctl.c
> @@ -3091,12 +3091,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void 
> __user *user, int *len)
>       case IP_VS_SO_GET_SERVICES:
>       {
>               struct ip_vs_get_services *get;
> -             int size;
> +             size_t size;
>  
>               get = (struct ip_vs_get_services *)arg;
>               size = struct_size(get, entrytable, get->num_services);

        Both are GET operations. The problem that can happen only
on 64-bit platforms is that user will attempt copy_to_user() with
shorter buffer and will get EFAULT if there are so many entries to
return. On 32-bit size will be -1 and will not match *len (EINVAL).
So, I assume the issue is not critical, right?

>               if (*len != size) {
> -                     pr_err("length: %u != %u\n", *len, size);
> +                     pr_err("length: %u != %lu\n", *len, size);

        %zu, %lu fails on 32-bit platforms. Please, send v2
fixing the format.

>                       ret = -EINVAL;
>                       goto out;
>               }
> @@ -3132,12 +3132,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void 
> __user *user, int *len)
>       case IP_VS_SO_GET_DESTS:
>       {
>               struct ip_vs_get_dests *get;
> -             int size;
> +             size_t size;
>  
>               get = (struct ip_vs_get_dests *)arg;
>               size = struct_size(get, entrytable, get->num_dests);
>               if (*len != size) {
> -                     pr_err("length: %u != %u\n", *len, size);
> +                     pr_err("length: %u != %lu\n", *len, size);
>                       ret = -EINVAL;
>                       goto out;
>               }
> -- 
> 2.47.2

Regards

--
Julian Anastasov <ja@xxxxxx>
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Jan Engelhardt
Next by Date:  Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), kernel test robot
Previous by Thread:  Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), Jan Engelhardt
Next by Thread:  Re: [PATCH net] ipvs: prevent integer overflow in do_ip_vs_get_ctl(), kernel test robot
Indexes:  [Date] [Thread] [Top] [All Lists]