From patchwork Mon Mar 15 13:51:49 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 401553 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER, INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8109FC2BC0E for ; Mon, 15 Mar 2021 13:58:08 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 52C4C64F23 for ; Mon, 15 Mar 2021 13:58:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232111AbhCON5r (ORCPT ); Mon, 15 Mar 2021 09:57:47 -0400 Received: from mail.kernel.org ([198.145.29.99]:34068 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231760AbhCON5L (ORCPT ); Mon, 15 Mar 2021 09:57:11 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 06C2E64F01; Mon, 15 Mar 2021 13:56:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1615816618; bh=i5kk/hM9hB1ybFBjKO9kXNeWoWRQ6eg16y6EqfJXVAc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UnM+xPIiAhx2QllT9zRpxBi09JZ1P471G4mcuYqHWhgco8YyNfe2VpfMTIXCoVIAw BNZczvDyKwdp5dfHXeaqoUGuDQXckdpMhB5BTM+tru8SD6xJ9MGw3X6UjXy7xoY4K8 YawB1DX5SOA/Aucg1NKt5KwPhbsmSpvyZ4dae0yE= From: gregkh@linuxfoundation.org To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , Dan Carpenter , Arjun Roy , Jakub Kicinski Subject: [PATCH 5.10 016/290] tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE) Date: Mon, 15 Mar 2021 14:51:49 +0100 Message-Id: <20210315135542.489803245@linuxfoundation.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210315135541.921894249@linuxfoundation.org> References: <20210315135541.921894249@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Greg Kroah-Hartman From: Arjun Roy commit 2107d45f17bedd7dbf4178462da0ac223835a2a7 upstream. getsockopt(TCP_ZEROCOPY_RECEIVE) has a bug where we read a user-provided "len" field of type signed int, and then compare the value to the result of an "offsetofend" operation, which is unsigned. Negative values provided by the user will be promoted to large positive numbers; thus checking that len < offsetofend() will return false when the intention was that it return true. Note that while len is originally checked for negative values earlier on in do_tcp_getsockopt(), subsequent calls to get_user() re-read the value from userspace which may have changed in the meantime. Therefore, re-add the check for negative values after the call to get_user in the handler code for TCP_ZEROCOPY_RECEIVE. Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Arjun Roy Link: https://lore.kernel.org/r/20210225232628.4033281-1-arjunroy.kdev@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -3829,7 +3829,8 @@ static int do_tcp_getsockopt(struct sock if (get_user(len, optlen)) return -EFAULT; - if (len < offsetofend(struct tcp_zerocopy_receive, length)) + if (len < 0 || + len < offsetofend(struct tcp_zerocopy_receive, length)) return -EINVAL; if (len > sizeof(zc)) { len = sizeof(zc);