Thread (7 messages) 7 messages, 3 authors, 2025-01-15

Re: [PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()

From: Dan Carpenter <hidden>
Date: 2025-01-14 10:45:09
Also in: bpf, kernel-janitors, lkml

[ I tried to send this email yesterday but apparently gmail blocked
  it for security reasons?  So weird. - dan ]

On Mon, Jan 13, 2025 at 01:32:11PM +0100, Alexander Lobakin wrote:
From: Dan Carpenter <redacted>
Date: Mon, 13 Jan 2025 09:18:39 +0300
quoted
The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
potentially have an integer wrapping bug on 32bit systems.  Check for
Not in practice I suppose? Do we need to fix "never" bugs?
No, this is from static analysis.  We don't need to fix never bugs.

This is called from nfp_bpf_ctrl_msg_rx() and nfp_bpf_ctrl_msg_rx_raw()
and I assumed that since pkt_size and data_size come from skb->data on
the rx path then they couldn't be trusted.

Where is the bounds checking?

regards,
dan carpenter
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help