Thread (7 messages) 7 messages, 3 authors, 2025-01-15

Re: [PATCH net] nfp: bpf: prevent integer overflow in nfp_bpf_event_output()

From: Alexander Lobakin <aleksander.lobakin@intel.com>
Date: 2025-01-14 17:18:01
Also in: bpf, kernel-janitors, lkml

From: Dan Carpenter <redacted>
Date: Tue, 14 Jan 2025 13:45:04 +0300
[ I tried to send this email yesterday but apparently gmail blocked
  it for security reasons?  So weird. - dan ]

On Mon, Jan 13, 2025 at 01:32:11PM +0100, Alexander Lobakin wrote:
quoted
From: Dan Carpenter <redacted>
Date: Mon, 13 Jan 2025 09:18:39 +0300
quoted
The "sizeof(struct cmsg_bpf_event) + pkt_size + data_size" math could
potentially have an integer wrapping bug on 32bit systems.  Check for
Not in practice I suppose? Do we need to fix "never" bugs?
No, this is from static analysis.  We don't need to fix never bugs.

This is called from nfp_bpf_ctrl_msg_rx() and nfp_bpf_ctrl_msg_rx_raw()
and I assumed that since pkt_size and data_size come from skb->data on
the rx path then they couldn't be trusted.
skbs are always valid and skb->len could never cross INT_MAX to provoke
an overflow.
Where is the bounds checking?

regards,
dan carpenter
Thanks,
Olek
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help