Thread (5 messages) 5 messages, 4 authors, 2025-01-21

Re: [PATCH net] net/rose: prevent integer overflows in rose_setsockopt()

From: Nikita Zhandarovich <hidden>
Date: 2025-01-16 12:38:05
Also in: kernel-janitors, linux-hams, lkml, stable

Hello,

On 1/15/25 18:04, Su Hui wrote:
On 2025/1/16 07:29, David Laight wrote:
quoted
On Wed, 15 Jan 2025 08:42:20 -0800
Nikita Zhandarovich [off-list ref] wrote:
quoted
In case of possible unpredictably large arguments passed to
rose_setsockopt() and multiplied by extra values on top of that,
integer overflows may occur.

Do the safest minimum and fix these issues by checking the
contents of 'opt' and returning -EINVAL if they are too large. Also,
switch to unsigned int and remove useless check for negative 'opt'
in ROSE_IDLE case.

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Nikita Zhandarovich <redacted>
---
  net/rose/af_rose.c | 16 ++++++++--------
  1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 59050caab65c..72c65d938a15 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -397,15 +397,15 @@ static int rose_setsockopt(struct socket *sock,
int level, int optname,
  {
      struct sock *sk = sock->sk;
      struct rose_sock *rose = rose_sk(sk);
-    int opt;
+    unsigned int opt;
        if (level != SOL_ROSE)
          return -ENOPROTOOPT;
  -    if (optlen < sizeof(int))
+    if (optlen < sizeof(unsigned int))
          return -EINVAL;
  -    if (copy_from_sockptr(&opt, optval, sizeof(int)))
+    if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
Shouldn't all those be 'sizeof (opt)' ?

    David
Agreed, but my thinking was to keep it somewhat symmetrical to other
similar checks in XXX_setsockopt(). For instance, in net/ax25/af_ax25.c,
courtesy of commit 7b75c5a8c41 ("net: pass a sockptr_t into
->setsockopt") an explicit type is used.

I don't mind sending v2, as it would be a bit neater.
quoted
quoted
          return -EFAULT;
        switch (optname) {
@@ -414,31 +414,31 @@ static int rose_setsockopt(struct socket *sock,
int level, int optname,
          return 0;
        case ROSE_T1:
-        if (opt < 1)
+        if (opt < 1 || opt > UINT_MAX / HZ)
'rose->t1' is unsigned long, how about 'opt > ULONG_MAX / HZ' ?

BTW, I think only in 32bit or 16bit machine when 'sizeof(int) ==
sizeof(unsigned long)',
this integer overflows may occur..

Su Hui
Here I was influenced by commits dc35616e6c29 ("netrom: fix api breakage
in nr_setsockopt()") and 9371937092d5 ("ax25: uninitialized variable in
ax25_setsockopt()") that essentially state that we only copy 4 bytes
from userspace so opt being ulong is not desired. Even if the result of
* HZ ends up stored in ulong 'XXX->t1'.

I may be wrong but I think same principle applies to rose_setsockopt().

All we need to do here is to enable a sanity check that there is no
int/uint overflow in right hand expression before the result gets stored
in ulong.
quoted
quoted
              return -EINVAL;
          rose->t1 = opt * HZ;
          return 0;
        case ROSE_T2:
-        if (opt < 1)
+        if (opt < 1 || opt > UINT_MAX / HZ)
              return -EINVAL;
          rose->t2 = opt * HZ;
          return 0;
        case ROSE_T3:
-        if (opt < 1)
+        if (opt < 1 || opt > UINT_MAX / HZ)
              return -EINVAL;
          rose->t3 = opt * HZ;
          return 0;
        case ROSE_HOLDBACK:
-        if (opt < 1)
+        if (opt < 1 || opt > UINT_MAX / HZ)
              return -EINVAL;
          rose->hb = opt * HZ;
          return 0;
        case ROSE_IDLE:
-        if (opt < 0)
+        if (opt > UINT_MAX / (60 * HZ))
              return -EINVAL;
          rose->idle = opt * 60 * HZ;
          return 0;
Regards,
Nikita
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help