Received: by 10.223.176.5 with SMTP id f5csp505267wra; Tue, 6 Feb 2018 02:44:15 -0800 (PST) X-Google-Smtp-Source: AH8x225c/jsIi+emyOVA+bV9y++WTBrPEQSEsHlv2RZZcSZwETQwWO5mvxlmMczc7WLp/PkWyiBp X-Received: by 10.99.181.13 with SMTP id y13mr1609656pge.196.1517913855754; Tue, 06 Feb 2018 02:44:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517913855; cv=none; d=google.com; s=arc-20160816; b=EZiKR4G3Dsi2JM/lby5DUDKnb1E8XXV7eq8S6/A3PgHhGBfZzdwaXLHl9oibG9SCqF gNy3o9b7WvL+7PkLH3Y63isxM6SJgwfbRxPxgYognEZZPHMIsOquXdsL5zzPUBq/rTee b9Qr4QrpwHcVLm7oH2lN7uNqdgPO5o3/Ldfqrb25YmpUvAdZ8fH1m+NJ8Gszrps2ZSx2 ONtcNWwscNEWVQG3qUnQ2hjshYBYz2nLdoJquB9iJ1uk1RJRQW2AHCn9NcZYGLdr18ne pec2++hZR/VOe45Cs+hqUzXgg9Ym98HYaFlXdDI2Cu/TQtUmzrGaeeQSsNQoNDJ/OCD9 tUYg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature :arc-authentication-results; bh=P4cSberP3h1jMxnY04d1HEXioMeMOeoVpJKtriD5djs=; b=A8MehVHr31JUdd/WR15OWizZR7ETwjndk874/yvJ0jBV/a8Sg6C4TZfcex6TqTKZZR K5qB9HKAU5atsgz94uEImtJdUMdQTaOuzJMpFo03Rl0i06bQx2UXabjQH1Xec8JJVXnz cIEV3EK5RyEN970IRwwgAr1pckd3s53Yg8//qVdmC0ufjrB9KL7U5GNJIqZXgeYctLIW zegj0VLh2MA0FR3ukkC9D7gFl01oB1Nj/rzgyvtGX7gdvgpMI7tQ/xBjKw80MiUTb6KS KbWruaLw7Odu9a9qr6PhDbYzQ6dFINVI2QQOzPoIxWjlw1jULsMDFp4uKtpG6jnhxkAc kvMw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Olou6w7R; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 37-v6si1277005plc.215.2018.02.06.02.44.01; Tue, 06 Feb 2018 02:44:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=Olou6w7R; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752680AbeBFKmh (ORCPT + 99 others); Tue, 6 Feb 2018 05:42:37 -0500 Received: from mail-qk0-f196.google.com ([209.85.220.196]:42999 "EHLO mail-qk0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752572AbeBFKmc (ORCPT ); Tue, 6 Feb 2018 05:42:32 -0500 Received: by mail-qk0-f196.google.com with SMTP id f68so1634034qke.9; Tue, 06 Feb 2018 02:42:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=P4cSberP3h1jMxnY04d1HEXioMeMOeoVpJKtriD5djs=; b=Olou6w7RTFyZPGYZc13VtSpFfjKQf24BTJSJ+1K4YnhwYoj7Fd5dtrdSSVBklex6ZZ O+j7NPYcW9SUIyvIh4+TKrBLvGh9kjLV4X9zubSVGxnPumblC3A8slpGjkIKwGvrwCZo sS6uem6aqMef9LhfD7nmEzw5e4aFz19JL9yEW7H17NItra2XHqoCCfz0zeCh7D3AwGHA 39+VTC3h1eAfX4fCOj9XTmBkEPjJMQzLOUMHDxGxMjiRelteNtrrWe56gbgfIFQmtw73 KHkYQiOInMpidrxOjptW2ApvDZFnpF4STjvX4/u7MVA7vY5FKthxJIeU1I0x7Oe9jXRB RkcQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=P4cSberP3h1jMxnY04d1HEXioMeMOeoVpJKtriD5djs=; b=P5QhR8axQlMpiuheL/1f2TL2K7Jnaful64AEAecTKZ6Ciwb0O2jhQaoAenVwXOe0Z5 dCqq7cH/FTk69aQLiDMuTGfotgS2/pO/P6clfZrr+umxUX/XSJeZ6Ak+MzHzDrJjIf25 UxqvgT6tqk11qcVfLyOYiSrSYsJcwaspeV3MTuSQeGaUIPHEuWYbBO3heZOiSFq4FSAb gL3/OQ+t3P2rTgrP4YtN64QNbEYnU1tcZyKyOGauRUnWuoy4NY9CZL3TKmULlk83MOUL 6A7kKzWlCrxDsR8DG4aNqPvQ7yZD9dD4xcxXth3xC/Q6Fkdi0gS2ilKRGink0VeHvuny C/TA== X-Gm-Message-State: APf1xPDvLzcv5DC+yo7hiVfzSrQgZ+TBolgnyg2MtEkgkpZFBMUXkOo5 irr9YDv24sbQehUAITL8dpr/B2yzAtmgcTHOYQU= X-Received: by 10.55.42.145 with SMTP id q17mr2632096qkq.87.1517913751191; Tue, 06 Feb 2018 02:42:31 -0800 (PST) MIME-Version: 1.0 Received: by 10.140.36.203 with HTTP; Tue, 6 Feb 2018 02:42:30 -0800 (PST) In-Reply-To: <4eedae3f4cb14e178c073c183ef134c6@AcuMS.aculab.com> References: <20180203180015.29073-1-alexander.levin@microsoft.com> <20180203180015.29073-19-alexander.levin@microsoft.com> <4eedae3f4cb14e178c073c183ef134c6@AcuMS.aculab.com> From: Xin Long Date: Tue, 6 Feb 2018 18:42:30 +0800 Message-ID: Subject: Re: [PATCH AUTOSEL for 4.14 019/110] sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege To: David Laight Cc: Sasha Levin , "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" , "David S . Miller" Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Feb 5, 2018 at 7:35 PM, David Laight wrote: > From: Sasha Levin >> Sent: 03 February 2018 18:01 >> [ Upstream commit 5c468674d17056148da06218d4da5d04baf22eac ] >> >> Now when reneging events in sctp_ulpq_renege(), the variable freed >> could be increased by a __u16 value twice while freed is of __u16 >> type. It means freed may overflow at the second addition. >> >> This patch is to fix it by using __u32 type for 'freed', while at >> it, also to remove 'if (chunk)' check, as all renege commands are >> generated in sctp_eat_data and it can't be NULL. >> >> Reported-by: Marcelo Ricardo Leitner >> Signed-off-by: Xin Long >> Acked-by: Neil Horman >> Signed-off-by: David S. Miller >> Signed-off-by: Sasha Levin >> --- >> net/sctp/ulpqueue.c | 24 ++++++++---------------- >> 1 file changed, 8 insertions(+), 16 deletions(-) >> >> diff --git a/net/sctp/ulpqueue.c b/net/sctp/ulpqueue.c >> index a71be33f3afe..e36ec5dd64c6 100644 >> --- a/net/sctp/ulpqueue.c >> +++ b/net/sctp/ulpqueue.c >> @@ -1084,29 +1084,21 @@ void sctp_ulpq_partial_delivery(struct sctp_ulpq *ulpq, >> void sctp_ulpq_renege(struct sctp_ulpq *ulpq, struct sctp_chunk *chunk, >> gfp_t gfp) >> { >> - struct sctp_association *asoc; >> - __u16 needed, freed; >> - >> - asoc = ulpq->asoc; >> + struct sctp_association *asoc = ulpq->asoc; >> + __u32 freed = 0; >> + __u16 needed; >> >> - if (chunk) { >> - needed = ntohs(chunk->chunk_hdr->length); >> - needed -= sizeof(struct sctp_data_chunk); >> - } else >> - needed = SCTP_DEFAULT_MAXWINDOW; >> - >> - freed = 0; >> + needed = ntohs(chunk->chunk_hdr->length) - >> + sizeof(struct sctp_data_chunk); >> >> if (skb_queue_empty(&asoc->base.sk->sk_receive_queue)) { >> freed = sctp_ulpq_renege_order(ulpq, needed); >> - if (freed < needed) { >> + if (freed < needed) >> freed += sctp_ulpq_renege_frags(ulpq, needed - freed); >> - } >> } >> /* If able to free enough room, accept this chunk. */ >> - if (chunk && (freed >= needed)) { >> - int retval; >> - retval = sctp_ulpq_tail_data(ulpq, chunk, gfp); >> + if (freed >= needed) { >> + int retval = sctp_ulpq_tail_data(ulpq, chunk, gfp); >> /* >> * Enter partial delivery if chunk has not been >> * delivered; otherwise, drain the reassembly queue. > > Hmmm... > ISTM that all the maths should be done using 'unsigned int' to avoid horrid > masking operations on many cpus.... You meant 'if (u32 >= u16)' is not good ? If so, I did some tests: # x.c int main() { unsigned int a = 1; unsigned short b = 1; if (a > b) <---- a++; } # y.c int main() { unsigned int a = 1; unsigned int b = 1; if (a > b) <---- a++; } # x.s movl $1, -4(%rbp) movw $1, -6(%rbp) movzwl -6(%rbp), %eax cmpl -4(%rbp), %eax # y.s movl $1, -4(%rbp) movl $1, -8(%rbp) movl -4(%rbp), %eax cmpl -8(%rbp), %eax So looks like x.c vs y.c is: movzwl vs movl does it matter?