From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, Pavel Emelyanov, "David S. Miller"
Subject: [PATCH 3.18 18/23] tcp: fix TCP_REPAIR_QUEUE bound checking
Date: Mon, 14 May 2018 08:48:47 +0200
Message-Id: <20180514064704.818700522@linuxfoundation.org>
In-Reply-To: <20180514064704.046463679@linuxfoundation.org>
References: <20180514064704.046463679@linuxfoundation.org>
X-stable: review
List-ID: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Eric Dumazet

commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream.

syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
with the following C repro:

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
writev(3, [{"\270", 1}], 1) = 1
setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144

The 3rd system call looks odd:
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0

This patch makes sure bound checking is using an unsigned compare.

Fixes: ee9952831cfd ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Pavel Emelyanov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c @@ -2461,7 +2461,7 @@ static int do_tcp_setsockopt(struct sock case TCP_REPAIR_QUEUE: if (!tp->repair) err = -EPERM; - else if (val < TCP_QUEUES_NR) + else if ((unsigned int)val < TCP_QUEUES_NR) tp->repair_queue = val; else err = -EINVAL;
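Review bot: in the TCP_REPAIR_QUEUE hunk, `(unsigned int)val < TCP_QUEUES_NR` rejects negative input only because the cast wraps a negative int to a value of at least 2^31 and TCP_QUEUES_NR is a small non-negative enumerator; a reader has to know both facts to see why [-1] now fails where it previously passed and was stored into tp->repair_queue. Spelling the intent out, `else if (val < 0 || val >= TCP_QUEUES_NR) err = -EINVAL;`, reads as a range check rather than a conversion trick, and the one-line commit explanation ("bound checking is using an unsigned compare") would be easier to audit if it also said what a stored -1 goes on to do, since the visible symptom is the WARN_ON() in tcp_verify_left_out() rather than the setsockopt() itself.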
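The signed-versus-unsigned bound check is the whole patch, so here is a user-space model of it as an added example. This is not kernel code and not part of the patch: the enum values mirror the public `TCP_NO_QUEUE`, `TCP_RECV_QUEUE`, `TCP_SEND_QUEUE`, `TCP_QUEUES_NR` constants from the uapi tcp.h, `struct repair_sock` is a stand-in for the two tcp_sock fields the hunk touches, and the function names are invented for this illustration. The pre-patch check accepts -1 (and INT_MIN) because the comparison is signed; the post-patch check maps every negative value above TCP_QUEUES_NR and so agrees with a plain range test.

```c
/* Added example, not kernel code: models the TCP_REPAIR_QUEUE bound
 * check in do_tcp_setsockopt() before and after the patch. The enum
 * mirrors the uapi tcp.h constants; struct repair_sock and the
 * function names are stand-ins invented for this illustration. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum { TCP_NO_QUEUE, TCP_RECV_QUEUE, TCP_SEND_QUEUE, TCP_QUEUES_NR };

struct repair_sock {
    int repair;        /* set by TCP_REPAIR */
    int repair_queue;  /* set by TCP_REPAIR_QUEUE */
};

/* Pre-patch check: signed compare, so val = -1 satisfies
 * val < TCP_QUEUES_NR and -1 is stored as the queue selector. */
int set_repair_queue_signed(struct repair_sock *tp, int val)
{
    if (!tp->repair)
        return -EPERM;
    if (val < TCP_QUEUES_NR) {
        tp->repair_queue = val;
        return 0;
    }
    return -EINVAL;
}

/* Post-patch check: the cast turns any negative val into a value of at
 * least 2^31, which is never below TCP_QUEUES_NR, so only 0..2 pass. */
int set_repair_queue_unsigned(struct repair_sock *tp, int val)
{
    if (!tp->repair)
        return -EPERM;
    if ((unsigned int)val < TCP_QUEUES_NR) {
        tp->repair_queue = val;
        return 0;
    }
    return -EINVAL;
}

/* Run one value through the chosen check on a socket already in repair
 * mode and return the errno-style result (0 on accept). */
int probe(int fixed, int val)
{
    struct repair_sock tp = { .repair = 1, .repair_queue = TCP_NO_QUEUE };
    return fixed ? set_repair_queue_unsigned(&tp, val)
                 : set_repair_queue_signed(&tp, val);
}

/* Sweep the interesting inputs; returns how many out-of-range values
 * the signed check wrongly accepted, and aborts if the fixed check ever
 * disagrees with a plain 0 <= val < TCP_QUEUES_NR range test. */
int count_signed_false_accepts(void)
{
    const int probes[] = { INT_MIN, -1, 0, 1, 2, 3, INT_MAX };
    int bad = 0;
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int in_range = probes[i] >= 0 && probes[i] < TCP_QUEUES_NR;
        if (probe(0, probes[i]) == 0 && !in_range)
            bad++;
        if ((probe(1, probes[i]) == 0) != in_range)
            abort();
    }
    return bad;
}

int main(void)
{
    printf("signed check wrongly accepted %d out-of-range values\n",
           count_signed_false_accepts());
    printf("fixed check on -1: %d (expected -EINVAL = %d)\n",
           probe(1, -1), -EINVAL);
    return 0;
}
```

The same trap applies to any user-supplied `int` compared against an enum or array bound with a signed `<`; casting to `unsigned` folds the negative range into the rejected range in one comparison, which is why the patch is a one-character fix rather than a second `val < 0` test.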