From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kal Conley, "David S. Miller"
Subject: [PATCH 3.18 021/134] net/packet: fix 4gb buffer limit due to overflow check
Date: Fri, 22 Mar 2019 12:13:54 +0100
Message-Id: <20190322111211.399278611@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190322111210.465931067@linuxfoundation.org>
References: <20190322111210.465931067@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kal Conley

[ Upstream commit fc62814d690cf62189854464f4bd07457d5e9e50 ]

When calculating rb->frames_per_block * req->tp_block_nr the result can overflow. Check it for overflow without limiting the total buffer size to UINT_MAX. This change fixes support for packet ring buffers >= UINT_MAX.

Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr")
Signed-off-by: Kal Conley
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/packet/af_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -3894,7 +3894,7 @@ static int packet_set_ring(struct sock * rb->frames_per_block = req->tp_block_size/req->tp_frame_size; if (unlikely(rb->frames_per_block <= 0)) goto out; - if (unlikely(req->tp_block_size > UINT_MAX / req->tp_block_nr)) + if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr)) goto out; if (unlikely((rb->frames_per_block * req->tp_block_nr) != req->tp_frame_nr))
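
Review bot: The replacement check `rb->frames_per_block > UINT_MAX / req->tp_block_nr` bounds only the frame count, so the total ring size in bytes (`req->tp_block_size * req->tp_block_nr`) is no longer capped at UINT_MAX as it was by the removed line. That matches the stated intent, but for this 3.18 backport it is worth confirming that nothing else in packet_set_ring or its callers computes that byte product in 32-bit arithmetic, since the hunk does not show those users. A short comment above the check saying that it guards the `rb->frames_per_block * req->tp_block_nr` multiplication on the following line, not the buffer size, would help: the Fixes: tag shows this check has already been revised once. The division also relies on `req->tp_block_nr` being non-zero, and that guard is not visible in this context.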