Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp2096885ybl; Thu, 30 Jan 2020 11:17:59 -0800 (PST) X-Google-Smtp-Source: APXvYqxT3cXHtBl86/zAlhRsGibGmwJoJhg62g4i7f7lA+9/cyUYL6CkByIGQk9hITG5fvQp0djO X-Received: by 2002:aca:3f43:: with SMTP id m64mr1583531oia.165.1580411879040; Thu, 30 Jan 2020 11:17:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1580411879; cv=none; d=google.com; s=arc-20160816; b=nApZ1foYlFXdrRavT0UM7l6qlZbyK8FVx4ODOM0DMwzfqM/2xlKO/gNmEFHuvfSDDC 2ATDlvnKMWaEI3ePc7zp1w9S6kO/c9kXmHqS2NZkcskn+c1hMhJL+0SYnXX5PYlOm9+5 VG8wz1daG/DJJBPp9RMeATXalMzeR+ATRk6fTWYT2/dw1d0s1ZQGO7mq3Srk4Nk1JAfV bZDZND/KHVvUl+nrupvH6OWVbtI/hnQ/0e9jG4112pgzsJgX6yC3OUbL+5+srgOArfXF 8BJAsYbF8W+lG/8oMOjKzSNzIRnfNu+eTa036EDU/FtWcWkI38HpPe2zMc2ZMJ1Z1TJc IuDg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Zn5mLFC06YVHb9U42vYY3vE/6X9ExrPZTV4quLQhhxU=; b=MpJr4I36pnr2DqGjx/QNFp6ID8mwyNhrUrZTAc+2oPaC8mfqdIfdNgSCdei3XeMUJp RCK2tz2MDGtSAfVACxEPdBin8pc4g7bVtETOF4/GWizPKqVov2TePpfR/76bMy3867XJ ZNakp5s4G1BKJ6cYvlUuSmUnkZtgHDm4KfzeseNHe0WTc/hvzva5g86wfyIaA6KfxFvD cXIZaAbgoARotJzApiwx7W7g38KrrV4tTx4elORsoWSekRs+9PApzOj0dr1zgxujomTB gDz76qO2/3pQzCcf6bfhd3+wsMYFQuidiWScGXQwGoowFsjbgqtU6UGSBY6adS2sCY5i nAHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MsF4os16; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i2si3379904otc.130.2020.01.30.11.17.47; Thu, 30 Jan 2020 11:17:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MsF4os16; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730755AbgA3SoD (ORCPT + 99 others); Thu, 30 Jan 2020 13:44:03 -0500 Received: from mail.kernel.org ([198.145.29.99]:52924 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730738AbgA3SoA (ORCPT ); Thu, 30 Jan 2020 13:44:00 -0500 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C8C36205F4; Thu, 30 Jan 2020 18:43:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1580409839; bh=3OppFeTIC5EGVmWme2JxnhZ9O/cxokC45JreOYg3EiA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MsF4os16gtROmUytj2LWCfD3Jv6oshYTamnDljeLJNtl9OhTkbxeqPboiBdnzmEsY Zl1Q69MENs4cw/Df4Crm24WH+8dqabPNwS3yq+2P6HhWs4a52+kR22ce4YKylXgvGC VNcIcZWhJY0jOdwu57jdpXYtbK54ClDPXslGKV9k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Andrey Shvetsov Subject: [PATCH 5.4 012/110] staging: most: net: fix buffer overflow Date: Thu, 30 Jan 2020 19:37:48 +0100 Message-Id: <20200130183615.793039722@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200130183613.810054545@linuxfoundation.org> References: <20200130183613.810054545@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andrey Shvetsov commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream. If the length of the socket buffer is 0xFFFFFFFF (max size for an unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14 (ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN) which overflows and results in a value of 2. These values for payload_len and mdp_len will pass current buffer size checks. This patch checks if derived from skb->len sum may overflow. The check is based on the following idea: For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`, `V1 + V2` overflows iif `SUM < V1`. Reported-by: Greg Kroah-Hartman Signed-off-by: Andrey Shvetsov Cc: stable Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/most/net/net.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- a/drivers/staging/most/net/net.c +++ b/drivers/staging/most/net/net.c @@ -81,6 +81,11 @@ static int skb_to_mamac(const struct sk_ unsigned int payload_len = skb->len - ETH_HLEN; unsigned int mdp_len = payload_len + MDP_HDR_LEN; + if (mdp_len < skb->len) { + pr_err("drop: too large packet! (%u)\n", skb->len); + return -EINVAL; + } + if (mbo->buffer_length < mdp_len) { pr_err("drop: too small buffer! (%d for %d)\n", mbo->buffer_length, mdp_len); @@ -128,6 +133,11 @@ static int skb_to_mep(const struct sk_bu u8 *buff = mbo->virt_address; unsigned int mep_len = skb->len + MEP_HDR_LEN; + if (mep_len < skb->len) { + pr_err("drop: too large packet! (%u)\n", skb->len); + return -EINVAL; + } + if (mbo->buffer_length < mep_len) { pr_err("drop: too small buffer! (%d for %d)\n", mbo->buffer_length, mep_len);