From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman , stable@vger.kernel.org, kernel test robot , Dan Carpenter , Arjun Roy , Jakub Kicinski
Subject: [PATCH 5.11 023/306] tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE)
Date: Mon, 15 Mar 2021 14:51:26 +0100
Message-Id: <20210315135508.410372732@linuxfoundation.org>
In-Reply-To: <20210315135507.611436477@linuxfoundation.org>
References: <20210315135507.611436477@linuxfoundation.org>

From: Greg Kroah-Hartman

From: Arjun Roy

commit 2107d45f17bedd7dbf4178462da0ac223835a2a7 upstream.

getsockopt(TCP_ZEROCOPY_RECEIVE) has a bug where we read a
user-provided "len" field of type signed int, and then compare the
value to the result of an "offsetofend" operation, which is unsigned.

Negative values provided by the user will be promoted to large
positive numbers; thus checking that len < offsetofend() will return
false when the intention was that it return true.

Note that while len is originally checked for negative values earlier
on in do_tcp_getsockopt(), subsequent calls to get_user() re-read the
value from userspace which may have changed in the meantime.

Therefore, re-add the check for negative values after the call to
get_user in the handler code for TCP_ZEROCOPY_RECEIVE.

Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.")
Reported-by: kernel test robot
Reported-by: Dan Carpenter
Signed-off-by: Arjun Roy
Link: https://lore.kernel.org/r/20210225232628.4033281-1-arjunroy.kdev@gmail.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Greg Kroah-Hartman
--- net/ipv4/tcp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c 
@@ -4088,7 +4088,8 @@ static int do_tcp_getsockopt(struct sock if (get_user(len, optlen)) return -EFAULT; - if (len < offsetofend(struct tcp_zerocopy_receive, length)) + if (len < 0 || + len < offsetofend(struct tcp_zerocopy_receive, length)) return -EINVAL; if (len > sizeof(zc)) { len = sizeof(zc);
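
Review bot: The added "len < 0" test in the TCP_ZEROCOPY_RECEIVE branch has no comment, and read on its own it looks redundant with the negative-length check the commit message says happens earlier in do_tcp_getsockopt(). A short comment above the "if" would help: it should say that "len" was just re-fetched by "get_user(len, optlen)" and so may differ from the value checked earlier, and that the comparison against offsetofend() is done unsigned. That would keep a later cleanup from dropping the test. The same comment could note that the following "len > sizeof(zc)" is also a signed-versus-unsigned comparison and is only correct once "len" is known to be non-negative.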