From: Alexander Shishkin
To: mst@redhat.com, jasowang@redhat.com
Cc: virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, elena.reshetova@intel.com, kirill.shutemov@linux.intel.com, Alexander Shishkin, Alexei Starovoitov, Daniel Borkmann, Jesper Dangaard Brouer, John Fastabend, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
Subject: [PATCH v1 5/6] virtio_net: Guard against buffer length overflow in xdp_linearize_page()
Date: Thu, 19 Jan 2023 15:57:20 +0200
Message-Id: <20230119135721.83345-6-alexander.shishkin@linux.intel.com>
In-Reply-To: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>
References: <20230119135721.83345-1-alexander.shishkin@linux.intel.com>

When reassembling incoming buffers to an xdp_page, there is a potential integer overflow in the buffer size test and trigger an out of bounds memcpy(). Fix this by reordering the test so that both sides are of the same signedness.

Signed-off-by: Alexander Shishkin
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Jesper Dangaard Brouer
Cc: John Fastabend
Cc: David S. Miller
Cc: Eric Dumazet
Cc: Jakub Kicinski
Cc: Paolo Abeni
--- drivers/net/virtio_net.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c index 7723b2a49d8e..dfa51dd95f63 100644 --- a/drivers/net/virtio_net.c +++ b/drivers/net/virtio_net.c 
@@ -751,8 +751,10 @@ static struct page *xdp_linearize_page(struct receive_queue *rq, /* guard against a misconfigured or uncooperative backend that * is sending packet larger than the MTU. + * At the same time, make sure that an especially uncooperative + * backend can't overflow the test by supplying a large buflen. */ - if ((page_off + buflen + tailroom) > PAGE_SIZE) { + if (buflen > PAGE_SIZE - page_off - tailroom) { put_page(p); goto err_buf; } -- 2.39.0
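
Review bot: The new right-hand side, PAGE_SIZE - page_off - tailroom, is only a valid bound if page_off + tailroom can never exceed PAGE_SIZE at this point, and nothing in the hunk shows or states that. If it could, the subtraction itself would wrap or go negative and the comparison against buflen would again hinge on implicit conversion. Please either state that invariant in the extended comment or test it explicitly before the subtraction. The commit message says only that both sides end up "of the same signedness" without naming the types of page_off, buflen and tailroom; spelling those out there would let a reader confirm the reordered test without opening the function.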
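
The wrap that the commit message describes, as an added C model that is not part of the patch or of the kernel source. The types of page_off, buflen and tailroom, the 4096-byte page, all function names and the sample lengths are assumptions constructed for illustration, and fits_sub() carries a precondition that the patch does not contain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 4096u /* assumed page size for this model */
typedef bool (*fits_fn)(int page_off, unsigned int buflen, int tailroom);

/* Sum form (the '-' line). With the assumed types the sum is evaluated
 * as unsigned int, so a huge buflen wraps it back under PAGE_SZ. */
static bool fits_sum(int page_off, unsigned int buflen, int tailroom)
{
    return !((page_off + buflen + tailroom) > PAGE_SZ);
}

/* Subtraction form (the '+' line). The first test is an added
 * precondition, not in the patch: the right side must not wrap. */
static bool fits_sub(int page_off, unsigned int buflen, int tailroom)
{
    if (page_off < 0 || tailroom < 0 ||
        (unsigned int)page_off + (unsigned int)tailroom > PAGE_SZ)
        return false;
    return !(buflen > PAGE_SZ - page_off - tailroom);
}

/* Walk backend-supplied lengths without copying anything. Returns how many
 * bytes a copy at page_off would run past the usable area, 0 if none. */
static uint64_t overrun_bytes(fits_fn fits, int page_off, int tailroom,
                              const unsigned int *lens, size_t n)
{
    uint64_t limit = PAGE_SZ - (unsigned int)tailroom;
    for (size_t i = 0; i < n; i++) {
        if (!fits(page_off, lens[i], tailroom))
            return 0; /* rejected, as on the err_buf path */
        uint64_t end = (uint64_t)page_off + lens[i];
        if (end > limit)
            return end - limit; /* test passed but the copy would overrun */
        page_off += (int)lens[i];
    }
    return 0;
}

/* Constructed input: one ordinary buffer, then a near-UINT_MAX length. */
static const unsigned int sample_lens[] = { 1500u, 0xFFFFFFFFu - 500u };

int main(void)
{
    printf("sum form: %llu, sub form: %llu bytes past the limit\n",
           (unsigned long long)overrun_bytes(fits_sum, 256, 320, sample_lens, 2),
           (unsigned long long)overrun_bytes(fits_sub, 256, 320, sample_lens, 2));
    return 0;
}
```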