Received-SPF: pass (google.com: domain of linux-kernel+bounces-20675-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3;
Message-ID: <tencent_146C309740E8F6ECD2CC5C7ADA6E202D450A@qq.com>
From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Cc: andrii@kernel.org,
	ast@kernel.org,
	borisp@nvidia.com,
	bpf@vger.kernel.org,
	daniel@iogearbox.net,
	davem@davemloft.net,
	dhowells@redhat.com,
	edumazet@google.com,
	jakub@cloudflare.com,
	john.fastabend@gmail.com,
	kuba@kernel.org,
	linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org,
	pabeni@redhat.com,
	syzkaller-bugs@googlegroups.com
Subject: [PATCH] tls: fix WARNING in __sk_msg_free
Date: Tue,  9 Jan 2024 17:32:35 +0800
In-Reply-To: <000000000000aa2f41060e363b2b@google.com>
References: <000000000000aa2f41060e363b2b@google.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Syzbot constructed 32 scatterlists, and the data members in struct sk_msg_sg 
can only store a maximum of MAX_MSG_FRAGS scatterlists.
However, the value of MAX_MSG_FRAGS=CONFIG_MAX_SKB_FRAG is less than 32, which
leads to the warning reported here.

Prevent similar issues from occurring by checking whether sg.end is greater 
than MAX_MSG_FRAGS.

Reported-and-tested-by: syzbot+f2977222e0e95cec15c8@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/tls/tls_sw.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e37b4d2e2acd..68dbe821f61d 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1016,6 +1016,8 @@ static int tls_sw_sendmsg_locked(struct sock *sk, struct msghdr *msg,
 
 		msg_pl = &rec->msg_plaintext;
 		msg_en = &rec->msg_encrypted;
+		if (msg_pl->sg.end >= MAX_MSG_FRAGS)
+			return -EINVAL;
 
 		orig_size = msg_pl->sg.size;
 		full_record = false;
-- 
2.43.0