Date: Fri, 1 Mar 2024 18:29:39 +0300
From: Dan Carpenter
To: Dylan Yudaken
Cc: Jens Axboe, Pavel Begunkov, io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: [PATCH 1/2] io_uring/net: fix overflow check in io_recvmsg_mshot_prep()
Message-ID: <138bd2e2-ede8-4bcc-aa7b-f3d9de167a37@moroto.mountain>
In-Reply-To: <7f5d7887-f76e-4e68-98c2-894bfedbf292@moroto.mountain>

The "controllen" variable is type size_t (unsigned long). Casting it to int could lead to an integer underflow.

The check_add_overflow() function considers the type of the destination which is type int. If we add two positive values and the result cannot fit in an integer then that's counted as an overflow.

However, if we cast "controllen" to an int and it turns negative, then negative values *can* fit into an int type so there is no overflow.

Good: 100 + (unsigned long)-4 = 96 <-- overflow
Bad: 100 + (int)-4 = 96 <-- no overflow

I deleted the cast of the sizeof() as well. That's not a bug but the cast is unnecessary.

Fixes: 9b0fc3c054ff ("io_uring: fix types in io_recvmsg_multishot_overflow")
Signed-off-by: Dan Carpenter
---
 io_uring/net.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/io_uring/net.c b/io_uring/net.c index 926d1fb0335d..da257bf429d5 100644 --- a/io_uring/net.c +++ b/io_uring/net.c @@ -559,10 +559,10 @@ static int io_recvmsg_mshot_prep(struct io_kiocb *req, if (unlikely(namelen < 0)) return -EOVERFLOW; - if (check_add_overflow((int)sizeof(struct io_uring_recvmsg_out), + if (check_add_overflow(sizeof(struct io_uring_recvmsg_out), namelen, &hdr)) return -EOVERFLOW; - if (check_add_overflow(hdr, (int)controllen, &hdr)) + if (check_add_overflow(hdr, controllen, &hdr)) return -EOVERFLOW; iomsg->namelen = namelen; -- 2.43.0
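
Review bot: The second check, check_add_overflow(hdr, controllen, &hdr), is only correct while controllen reaches the macro as size_t and the destination stays int, and nothing at the call site says the missing cast is deliberate. A one-line comment above that call, stating that the operands are left uncast on purpose because a cast to int can turn a large controllen negative and let the sum pass, would keep a later type cleanup from putting the (int) back. The same comment can cover the sizeof() operand in the first check, where the commit message says the cast was unnecessary rather than wrong.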
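
The type behaviour the commit message describes can be reproduced in user space. This is an added example, not code from the patch or the kernel tree: the check_add_overflow macro below is a stand-in built on the compiler's __builtin_add_overflow, and the function names and the starting header size of 100 are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel macro (assumption: same semantics as the compiler
 * builtin). The sum is evaluated at infinite precision and then tested
 * against the type of *d, whatever the operand types are. */
#define check_add_overflow(a, b, d) __builtin_add_overflow(a, b, d)

#define SAMPLE_HDR 100 /* constructed value, matches the "100" in the message */

/* Pre-patch shape: controllen is narrowed to int before the check. */
static bool hdr_check_with_cast(size_t controllen, int *hdr)
{
	*hdr = SAMPLE_HDR;
	return check_add_overflow(*hdr, (int)controllen, hdr);
}

/* Post-patch shape: controllen stays size_t, destination stays int. */
static bool hdr_check_no_cast(size_t controllen, int *hdr)
{
	*hdr = SAMPLE_HDR;
	return check_add_overflow(*hdr, controllen, hdr);
}

int main(void)
{
	/* Constructed inputs: small, boundary, and "(unsigned long)-4". */
	size_t samples[] = { 16, (size_t)INT_MAX, (size_t)-4 };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int with_cast, no_cast;
		bool a = hdr_check_with_cast(samples[i], &with_cast);
		bool b = hdr_check_no_cast(samples[i], &no_cast);

		printf("controllen=%zu cast: overflow=%d hdr=%d | no cast: overflow=%d\n",
		       samples[i], a, with_cast, b);
	}
	return 0;
}
```

With the cast, the huge controllen is accepted and hdr comes out as 96; without it, the same input is reported as an overflow.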