[v2,net,0/3] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX.

Message ID	20250325195826.52385-1-kuniyu@amazon.com (mailing list archive)
Headers	show Received: from smtp-fw-52004.amazon.com (smtp-fw-52004.amazon.com [52.119.213.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 09BDB19F42C for <netdev@vger.kernel.org>; Tue, 25 Mar 2025 19:58:43 +0000 (UTC) From: Kuniyuki Iwashima <kuniyu@amazon.com> To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>, "David S. Miller" <davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com> CC: Simon Horman <horms@kernel.org>, Kuniyuki Iwashima <kuniyu@amazon.com>, Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org> Subject: [PATCH v2 net 0/3] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. Date: Tue, 25 Mar 2025 12:58:12 -0700 Message-ID: <20250325195826.52385-1-kuniyu@amazon.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain
Series	udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. \| expand [v2,net,0/3] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. [v2,net,1/3] udp: Fix multiple wraparounds of sk->sk_rmem_alloc. [v2,net,2/3] udp: Fix memory accounting leak. [v2,net,3/3] selftest: net: Check wraparounds for sk->sk_rmem_alloc.

Message ID

20250325195826.52385-1-kuniyu@amazon.com (mailing list archive)

Headers

From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>, "David S. Miller"
	<davem@davemloft.net>, David Ahern <dsahern@kernel.org>, Eric Dumazet
	<edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>, Paolo Abeni
	<pabeni@redhat.com>
CC: Simon Horman <horms@kernel.org>, Kuniyuki Iwashima <kuniyu@amazon.com>,
	Kuniyuki Iwashima <kuni1840@gmail.com>, <netdev@vger.kernel.org>
Subject: [PATCH v2 net 0/3] udp: Fix two integer overflows when sk->sk_rcvbuf
 is close to INT_MAX.
Date: Tue, 25 Mar 2025 12:58:12 -0700
Message-ID: <20250325195826.52385-1-kuniyu@amazon.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain

Series

udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX. | expand

Message

Kuniyuki Iwashima March 25, 2025, 7:58 p.m. UTC

I got a report that UDP mem usage in /proc/net/sockstat did not
drop even after an application was terminated.

The issue could happen if sk->sk_rmem_alloc wraps around due
to a large sk->sk_rcvbuf, which was INT_MAX in our case.

The patch 2 fixes the issue, and the patch 1 fixes yet another
overflow I found while investigating the issue.


v2:
  * Patch 1
    * Define rmem and rcvbuf as unsigned int (Eric)
    * Take skb->truesize into account for sk with large rcvbuf (Willem)

  * Patch 3
    * Add a comment

v1: https://lore.kernel.org/netdev/20250323231016.74813-1-kuniyu@amazon.com/


Kuniyuki Iwashima (3):
  udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
  udp: Fix memory accounting leak.
  selftest: net: Check wraparounds for sk->sk_rmem_alloc.

 net/ipv4/udp.c                          |  40 +++---
 tools/testing/selftests/net/.gitignore  |   1 +
 tools/testing/selftests/net/Makefile    |   2 +-
 tools/testing/selftests/net/so_rcvbuf.c | 181 ++++++++++++++++++++++++
 4 files changed, 206 insertions(+), 18 deletions(-)
 create mode 100644 tools/testing/selftests/net/so_rcvbuf.c

Comments

Jakub Kicinski March 27, 2025, 7:51 p.m. UTC | #1

On Tue, 25 Mar 2025 12:58:12 -0700 Kuniyuki Iwashima wrote:
> I got a report that UDP mem usage in /proc/net/sockstat did not
> drop even after an application was terminated.
> 
> The issue could happen if sk->sk_rmem_alloc wraps around due
> to a large sk->sk_rcvbuf, which was INT_MAX in our case.
> 
> The patch 2 fixes the issue, and the patch 1 fixes yet another
> overflow I found while investigating the issue.

Selftest doesn't apply after the net-next PR :(

Kuniyuki Iwashima March 27, 2025, 8:17 p.m. UTC | #2

From: Jakub Kicinski <kuba@kernel.org>
Date: Thu, 27 Mar 2025 12:51:19 -0700
> On Tue, 25 Mar 2025 12:58:12 -0700 Kuniyuki Iwashima wrote:
> > I got a report that UDP mem usage in /proc/net/sockstat did not
> > drop even after an application was terminated.
> > 
> > The issue could happen if sk->sk_rmem_alloc wraps around due
> > to a large sk->sk_rcvbuf, which was INT_MAX in our case.
> > 
> > The patch 2 fixes the issue, and the patch 1 fixes yet another
> > overflow I found while investigating the issue.
> 
> Selftest doesn't apply after the net-next PR :(

Will send v3 shortly with so_rcv_listener sorted.

Thanks!