
[v3,net,0/3] udp: Fix two integer overflows when sk->sk_rcvbuf is close to INT_MAX.

Message ID 20250327202722.63756-1-kuniyu@amazon.com (mailing list archive)

Message

Kuniyuki Iwashima March 27, 2025, 8:26 p.m. UTC
I got a report that UDP mem usage in /proc/net/sockstat did not
drop even after an application was terminated.

The issue could happen if sk->sk_rmem_alloc wraps around due
to a large sk->sk_rcvbuf, which was INT_MAX in our case.

The patch 2 fixes the issue, and the patch 1 fixes yet another
overflow I found while investigating the issue.


v3:
  * Rebase
  * Add Willem's tags

v2: https://lore.kernel.org/netdev/20250325195826.52385-1-kuniyu@amazon.com/
  * Patch 1
    * Define rmem and rcvbuf as unsigned int (Eric)
    * Take skb->truesize into account for sk with large rcvbuf (Willem)

  * Patch 3
    * Add a comment

v1: https://lore.kernel.org/netdev/20250323231016.74813-1-kuniyu@amazon.com/


Kuniyuki Iwashima (3):
  udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
  udp: Fix memory accounting leak.
  selftest: net: Check wraparounds for sk->sk_rmem_alloc.

 net/ipv4/udp.c                          |  40 +++---
 tools/testing/selftests/net/.gitignore  |   3 +-
 tools/testing/selftests/net/Makefile    |   2 +-
 tools/testing/selftests/net/so_rcvbuf.c | 181 ++++++++++++++++++++++++
 4 files changed, 207 insertions(+), 19 deletions(-)
 create mode 100644 tools/testing/selftests/net/so_rcvbuf.c
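The wraparound described in the cover letter above, as an added user-space model that is not code from this series or from net/ipv4/udp.c. The struct, the function names and the 64 KiB truesize are assumptions; admit_unsigned only loosely mirrors the two v2 changelog items for patch 1 (unsigned rmem/rcvbuf, truesize included in the check).

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; names are hypothetical, not taken from the kernel. */
struct model_sock {
	uint32_t rmem_alloc;	/* stands in for sk->sk_rmem_alloc (32-bit, wraps) */
	int rcvbuf;		/* stands in for sk->sk_rcvbuf */
};

typedef bool (*admit_fn)(struct model_sock *, uint32_t);

/* Signed comparison: no int exceeds INT_MAX, and a wrapped counter is negative. */
static bool admit_signed(struct model_sock *sk, uint32_t truesize)
{
	if ((int32_t)sk->rmem_alloc > sk->rcvbuf)
		return false;
	sk->rmem_alloc += truesize;
	return true;
}

/* Unsigned comparison that also counts the incoming buffer's truesize. */
static bool admit_unsigned(struct model_sock *sk, uint32_t truesize)
{
	if (sk->rmem_alloc + truesize > (unsigned int)sk->rcvbuf)
		return false;
	sk->rmem_alloc += truesize;
	return true;
}

/* Offer pkts buffers of truesize bytes each; return how many were queued. */
static unsigned int fill(struct model_sock *sk, admit_fn admit,
			 uint32_t truesize, unsigned int pkts)
{
	unsigned int queued = 0;

	while (pkts--)
		queued += admit(sk, truesize);
	return queued;
}

int main(void)
{
	struct model_sock a = { 0, INT_MAX }, b = { 0, INT_MAX };
	unsigned int qa = fill(&a, admit_signed, 65536, 40000);
	unsigned int qb = fill(&b, admit_unsigned, 65536, 40000);
	printf("signed: %u queued, counter %d\nunsigned: %u queued, counter %d\n",
	       qa, (int)a.rmem_alloc, qb, (int)b.rmem_alloc);
}
```

With rcvbuf at INT_MAX the signed check never rejects anything and the counter ends up negative, while the unsigned check stops at the last buffer that still fits.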

Comments

Jakub Kicinski March 29, 2025, 2:53 p.m. UTC | #1
On Thu, 27 Mar 2025 13:26:52 -0700 Kuniyuki Iwashima wrote:
> I got a report that UDP mem usage in /proc/net/sockstat did not
> drop even after an application was terminated.
> 
> The issue could happen if sk->sk_rmem_alloc wraps around due
> to a large sk->sk_rcvbuf, which was INT_MAX in our case.
> 
> The patch 2 fixes the issue, and the patch 1 fixes yet another
> overflow I found while investigating the issue.

Test fails in the CI, unfortunately:

# 0.00 [+0.00] TAP version 13
# 0.00 [+0.00] 1..2
# 0.00 [+0.00] # Starting 2 tests from 2 test cases.
# 0.00 [+0.00] #  RUN           so_rcvbuf.udp_ipv4.rmem_max ...
# 0.00 [+0.00] # so_rcvbuf.c:150:rmem_max:Expected get_prot_pages(_metadata, variant) (49) == 0 (0)
# 0.01 [+0.00] # rmem_max: Test terminated by assertion
# 0.01 [+0.00] #          FAIL  so_rcvbuf.udp_ipv4.rmem_max
# 0.01 [+0.00] not ok 1 so_rcvbuf.udp_ipv4.rmem_max
# 0.01 [+0.00] #  RUN           so_rcvbuf.udp_ipv6.rmem_max ...
# 0.01 [+0.00] # so_rcvbuf.c:150:rmem_max:Expected get_prot_pages(_metadata, variant) (49) == 0 (0)
# 0.01 [+0.00] # rmem_max: Test terminated by assertion
# 0.01 [+0.00] #          FAIL  so_rcvbuf.udp_ipv6.rmem_max
# 0.01 [+0.00] not ok 2 so_rcvbuf.udp_ipv6.rmem_max
# 0.02 [+0.00] # FAILED: 0 / 2 tests passed.
# 0.02 [+0.00] # Totals: pass:0 fail:2 xfail:0 xpass:0 skip:0 error:0
not ok 1 selftests: net: so_rcvbuf # exit=1

Kuniyuki Iwashima March 29, 2025, 5:41 p.m. UTC | #2
From: Jakub Kicinski <kuba@kernel.org>
Date: Sat, 29 Mar 2025 07:53:15 -0700
> On Thu, 27 Mar 2025 13:26:52 -0700 Kuniyuki Iwashima wrote:
> > I got a report that UDP mem usage in /proc/net/sockstat did not
> > drop even after an application was terminated.
> > 
> > The issue could happen if sk->sk_rmem_alloc wraps around due
> > to a large sk->sk_rcvbuf, which was INT_MAX in our case.
> > 
> > The patch 2 fixes the issue, and the patch 1 fixes yet another
> > overflow I found while investigating the issue.
> 
> Test fails in the CI, unfortunately:
> 
> # 0.00 [+0.00] TAP version 13
> # 0.00 [+0.00] 1..2
> # 0.00 [+0.00] # Starting 2 tests from 2 test cases.
> # 0.00 [+0.00] #  RUN           so_rcvbuf.udp_ipv4.rmem_max ...
> # 0.00 [+0.00] # so_rcvbuf.c:150:rmem_max:Expected get_prot_pages(_metadata, variant) (49) == 0 (0)

Almost..!

I'll use sleep with a loop.

Thanks!