From patchwork Wed Mar 12 23:18:10 2025
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 14014050
X-Patchwork-Delegate: kuba@kernel.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 1/3] netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()
Date: Thu, 13 Mar 2025 00:18:10 +0100
Message-Id: <20250312231812.4091-2-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250312231812.4091-1-pablo@netfilter.org>
References: <20250312231812.4091-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Kohei Enju

Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple.

The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them.

By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree().

BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]
BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 find_or_evict net/netfilter/nf_conncount.c:117 [inline]
 __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143
 count_tree net/netfilter/nf_conncount.c:438 [inline]
 nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
 __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
 __netif_receive_skb_list net/core/dev.c:6035 [inline]
 netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
 xdp_recv_frames net/bpf/test_run.c:280 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
 __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:4121 [inline]
 slab_alloc_node mm/slub.c:4164 [inline]
 kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171
 insert_tree net/netfilter/nf_conncount.c:372 [inline]
 count_tree net/netfilter/nf_conncount.c:450 [inline]
 nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521
 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72
 __nft_match_eval net/netfilter/nft_compat.c:403 [inline]
 nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433
 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
 nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288
 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23
 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
 nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626
 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663
 NF_HOOK_LIST include/linux/netfilter.h:350 [inline]
 ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633
 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669
 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]
 __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983
 __netif_receive_skb_list net/core/dev.c:6035 [inline]
 netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126
 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178
 xdp_recv_frames net/bpf/test_run.c:280 [inline]
 xdp_test_run_batch net/bpf/test_run.c:361 [inline]
 bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390
 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316
 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407
 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813
 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]
 __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900
 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358
 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]
 __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387
 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412
 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450
 entry_SYSENTER_compat_after_hwframe+0x84/0x8e

Reported-by: syzbot+83fed965338b573115f7@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=83fed965338b573115f7
Fixes: b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race")
Signed-off-by: Kohei Enju
Reviewed-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_conncount.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index ebe38ed2e6f4..913ede2f57f9 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c
@@ -377,6 +377,8 @@ insert_tree(struct net *net, conn->tuple = *tuple; conn->zone = *zone; + conn->cpu = raw_smp_processor_id(); + conn->jiffies32 = (u32)jiffies; memcpy(rbconn->key, key, sizeof(u32) * data->keylen); nf_conncount_list_init(&rbconn->list);
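
Review bot: In the insert_tree() hunk of net/netfilter/nf_conncount.c, the two added assignments repeat by hand what the commit message says nf_conncount_add() already does for the same struct, and that duplication is how `cpu` and `jiffies32` were missed on this path when b36e4523d4d5 added them. Consider moving the tuple/zone/cpu/jiffies32 setup into one small helper shared by both allocation sites, or zeroing the object at allocation, so the next field added to struct nf_conncount_tuple cannot be left uninitialized on one path. A short comment noting that find_or_evict() reads these fields (per the KMSAN trace) would also help.
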
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 2/3] selftests: netfilter: skip br_netfilter queue tests if kernel is tainted
Date: Thu, 13 Mar 2025 00:18:11 +0100
Message-Id: <20250312231812.4091-3-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250312231812.4091-1-pablo@netfilter.org>
References: <20250312231812.4091-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Florian Westphal

These scripts fail if the kernel is tainted which leads to wrong test failure reports in CI environments when an unrelated test triggers some splat.

Check taint state at start of script and SKIP if it's already dodgy.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 tools/testing/selftests/net/netfilter/br_netfilter.sh | 7 +++++++
 .../testing/selftests/net/netfilter/br_netfilter_queue.sh | 7 +++++++
 tools/testing/selftests/net/netfilter/nft_queue.sh | 1 +
 3 files changed, 15 insertions(+)

diff --git a/tools/testing/selftests/net/netfilter/br_netfilter.sh b/tools/testing/selftests/net/netfilter/br_netfilter.sh index c28379a965d8..1559ba275105 100755 --- a/tools/testing/selftests/net/netfilter/br_netfilter.sh +++ b/tools/testing/selftests/net/netfilter/br_netfilter.sh @@ -13,6 +13,12 @@ source lib.sh checktool "nft --version" "run test without nft tool" +read t < /proc/sys/kernel/tainted +if [ "$t" -ne 0 ];then + echo SKIP: kernel is tainted + exit $ksft_skip +fi + cleanup() { cleanup_all_ns } @@ -165,6 +171,7 @@ if [ "$t" -eq 0 ];then echo PASS: kernel not tainted else echo ERROR: kernel is tainted + dmesg ret=1 fi 
diff --git a/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh b/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh index 6a764d70ab06..4788641717d9 100755 --- a/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh +++ b/tools/testing/selftests/net/netfilter/br_netfilter_queue.sh @@ -4,6 +4,12 @@ source lib.sh checktool "nft --version" "run test without nft tool" +read t < /proc/sys/kernel/tainted +if [ "$t" -ne 0 ];then + echo SKIP: kernel is tainted + exit $ksft_skip +fi + cleanup() { cleanup_all_ns } @@ -72,6 +78,7 @@ if [ "$t" -eq 0 ];then echo PASS: kernel not tainted else echo ERROR: kernel is tainted + dmesg exit 1 fi diff --git a/tools/testing/selftests/net/netfilter/nft_queue.sh b/tools/testing/selftests/net/netfilter/nft_queue.sh index 785e3875a6da..784d1b46912b 100755 --- a/tools/testing/selftests/net/netfilter/nft_queue.sh +++ b/tools/testing/selftests/net/netfilter/nft_queue.sh 
@@ -593,6 +593,7 @@ EOF echo "PASS: queue program exiting while packets queued" else echo "TAINT: queue program exiting while packets queued" + dmesg ret=1 fi }
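
Review bot: The taint pre-check added at the top of br_netfilter.sh is duplicated verbatim in br_netfilter_queue.sh, in both cases right after the script does `source lib.sh`. A shared helper in lib.sh would keep the two copies from drifting apart. Also, if the read leaves `$t` empty, `[ "$t" -ne 0 ]` prints an error and falls through to run the test instead of skipping; defaulting the value (for example `${t:-0}`) makes the intended behaviour explicit.
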
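
Review bot: The `dmesg` calls added on the taint-failure paths (the "ERROR: kernel is tainted" branches in br_netfilter.sh and br_netfilter_queue.sh, and the "TAINT:" branch in nft_queue.sh) are not mentioned in the changelog, which only describes the skip. Please add a sentence saying the kernel log is now dumped when a test taints the kernel, and consider limiting the output to a tail of the log, since an unfiltered `dmesg` prints the whole ring buffer into the test output.
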
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 3/3] ipvs: prevent integer overflow in do_ip_vs_get_ctl()
Date: Thu, 13 Mar 2025 00:18:12 +0100
Message-Id: <20250312231812.4091-4-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250312231812.4091-1-pablo@netfilter.org>
References: <20250312231812.4091-1-pablo@netfilter.org>
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
MIME-Version: 1.0
X-Patchwork-Delegate: kuba@kernel.org

From: Dan Carpenter

The get->num_services variable is an unsigned int which is controlled by the user. The struct_size() function ensures that the size calculation does not overflow an unsigned long, however, we are saving the result to an int so the calculation can overflow.

Both "len" and "get->num_services" come from the user. This check is just a sanity check to help the user and ensure they are using the API correctly. An integer overflow here is not a big deal. This has no security impact.

Save the result from struct_size() type size_t to fix this integer overflow bug.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Dan Carpenter
Acked-by: Julian Anastasov
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/ipvs/ip_vs_ctl.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index 7d13110ce188..0633276d96bf 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -3091,12 +3091,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) case IP_VS_SO_GET_SERVICES: { struct ip_vs_get_services *get; - int size; + size_t size; get = (struct ip_vs_get_services *)arg; size = struct_size(get, entrytable, get->num_services); if (*len != size) { - pr_err("length: %u != %u\n", *len, size); + pr_err("length: %u != %zu\n", *len, size); ret = -EINVAL; goto out; } @@ -3132,12 +3132,12 @@ do_ip_vs_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) case IP_VS_SO_GET_DESTS: { struct ip_vs_get_dests *get; - int size; + size_t size; get = (struct ip_vs_get_dests *)arg; size = struct_size(get, entrytable, get->num_dests); if (*len != size) { - pr_err("length: %u != %u\n", *len, size); + pr_err("length: %u != %zu\n", *len, size); ret = -EINVAL; goto out; }
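
Review bot: With `size` now a size_t, `if (*len != size)` in both the IP_VS_SO_GET_SERVICES and IP_VS_SO_GET_DESTS cases compares a signed int (`int *len` in the function signature) against an unsigned size_t, so `*len` is implicitly converted before the comparison, and pr_err() still prints it with %u. If `*len` is already known to be non-negative at this point, a short comment or an explicit cast would make that assumption visible; otherwise check for a negative length before comparing.
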
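
The truncation described in the 3/3 commit message, as an added example that is not part of the patch or of the kernel source. It is a userspace model: the struct layout, the saturating helper `model_struct_size` and the functions `check_len_int` and `check_len_size_t` are assumptions made for illustration, and a 64-bit size_t is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Demo assumes a 64-bit size_t, so a size can exceed what an int holds. */
_Static_assert(sizeof(size_t) > sizeof(int), "needs size_t wider than int");

/* Hypothetical stand-ins for the ipvs structs; the layout is illustrative. */
struct model_entry {
	uint32_t fields[4];            /* 16 bytes per entry */
};

struct model_get {
	unsigned int num_services;     /* count supplied by the caller */
	struct model_entry entrytable[];
};

/* Userspace approximation of struct_size(): saturate instead of wrapping. */
static size_t model_struct_size(unsigned int count)
{
	size_t bytes;

	if (__builtin_mul_overflow((size_t)count, sizeof(struct model_entry), &bytes) ||
	    __builtin_add_overflow(bytes, sizeof(struct model_get), &bytes))
		return SIZE_MAX;
	return bytes;
}

/* Pre-patch shape: the size_t result is stored in an int and truncated.
 * Returns 1 when the length check would accept the request. */
static int check_len_int(int len, unsigned int count)
{
	int size = (int)model_struct_size(count);  /* gcc/clang keep the low 32 bits */

	return len == size;
}

/* Post-patch shape: keep the full size_t. The len >= 0 test is an extra
 * guard added for this example; it is not part of the patch. */
static int check_len_size_t(int len, unsigned int count)
{
	size_t size = model_struct_size(count);

	return len >= 0 && (size_t)len == size;
}

int main(void)
{
	unsigned int count = 1u << 28;  /* constructed: 2^28 * 16 bytes = 2^32 */
	int len = (int)sizeof(struct model_get);

	printf("real size           : %zu bytes\n", model_struct_size(count));
	printf("int check accepts   : %d\n", check_len_int(len, count));
	printf("size_t check accepts: %d\n", check_len_size_t(len, count));
	return 0;
}
```

With the constructed count, the int variant accepts a 4-byte length for a structure whose real size is just over 4 GiB, while the size_t variant rejects it.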