authorDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:28 +0200
committerDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:55 +0200
commit2e1ed0672762228739f6f67d2b3df054e3cbf7c6 (patch)
tree26f603b45fcd5336c26889304bcaf7bfb049052d
parent43fe477fbb41af9854ecd58b9298f15d0d3e4bf6 (diff)
tcp: fix TCP_REPAIR_QUEUE bound checking (git-fixes).
-rw-r--r--patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch51
-rw-r--r--series.conf1
2 files changed, 52 insertions, 0 deletions
diff --git a/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch b/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
new file mode 100644
index 0000000000..8e040f33f1
--- /dev/null
+++ b/patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
@@ -0,0 +1,51 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: tcp: fix TCP_REPAIR_QUEUE bound checking
+Patch-mainline: v4.17-rc4
+Git-commit: bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9
+References: git-fixes
+
+syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
+with following C-repro :
+
+socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
+setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
+sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
+ 1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
+setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
+writev(3, [{"\270", 1}], 1) = 1
+setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
+writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144
+
+The 3rd system call looks odd :
+setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
+
+This patch makes sure bound checking is using an unsigned compare.
+
+Fixes: ee9952831cfd ("tcp: Initial repair mode")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Cc: Pavel Emelyanov <xemul@parallels.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index f348ad7e1a1b..e8408fdd2a01 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2444,7 +2444,7 @@ static int do_tcp_setsockopt(struct sock *sk, int level,
+ case TCP_REPAIR_QUEUE:
+ if (!tp->repair)
+ err = -EPERM;
+- else if (val < TCP_QUEUES_NR)
++ else if ((unsigned int)val < TCP_QUEUES_NR)
+ tp->repair_queue = val;
+ else
+ err = -EINVAL;
+--
+2.12.3
+
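Review bot: The hunk lines of the embedded patch around `case TCP_REPAIR_QUEUE:` show no leading indentation, while the surrounding code in net/ipv4/tcp.c is tab-indented; if the tabs were really dropped from the stored patch file rather than only in this rendering, the context will not match and the patch will fail to apply when quilt reaches its series.conf entry, so it is worth confirming the on-disk file keeps the tabs. The change itself is sound: comparing `(unsigned int)val < TCP_QUEUES_NR` makes a negative `val` wrap to a large value and fall into the `-EINVAL` branch, which the signed compare let through (the repro's `TCP_REPAIR_QUEUE, [-1]` call), and the stored value can no longer index past the per-queue arrays. A one-line comment on the new condition, `/* val is signed; the unsigned compare also rejects negative queue ids */`, would explain the cast to the next reader. The enclosing do_tcp_setsockopt() starts and ends outside the hunk.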
diff --git a/series.conf b/series.conf
index 262c1f7a8b..b8349bfaea 100644
--- a/series.conf
+++ b/series.conf
@@ -15872,6 +15872,7 @@
patches.suse/net-support-compat-64-bit-time-in-s-g-etsockopt.patch
patches.suse/bridge-check-iface-upper-dev-when-setting-master-via.patch
patches.drivers/qed-fix-spelling-mistake-checksumed-checksummed.patch
+ patches.fixes/0014-tcp-fix-TCP_REPAIR_QUEUE-bound-checking.patch
patches.suse/net-ethernet-ti-cpsw-fix-packet-leaking-in-dual_mac-.patch
patches.suse/tcp_bbr-fix-to-zero-idle_restart-only-upon-S-ACKed-d.patch
patches.suse/sctp-use-the-old-asoc-when-making-the-cookie-ack-chu.patch