On Mon, Jan 27, 2025 at 03:19:57PM +0100, nicolas.bouchinet@xxxxxxxxxxx wrote:
> From: Nicolas Bouchinet <nicolas.bouchinet@xxxxxxxxxxx>
>
> Hi,
>
> This patchset adds some bound checks to sysctls to avoid negative
> value writes.
>
> The patched sysctls were storing the result of the proc_dointvec
> proc_handler into an unsigned int data. proc_dointvec being able to
> parse negative values, and its return value being a signed int, this could
> lead to undefined behaviors.
> This has led to kernel crashes in the past as described in commit
> 3b3376f222e3 ("sysctl.c: fix underflow value setting risk in vm_table")
>
> Most of them are now bounded between SYSCTL_ZERO and SYSCTL_INT_MAX.
> nf_conntrack_expect_max is bounded between SYSCTL_ONE and SYSCTL_INT_MAX
> as defined by its documentation.

I noticed that none of the patches have a Fixes tag. Do any of these fix
existing crashes or is this just cleanup?

I am asking because if this is cleanup then it would be "net-next"
material instead of "net" and would need to be resubmitted when the merge
window has passed [1].

FWIW, I submitted a similar change some time ago and it was submitted to
net-next as cleanup [2].

[1]: https://lore.kernel.org/netdev/20250117182059.7ce1196f@xxxxxxxxxx/
[2]: https://lore.kernel.org/netdev/CANn89i+=HiffVo9iv2NKMC2LFT15xFLG16h7wN3MCrTiKT3zQQ@xxxxxxxxxxxxxx/T/
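The defect the cover letter describes, modelled in user space as an added example (this is not the kernel's code and not part of the patchset): a sysctl whose backing store is an unsigned int but whose handler parses the written text as a signed int with no range check, beside the bounded form the patches switch to. The names dointvec_model, dointvec_minmax_model, struct sysctl_model and the SYSCTL_*_V constants are constructed stand-ins for proc_dointvec, proc_dointvec_minmax, struct ctl_table and SYSCTL_ZERO / SYSCTL_ONE / SYSCTL_INT_MAX; the sample writes ("-1", "0", "2147483647", "abc") are constructed inputs.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model of a kernel ctl_table entry. The real
 * struct has more fields; only the ones the fix touches are modelled. */
struct sysctl_model {
    const char *procname;
    unsigned int *data;   /* backing store of the patched sysctls: unsigned */
    const int *extra1;    /* lower bound (NULL = unbounded) */
    const int *extra2;    /* upper bound (NULL = unbounded) */
};

/* Stand-ins for the kernel's SYSCTL_ZERO / SYSCTL_ONE / SYSCTL_INT_MAX. */
static const int SYSCTL_ZERO_V = 0;
static const int SYSCTL_ONE_V = 1;
static const int SYSCTL_INT_MAX_V = INT_MAX;

/* proc_dointvec parses the written text as a signed int; mirror that. */
static int parse_signed_int(const char *buf, int *out)
{
    char *end;
    long v = strtol(buf, &end, 10);
    if (end == buf || v < INT_MIN || v > INT_MAX)
        return -EINVAL;
    *out = (int)v;
    return 0;
}

/* Model of the old handler (proc_dointvec): no range check. A negative
 * write is accepted and lands in the unsigned store as a huge count. */
static int dointvec_model(struct sysctl_model *t, const char *buf)
{
    int v, rc = parse_signed_int(buf, &v);
    if (rc)
        return rc;
    *t->data = (unsigned int)v;
    return 0;
}

/* Model of the bounded handler (proc_dointvec_minmax): values outside
 * [*extra1, *extra2] are rejected with -EINVAL and the store is untouched. */
static int dointvec_minmax_model(struct sysctl_model *t, const char *buf)
{
    int v, rc = parse_signed_int(buf, &v);
    if (rc)
        return rc;
    if ((t->extra1 && v < *t->extra1) || (t->extra2 && v > *t->extra2))
        return -EINVAL;
    *t->data = (unsigned int)v;
    return 0;
}

/* Write `buf` through the unbounded handler into a store holding 100.
 * Returns the resulting stored value; *rc receives the handler's result. */
unsigned int write_unbounded(const char *buf, int *rc)
{
    unsigned int store = 100;
    struct sysctl_model t = { "demo_max", &store, NULL, NULL };
    *rc = dointvec_model(&t, buf);
    return store;
}

/* Same, through the bounded handler with [*lo, INT_MAX], as the patchset
 * does with SYSCTL_ZERO (or SYSCTL_ONE for nf_conntrack_expect_max). */
unsigned int write_bounded(const char *buf, const int *lo, int *rc)
{
    unsigned int store = 100;
    struct sysctl_model t = { "demo_max", &store, lo, &SYSCTL_INT_MAX_V };
    *rc = dointvec_minmax_model(&t, buf);
    return store;
}

int main(void)
{
    int rc;
    unsigned int v;

    v = write_unbounded("-1", &rc);
    printf("unbounded write -1 -> rc=%d value=%u\n", rc, v);
    v = write_bounded("-1", &SYSCTL_ZERO_V, &rc);
    printf("bounded   write -1 -> rc=%d value=%u (unchanged)\n", rc, v);
    v = write_bounded("0", &SYSCTL_ONE_V, &rc);
    printf("min=1     write  0 -> rc=%d value=%u (unchanged)\n", rc, v);
    return 0;
}
```

The unbounded path stores -1 as UINT_MAX, so a limit that was meant to be small silently becomes effectively unlimited, which is the class of problem commit 3b3376f222e3 fixed for vm_table. In a real ctl_table entry the bounded form is expressed as `.proc_handler = proc_dointvec_minmax` with `.extra1 = SYSCTL_ZERO` (or `SYSCTL_ONE`) and `.extra2 = SYSCTL_INT_MAX`; the handler then returns -EINVAL for out-of-range writes and leaves the old value in place, exactly as the model does above.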