Patch "tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE)" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE)

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     tcp-fix-sign-comparison-bug-in-getsockopt-tcp_zerocopy_receive.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 2107d45f17bedd7dbf4178462da0ac223835a2a7 Mon Sep 17 00:00:00 2001
From: Arjun Roy <arjunroy@xxxxxxxxxx>
Date: Thu, 25 Feb 2021 15:26:28 -0800
Subject: tcp: Fix sign comparison bug in getsockopt(TCP_ZEROCOPY_RECEIVE)

From: Arjun Roy <arjunroy@xxxxxxxxxx>

commit 2107d45f17bedd7dbf4178462da0ac223835a2a7 upstream.

getsockopt(TCP_ZEROCOPY_RECEIVE) has a bug where we read a
user-provided "len" field of type signed int, and then compare the
value to the result of an "offsetofend" operation, which is unsigned.

Negative values provided by the user will be promoted to large
positive numbers; thus checking that len < offsetofend() will return
false when the intention was that it return true.

Note that while len is originally checked for negative values earlier
on in do_tcp_getsockopt(), subsequent calls to get_user() re-read the
value from userspace which may have changed in the meantime.

Therefore, re-add the check for negative values after the call to
get_user in the handler code for TCP_ZEROCOPY_RECEIVE.

Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.")
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Arjun Roy <arjunroy@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20210225232628.4033281-1-arjunroy.kdev@xxxxxxxxx
Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 net/ipv4/tcp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3829,7 +3829,8 @@ static int do_tcp_getsockopt(struct sock
 
 		if (get_user(len, optlen))
 			return -EFAULT;
-		if (len < offsetofend(struct tcp_zerocopy_receive, length))
+		if (len < 0 ||
+		    len < offsetofend(struct tcp_zerocopy_receive, length))
 			return -EINVAL;
 		if (len > sizeof(zc)) {
 			len = sizeof(zc);
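
Review bot: the new `len < 0` test after `get_user(len, optlen)` has no comment, and a later reader may take it for a duplicate of the earlier negative check in do_tcp_getsockopt() and remove it. A one-line comment above the condition would help, saying that optlen is re-read from userspace here and may have changed. Separately, the second clause still compares a signed `len` against the unsigned result of offsetofend(), so the condition is only correct while `len < 0` is evaluated first. Keeping the two tests in this order, or comparing against an explicitly typed bound, avoids reintroducing the bug in a later cleanup.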


Patches currently in stable-queue which might be from arjunroy@xxxxxxxxxx are

queue-5.10/tcp-fix-sign-comparison-bug-in-getsockopt-tcp_zerocopy_receive.patch
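
The sign comparison and the re-read described in the commit message, reproduced in user space as an added example (not part of the patch or of the kernel source). The struct `zc_demo`, the helper names and the `simulate()` model of the two reads of optlen are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Same idea as the kernel macro: offset of the first byte past MEMBER.
 * The result is a size_t, which is unsigned. */
#define offsetofend(TYPE, MEMBER) \
	(offsetof(TYPE, MEMBER) + sizeof(((TYPE *)0)->MEMBER))

/* Constructed stand-in for struct tcp_zerocopy_receive (layout assumed). */
struct zc_demo {
	unsigned long long address;
	unsigned int length;
	unsigned int recv_skip_hint;
};

/* Pre-patch test, "len < offsetofend(...)". The cast spells out the
 * conversion C applies implicitly when int meets size_t. */
int check_unpatched(int len)
{
	return (size_t)len < offsetofend(struct zc_demo, length) ? -EINVAL : 0;
}

/* Patched test: reject negative values before the mixed-sign comparison. */
int check_patched(int len)
{
	if (len < 0 || (size_t)len < offsetofend(struct zc_demo, length))
		return -EINVAL;
	return 0;
}

/* Models the two reads of optlen: first_fetch is what the early check in
 * do_tcp_getsockopt() sees, second_fetch is what get_user() returns later. */
int simulate(int first_fetch, int second_fetch, int (*check)(int))
{
	if (first_fetch < 0)
		return -EINVAL;
	return check(second_fetch);
}

int main(void)
{
	printf("stable len=16:      unpatched=%d patched=%d\n",
	       simulate(16, 16, check_unpatched), simulate(16, 16, check_patched));
	printf("len changes to -1:  unpatched=%d patched=%d\n",
	       simulate(16, -1, check_unpatched), simulate(16, -1, check_patched));
	return 0;
}
```

With the unpatched check, a value that turns negative between the two reads is accepted (return 0); the patched check returns -EINVAL for the same input.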


