Patch "net/rose: prevent integer overflows in rose_setsockopt()" has been added to the 5.15-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 2 Feb 2025 09:21:46 -0500

This is a note to let you know that I've just added the patch titled

    net/rose: prevent integer overflows in rose_setsockopt()

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-rose-prevent-integer-overflows-in-rose_setsockop.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 7acef0819b373e707157d77dc2cf5dc2aa98666f
Author: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
Date:   Wed Jan 15 08:42:20 2025 -0800

    net/rose: prevent integer overflows in rose_setsockopt()
    
    [ Upstream commit d640627663bfe7d8963c7615316d7d4ef60f3b0b ]
    
    In case of possible unpredictably large arguments passed to
    rose_setsockopt() and multiplied by extra values on top of that,
    integer overflows may occur.
    
    Do the safest minimum and fix these issues by checking the
    contents of 'opt' and returning -EINVAL if they are too large. Also,
    switch to unsigned int and remove useless check for negative 'opt'
    in ROSE_IDLE case.
    
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Signed-off-by: Nikita Zhandarovich <n.zhandarovich@xxxxxxxxxx>
    Link: https://patch.msgid.link/20250115164220.19954-1-n.zhandarovich@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c
index 1d95ff34b13c9..65fd5b99f9dea 100644
--- a/net/rose/af_rose.c
+++ b/net/rose/af_rose.c
@@ -396,15 +396,15 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
 {
 	struct sock *sk = sock->sk;
 	struct rose_sock *rose = rose_sk(sk);
-	int opt;
+	unsigned int opt;
 
 	if (level != SOL_ROSE)
 		return -ENOPROTOOPT;
 
-	if (optlen < sizeof(int))
+	if (optlen < sizeof(unsigned int))
 		return -EINVAL;
 
-	if (copy_from_sockptr(&opt, optval, sizeof(int)))
+	if (copy_from_sockptr(&opt, optval, sizeof(unsigned int)))
 		return -EFAULT;
 
 	switch (optname) {
@@ -413,31 +413,31 @@ static int rose_setsockopt(struct socket *sock, int level, int optname,
 		return 0;
 
 	case ROSE_T1:
-		if (opt < 1)
+		if (opt < 1 || opt > UINT_MAX / HZ)
 			return -EINVAL;
 		rose->t1 = opt * HZ;
 		return 0;
 
 	case ROSE_T2:
-		if (opt < 1)
+		if (opt < 1 || opt > UINT_MAX / HZ)
 			return -EINVAL;
 		rose->t2 = opt * HZ;
 		return 0;
 
 	case ROSE_T3:
-		if (opt < 1)
+		if (opt < 1 || opt > UINT_MAX / HZ)
 			return -EINVAL;
 		rose->t3 = opt * HZ;
 		return 0;
 
 	case ROSE_HOLDBACK:
-		if (opt < 1)
+		if (opt < 1 || opt > UINT_MAX / HZ)
 			return -EINVAL;
 		rose->hb = opt * HZ;
 		return 0;
 
 	case ROSE_IDLE:
-		if (opt < 0)
+		if (opt > UINT_MAX / (60 * HZ))
 			return -EINVAL;
 		rose->idle = opt * 60 * HZ;
 		return 0;







