linux/net/sctp
Eric Dumazet 1534ff7775 sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto
syzbot reported a possible shift-out-of-bounds [1]

Blamed commit added rto_alpha_max and rto_beta_max set to 1000.

It is unclear if some sctp users are setting very large rto_alpha
and/or rto_beta.

In order to prevent user regression, perform the test at run time.

Also add READ_ONCE() annotations as sysctl values can change under us.

[1]

UBSAN: shift-out-of-bounds in net/sctp/transport.c:509:41
shift exponent 64 is too large for 32-bit type 'unsigned int'
CPU: 0 UID: 0 PID: 16704 Comm: syz.2.2320 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/02/2025
Call Trace:
 <TASK>
  __dump_stack lib/dump_stack.c:94 [inline]
  dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120
  ubsan_epilogue lib/ubsan.c:233 [inline]
  __ubsan_handle_shift_out_of_bounds+0x27f/0x420 lib/ubsan.c:494
  sctp_transport_update_rto.cold+0x1c/0x34b net/sctp/transport.c:509
  sctp_check_transmitted+0x11c4/0x1c30 net/sctp/outqueue.c:1502
  sctp_outq_sack+0x4ef/0x1b20 net/sctp/outqueue.c:1338
  sctp_cmd_process_sack net/sctp/sm_sideeffect.c:840 [inline]
  sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1372 [inline]

Fixes: b58537a1f5 ("net: sctp: fix permissions for rto_alpha and rto_beta knobs")
Reported-by: syzbot+f8c46c8b2b7f6e076e99@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/690c81ae.050a0220.3d0d33.014e.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Xin Long <lucien.xin@gmail.com>
Link: https://patch.msgid.link/20251106111054.3288127-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2025-11-10 16:21:05 -08:00
associola.c sctp: Remove unused sctp_assoc_del_peer and sctp_chunk_iif 2025-05-05 16:51:12 -07:00
auth.c sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication 2025-08-19 19:36:25 -07:00
bind_addr.c
chunk.c sctp: Use HMAC-SHA1 and HMAC-SHA256 library for chunk authentication 2025-08-19 19:36:25 -07:00
debug.c
diag.c sctp: Hold sock lock while iterating over address list 2025-11-03 17:09:36 -08:00
endpointola.c sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
input.c net: sctp: fix KMSAN uninit-value in sctp_inq_pop 2025-10-30 11:21:05 +01:00
inqueue.c sctp: avoid NULL dereference when chunk data buffer is missing 2025-10-22 19:19:31 -07:00
ipv6.c sctp: initialize more fields in sctp_v6_from_sk() 2025-08-27 17:15:21 -07:00
Kconfig sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
Makefile
objcnt.c
offload.c sctp: use skb_crc32c() instead of __skb_checksum() 2025-05-21 15:40:16 -07:00
output.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
outqueue.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
primitive.c
proc.c sctp: snmp: do not use SNMP_MIB_SENTINEL anymore 2025-09-08 18:06:21 -07:00
protocol.c ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
sm_make_chunk.c sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
sm_sideeffect.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
sm_statefuns.c net/sctp: fix a null dereference in sctp_disposition sctp_sf_do_5_1D_ce() 2025-10-06 11:07:20 -07:00
sm_statetable.c
socket.c sctp: Convert cookie authentication to use HMAC-SHA256 2025-08-19 19:36:26 -07:00
stream.c treewide: Switch/rename to timer_delete[_sync]() 2025-04-05 10:30:12 +02:00
stream_interleave.c
stream_sched.c
stream_sched_fc.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c sctp: Stop accepting md5 and sha1 for net.sctp.cookie_hmac_alg 2025-08-19 19:36:26 -07:00
transport.c sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto 2025-11-10 16:21:05 -08:00
tsnmap.c
ulpevent.c
ulpqueue.c