• Eric Dumazet's avatar
    tcp: fix TCP_REPAIR_QUEUE bound checking · 2071f49e
    Eric Dumazet authored
    BugLink: http://bugs.launchpad.net/bugs/1774173
    
    commit bf2acc94 upstream.
    
    syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out()
    with following C-repro :
    
    socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
    setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
    setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
    bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
    sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
    	1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
    setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
    writev(3, [{"\270", 1}], 1)             = 1
    setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
    writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144
    
    The 3rd system call looks odd :
    setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
    
    This patch makes sure bound checking is using an unsigned compare.
    
    Fixes: ee995283 ("tcp: Initial repair mode")
    Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
    Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
    Cc: Pavel Emelyanov <xemul@parallels.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
    Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
    2071f49e
tcp.c 83.2 KB