From nobody Mon Sep 29 20:17:15 2025 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF0ACC3276E for ; Tue, 16 Aug 2022 00:08:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351123AbiHPAIQ (ORCPT ); Mon, 15 Aug 2022 20:08:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46346 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352446AbiHPAAZ (ORCPT ); Mon, 15 Aug 2022 20:00:25 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D79BBC7433; Mon, 15 Aug 2022 13:20:34 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 752BE6104A; Mon, 15 Aug 2022 20:20:34 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6DDF7C433D7; Mon, 15 Aug 2022 20:20:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660594833; bh=u0HsNN8rMYruFAvZHEvP0r2fe53rUhzO3lCv1NuR+A8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CbhYs7zQwps/77L4XPLC+E30k1lm6iwGSP4U7qVBgd5JQLQCnTvapm980Sz1KYmiE m72geeB1v3G9qgx9STls//aD+lv9xqLDSlebHL1lhcvnRjycBNtqr8ykaufC7ADJZ1 jd7Mv99YBe12XG6Ay0dQOpp5ymuEG6rz/Kk/TtFc= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Linus Torvalds , "Jason A. Donenfeld" , Jakub Kicinski , Sasha Levin Subject: [PATCH 5.19 0573/1157] wireguard: allowedips: dont corrupt stack when detecting overflow Date: Mon, 15 Aug 2022 19:58:49 +0200 Message-Id: <20220815180502.556642003@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220815180439.416659447@linuxfoundation.org> References: <20220815180439.416659447@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Type: text/plain; charset="utf-8" From: Jason A. Donenfeld [ Upstream commit c31b14d86dfe7174361e8c6e5df6c2c3a4d5918c ] In case push_rcu() and related functions are buggy, there's a WARN_ON(len >=3D 128), which the selftest tries to hit by being tricky. In case it is hit, we shouldn't corrupt the kernel's stack, though; otherwise it may be hard to even receive the report that it's buggy. So conditionalize the stack write based on that WARN_ON()'s return value. Note that this never *actually* happens anyway. The WARN_ON() in the first place is bounded by IS_ENABLED(DEBUG), and isn't expected to ever actually hit. This is just a debugging sanity check. Additionally, hoist the constant 128 into a named enum, MAX_ALLOWEDIPS_BITS, so that it's clear why this value is chosen. Suggested-by: Linus Torvalds Link: https://lore.kernel.org/all/CAHk-=3DwjJZGA6w_DxA+k7Ejbqsq+uGK=3D=3Dko= Pai3sqdsfJqemvag@mail.gmail.com/ Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin --- drivers/net/wireguard/allowedips.c | 9 ++++++--- drivers/net/wireguard/selftest/allowedips.c | 6 +++--- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireguard/allowedips.c b/drivers/net/wireguard/all= owedips.c index 9a4c8ff32d9d..5bf7822c53f1 100644 --- a/drivers/net/wireguard/allowedips.c +++ b/drivers/net/wireguard/allowedips.c @@ -6,6 +6,8 @@ #include "allowedips.h" #include "peer.h" =20 +enum { MAX_ALLOWEDIPS_BITS =3D 128 }; + static struct kmem_cache *node_cache; =20 static void swap_endian(u8 *dst, const u8 *src, u8 bits) @@ -40,7 +42,8 @@ static void push_rcu(struct allowedips_node **stack, struct allowedips_node __rcu *p, unsigned int *len) { if (rcu_access_pointer(p)) { - WARN_ON(IS_ENABLED(DEBUG) && *len >=3D 128); + if (WARN_ON(IS_ENABLED(DEBUG) && *len >=3D MAX_ALLOWEDIPS_BITS)) + return; stack[(*len)++] =3D rcu_dereference_raw(p); } } @@ -52,7 +55,7 @@ static void node_free_rcu(struct rcu_head *rcu) =20 static void root_free_rcu(struct rcu_head *rcu) { - struct allowedips_node *node, *stack[128] =3D { + struct allowedips_node *node, *stack[MAX_ALLOWEDIPS_BITS] =3D { container_of(rcu, struct allowedips_node, rcu) }; unsigned int len =3D 1; =20 @@ -65,7 +68,7 @@ static void root_free_rcu(struct rcu_head *rcu) =20 static void root_remove_peer_lists(struct allowedips_node *root) { - struct allowedips_node *node, *stack[128] =3D { root }; + struct allowedips_node *node, *stack[MAX_ALLOWEDIPS_BITS] =3D { root }; unsigned int len =3D 1; =20 while (len > 0 && (node =3D stack[--len])) { diff --git a/drivers/net/wireguard/selftest/allowedips.c b/drivers/net/wire= guard/selftest/allowedips.c index e173204ae7d7..41db10f9be49 100644 --- a/drivers/net/wireguard/selftest/allowedips.c +++ b/drivers/net/wireguard/selftest/allowedips.c @@ -593,10 +593,10 @@ bool __init wg_allowedips_selftest(void) wg_allowedips_remove_by_peer(&t, a, &mutex); test_negative(4, a, 192, 168, 0, 1); =20 - /* These will hit the WARN_ON(len >=3D 128) in free_node if something - * goes wrong. + /* These will hit the WARN_ON(len >=3D MAX_ALLOWEDIPS_BITS) in free_node + * if something goes wrong. */ - for (i =3D 0; i < 128; ++i) { + for (i =3D 0; i < MAX_ALLOWEDIPS_BITS; ++i) { part =3D cpu_to_be64(~(1LLU << (i % 64))); memset(&ip, 0xff, 16); memcpy((u8 *)&ip + (i < 64) * 8, &part, 8); --=20 2.35.1