From: Henry Martin <bsdhenryma@tencent.com>
The vulnerability is triggered when processing a malicious VMCI datagram
with an extremely large `payload_size` value. The attack path is:

1. Attacker crafts a malicious `vmci_datagram` with `payload_size` set
   to a value near `SIZE_MAX` (e.g., `SIZE_MAX - offsetof(struct vmci_datagram, payload) + 1`)
2. The function calculates `size = VMCI_DG_SIZE(dg)`, where
   `VMCI_DG_SIZE(dg)` expands to `offsetof(struct vmci_datagram, payload) + dg->payload_size`
3. Integer overflow occurs during this addition, making `size` smaller
   than the actual datagram size
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Reported-by: TCS Robot <tcs_robot@tencent.com>
Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
---
net/vmw_vsock/vmci_transport.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
index 7eccd6708d66..07079669dd09 100644
--- a/net/vmw_vsock/vmci_transport.c
+++ b/net/vmw_vsock/vmci_transport.c
@@ -630,6 +630,10 @@ static int vmci_transport_recv_dgram_cb(void *data, struct vmci_datagram *dg)
if (!vmci_transport_allow_dgram(vsk, dg->src.context))
return VMCI_ERROR_NO_ACCESS;
+ /* Validate payload size to prevent integer overflow */
+ if (dg->payload_size > SIZE_MAX - offsetof(struct vmci_datagram, payload))
+ return VMCI_ERROR_INVALID_ARGS;
+
size = VMCI_DG_SIZE(dg);
/* Attach the packet to the socket's receive queue as an sk_buff. */
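Review bot: `offsetof(struct vmci_datagram, payload)` on the new `if` line names a member that does not exist, so this hunk does not build; the kernel test robot output later in this thread shows exactly that error at `vmci_transport.c:634`, and Wang Liang raised the same point. The bound has to be written with the header-size term that `VMCI_DG_SIZE` really expands to (check its definition in the header; the expansion given in the commit message is wrong for the same reason), and the patch needs a compile test before it is resent. Separately, the commit message does not show how a datagram with a `payload_size` near `SIZE_MAX` can reach this callback at all, given that `dg` is handed in by the VMCI layer rather than read from the socket; either document that path or state why the guard is still wanted.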
--
2.41.3
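To make the size-computation overflow the commit message describes concrete, and to show the check a receiver actually needs, here is a small added example. It is not code from the patch or from the kernel: `struct demo_datagram`, `DEMO_HEADERSIZE` and `DEMO_MAX_DG_SIZE` are constructed stand-ins with only the shape (fixed header plus a 64-bit size field) of the discussion, and the real `struct vmci_datagram`, as the replies note, has no `payload` member, so its actual header-size term must be taken from the kernel header rather than from this demo. The unchecked form wraps; the checked form uses `__builtin_add_overflow` (GCC/Clang) instead of the subtraction idiom and adds an explicit upper bound, because "does not wrap" is not the same as "is a size the receiver should allocate".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for a datagram header: a fixed header followed by
 * payload_size bytes of payload. This is NOT the kernel's struct
 * vmci_datagram and the names below are hypothetical; only the shape
 * (fixed header + 64-bit size field) matches the discussion.
 */
struct demo_datagram {
	uint64_t dst;
	uint64_t src;
	uint64_t payload_size;
};

#define DEMO_HEADERSIZE   sizeof(struct demo_datagram)
/* Hypothetical upper bound on one datagram, standing in for whatever the
 * receiver is willing to allocate for a single message. */
#define DEMO_MAX_DG_SIZE  ((size_t)65536)

/* The unchecked computation the commit message describes: header size plus
 * payload_size, done in size_t. Near SIZE_MAX the addition wraps and the
 * result is smaller than the header alone, let alone the payload. */
static size_t unchecked_size(uint64_t payload_size)
{
	return DEMO_HEADERSIZE + (size_t)payload_size;
}

/* A payload_size chosen so that header + payload wraps to 1 in 64-bit
 * size_t (constructed value for the demonstration). */
static uint64_t wrapping_payload(void)
{
	return UINT64_MAX - DEMO_HEADERSIZE + 1;
}

/*
 * Overflow-safe size computation.
 *
 * __builtin_add_overflow evaluates the sum in infinite precision and reports
 * whether it fits in *out, so it also covers a u64 payload_size that does
 * not fit a 32-bit size_t at all. The explicit cap then rejects anything
 * larger than the receiver is prepared to allocate.
 *
 * Returns true and stores the total on success, false on rejection.
 */
static bool checked_size(uint64_t payload_size, size_t *out)
{
	size_t total;

	if (__builtin_add_overflow(DEMO_HEADERSIZE, payload_size, &total))
		return false;
	if (total > DEMO_MAX_DG_SIZE)
		return false;
	*out = total;
	return true;
}

/* The same wrap test written in the subtraction form the patch attempts:
 * reject when payload_size exceeds what can still be added to the header
 * without wrapping. Shown for comparison with the builtin above; note it
 * says nothing about whether the size is reasonable. */
static bool fits_without_wrap(uint64_t payload_size)
{
	return payload_size <= (uint64_t)(SIZE_MAX - DEMO_HEADERSIZE);
}

/* Single-value convenience: validated size, or 0 when rejected (0 can never
 * be a valid size because the header is always counted). */
static size_t accepted_size(uint64_t payload_size)
{
	size_t n;

	return checked_size(payload_size, &n) ? n : 0;
}

int main(void)
{
	uint64_t bad = wrapping_payload();

	printf("header %zu bytes, unchecked size for wrapping payload: %zu\n",
	       DEMO_HEADERSIZE, unchecked_size(bad));
	printf("fits_without_wrap: payload 100 -> %d, wrapping -> %d\n",
	       fits_without_wrap(100), fits_without_wrap(bad));
	printf("accepted_size: payload 100 -> %zu, wrapping -> %zu, 1 MiB -> %zu\n",
	       accepted_size(100), accepted_size(bad),
	       accepted_size((uint64_t)1 << 20));
	return 0;
}
```

The builtin form is preferable to the hand-written subtraction because it needs no knowledge of the header constant's type or width and cannot be mis-stated the way the hunk's `offsetof` bound was; the cap is the part a receiver that allocates per message cannot do without.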
On 2025/8/5 12:17, bsdhenrymartin@gmail.com wrote:
> From: Henry Martin <bsdhenryma@tencent.com>
>
> The vulnerability is triggered when processing a malicious VMCI datagram
> with an extremely large `payload_size` value. The attack path is:
>
> 1. Attacker crafts a malicious `vmci_datagram` with `payload_size` set
>    to a value near `SIZE_MAX` (e.g., `SIZE_MAX - offsetof(struct
>    vmci_datagram, payload) + 1`)
> 2. The function calculates: `size = VMCI_DG_SIZE(dg)` Where
>    `VMCI_DG_SIZE(dg)` expands to `offsetof(struct vmci_datagram,
>    payload) + dg->payload_size`
> 3. Integer overflow occurs during this addition, making `size` smaller
>    than the actual datagram size
>
> Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
> Reported-by: TCS Robot <tcs_robot@tencent.com>
> Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
> ---
>  net/vmw_vsock/vmci_transport.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
> index 7eccd6708d66..07079669dd09 100644
> --- a/net/vmw_vsock/vmci_transport.c
> +++ b/net/vmw_vsock/vmci_transport.c
> @@ -630,6 +630,10 @@ static int vmci_transport_recv_dgram_cb(void *data, struct vmci_datagram *dg)
>  if (!vmci_transport_allow_dgram(vsk, dg->src.context))
>  return VMCI_ERROR_NO_ACCESS;
>
> + /* Validate payload size to prevent integer overflow */
> + if (dg->payload_size > SIZE_MAX - offsetof(struct vmci_datagram, payload))
> + return VMCI_ERROR_INVALID_ARGS;
> +

The struct vmci_datagram has no member 'payload'. Your patch may
trigger a compile error.

>  size = VMCI_DG_SIZE(dg);
>
>  /* Attach the packet to the socket's receive queue as an sk_buff. */
On Tue, Aug 05, 2025 at 03:07:38PM +0800, Wang Liang wrote:
>
> On 2025/8/5 12:17, bsdhenrymartin@gmail.com wrote:
>> From: Henry Martin <bsdhenryma@tencent.com>
>>
>> The vulnerability is triggered when processing a malicious VMCI datagram
>> with an extremely large `payload_size` value. The attack path is:
>>
>> 1. Attacker crafts a malicious `vmci_datagram` with `payload_size` set
>>    to a value near `SIZE_MAX` (e.g., `SIZE_MAX - offsetof(struct
>>    vmci_datagram, payload) + 1`)
>> 2. The function calculates: `size = VMCI_DG_SIZE(dg)` Where
>>    `VMCI_DG_SIZE(dg)` expands to `offsetof(struct vmci_datagram,
>>    payload) + dg->payload_size`
>> 3. Integer overflow occurs during this addition, making `size` smaller
>>    than the actual datagram size
>>
>> Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
>> Reported-by: TCS Robot <tcs_robot@tencent.com>
>> Signed-off-by: Henry Martin <bsdhenryma@tencent.com>
>> ---
>>  net/vmw_vsock/vmci_transport.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c
>> index 7eccd6708d66..07079669dd09 100644
>> --- a/net/vmw_vsock/vmci_transport.c
>> +++ b/net/vmw_vsock/vmci_transport.c
>> @@ -630,6 +630,10 @@ static int vmci_transport_recv_dgram_cb(void *data, struct vmci_datagram *dg)
>>  if (!vmci_transport_allow_dgram(vsk, dg->src.context))
>>  return VMCI_ERROR_NO_ACCESS;
>> + /* Validate payload size to prevent integer overflow */
>> + if (dg->payload_size > SIZE_MAX - offsetof(struct vmci_datagram, payload))
>> + return VMCI_ERROR_INVALID_ARGS;
>> +
>
>
> The struct vmci_datagram has no member 'payload'. Your patch may
> trigger compile error.

@Wang thanks for the highlight!

mmm, so this is the 3rd no-sense patch from the same author!

Last advice for the author, please fix your bot and try your patches
before submitting them!

Stefano

>
>>  size = VMCI_DG_SIZE(dg);
>>  /* Attach the packet to the socket's receive queue as an sk_buff. */
>
Hi,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]
[also build test ERROR on net/main linus/master v6.16 next-20250806]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/bsdhenrymartin-gmail-com/VSOCK-fix-Integer-Overflow-in-vmci_transport_recv_dgram_cb/20250806-105210
base:   net-next/main
patch link:    https://lore.kernel.org/r/20250805041748.1728098-1-tcs_kernel%40tencent.com
patch subject: [PATCH] VSOCK: fix Integer Overflow in vmci_transport_recv_dgram_cb()
config: x86_64-rhel-9.4 (https://download.01.org/0day-ci/archive/20250807/202508070446.83Vp7qaK-lkp@intel.com/config)
compiler: gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250807/202508070446.83Vp7qaK-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202508070446.83Vp7qaK-lkp@intel.com/

All errors (new ones prefixed by >>):

   In file included from include/uapi/linux/posix_types.h:5,
                    from include/uapi/linux/types.h:14,
                    from include/linux/types.h:6,
                    from net/vmw_vsock/vmci_transport.c:8:
   net/vmw_vsock/vmci_transport.c: In function 'vmci_transport_recv_dgram_cb':
>> include/linux/stddef.h:16:33: error: 'struct vmci_datagram' has no member named 'payload'
      16 | #define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER)
         |                                 ^~~~~~~~~~~~~~~~~~
   net/vmw_vsock/vmci_transport.c:634:43: note: in expansion of macro 'offsetof'
     634 |         if (dg->payload_size > SIZE_MAX - offsetof(struct vmci_datagram, payload))
         |                                           ^~~~~~~~
--
   In file included from include/uapi/linux/posix_types.h:5,
                    from include/uapi/linux/types.h:14,
                    from include/linux/types.h:6,
                    from vmci_transport.c:8:
   vmci_transport.c: In function 'vmci_transport_recv_dgram_cb':
>> include/linux/stddef.h:16:33: error: 'struct vmci_datagram' has no member named 'payload'
      16 | #define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER)
         |                                 ^~~~~~~~~~~~~~~~~~
   vmci_transport.c:634:43: note: in expansion of macro 'offsetof'
     634 |         if (dg->payload_size > SIZE_MAX - offsetof(struct vmci_datagram, payload))
         |                                           ^~~~~~~~


vim +16 include/linux/stddef.h

6e218287432472 Richard Knutsson 2006-09-30  14  
^1da177e4c3f41 Linus Torvalds   2005-04-16  15  #undef offsetof
14e83077d55ff4 Rasmus Villemoes 2022-03-23 @16  #define offsetof(TYPE, MEMBER) __builtin_offsetof(TYPE, MEMBER)
3876488444e712 Denys Vlasenko   2015-03-09  17  

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki