diff --git a/patches.kernel.org/6.2.12-051-tcp-restrict-net.ipv4.tcp_app_win.patch b/patches.kernel.org/6.2.12-051-tcp-restrict-net.ipv4.tcp_app_win.patch
new file mode 100644
index 0000000..b6f3e8d
--- /dev/null
+++ b/patches.kernel.org/6.2.12-051-tcp-restrict-net.ipv4.tcp_app_win.patch
@@ -0,0 +1,75 @@
+From: YueHaibing
+Date: Thu, 6 Apr 2023 14:34:50 +0800
+Subject: [PATCH] tcp: restrict net.ipv4.tcp_app_win
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: dc5110c2d959c1707e12df5f792f41d90614adaa
+
+[ Upstream commit dc5110c2d959c1707e12df5f792f41d90614adaa ]
+
+UBSAN: shift-out-of-bounds in net/ipv4/tcp_input.c:555:23
+shift exponent 255 is too large for 32-bit type 'int'
+CPU: 1 PID: 7907 Comm: ssh Not tainted 6.3.0-rc4-00161-g62bad54b26db-dirty #206
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
+Call Trace:
+
+ dump_stack_lvl+0x136/0x150
+ __ubsan_handle_shift_out_of_bounds+0x21f/0x5a0
+ tcp_init_transfer.cold+0x3a/0xb9
+ tcp_finish_connect+0x1d0/0x620
+ tcp_rcv_state_process+0xd78/0x4d60
+ tcp_v4_do_rcv+0x33d/0x9d0
+ __release_sock+0x133/0x3b0
+ release_sock+0x58/0x1b0
+
+'maxwin' is int, shifting int for 32 or more bits is undefined behaviour.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: YueHaibing
+Reviewed-by: Eric Dumazet
+Reviewed-by: Kuniyuki Iwashima
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Jiri Slaby
+---
+ Documentation/networking/ip-sysctl.rst | 2 ++
+ net/ipv4/sysctl_net_ipv4.c | 3 +++
+ 2 files changed, 5 insertions(+)
+
+diff --git a/Documentation/networking/ip-sysctl.rst b/Documentation/networking/ip-sysctl.rst
+index 7fbd060d..afed4928 100644
+--- a/Documentation/networking/ip-sysctl.rst
++++ b/Documentation/networking/ip-sysctl.rst
+@@ -337,6 +337,8 @@ tcp_app_win - INTEGER
+ Reserve max(window/2^tcp_app_win, mss) of window for application
+ buffer. Value 0 is special, it means that nothing is reserved.
+
++ Possible values are [0, 31], inclusive.
++
+ Default: 31
+
+ tcp_autocorking - BOOLEAN
+diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
+index 0d0cc4ef..40fe70fc 100644
+--- a/net/ipv4/sysctl_net_ipv4.c
++++ b/net/ipv4/sysctl_net_ipv4.c
+@@ -25,6 +25,7 @@ static int ip_local_port_range_min[] = { 1, 1 };
+ static int ip_local_port_range_max[] = { 65535, 65535 };
+ static int tcp_adv_win_scale_min = -31;
+ static int tcp_adv_win_scale_max = 31;
++static int tcp_app_win_max = 31;
+ static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS;
+ static int tcp_min_snd_mss_max = 65535;
+ static int ip_privileged_port_min;
+@@ -1198,6 +1199,8 @@ static struct ctl_table ipv4_net_table[] = {
+ .maxlen = sizeof(u8),
+ .mode = 0644,
+ .proc_handler = proc_dou8vec_minmax,
++ .extra1 = SYSCTL_ZERO,
++ .extra2 = &tcp_app_win_max,
+ },
+ {
+ .procname = "tcp_adv_win_scale",
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index 9baafe6..bbd6575 100644
--- a/series.conf
+++ b/series.conf
@@ -2278,6 +2278,7 @@
 patches.kernel.org/6.2.12-048-bpf-arm64-Fixed-a-BTI-error-on-returning-to-pa.patch
 patches.kernel.org/6.2.12-049-KVM-arm64-Advertise-ID_AA64PFR0_EL1.CSV2-3-to-.patch
 patches.kernel.org/6.2.12-050-niu-Fix-missing-unwind-goto-in-niu_alloc_chann.patch
+ patches.kernel.org/6.2.12-051-tcp-restrict-net.ipv4.tcp_app_win.patch
 ########################################################
 # Build fixes that apply to the vanilla kernel too.
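Review bot: The new `tcp_app_win_max` bound in net/ipv4/sysctl_net_ipv4.c has no comment saying why the limit is 31, so its link to the shift reported at net/ipv4/tcp_input.c:555 is recorded only in the commit message. I would add `/* tcp_app_win is used as a right-shift count on an int; 32 or more is undefined behaviour */` above `static int tcp_app_win_max = 31;`. The range check covers only writes that go through this table entry (`.mode = 0644`, `proc_dou8vec_minmax`), and the shift site itself is not touched by the patch, so the fix presumably relies on no other code path storing a larger value in the field; that is worth confirming against the full tree. The ctl_table entry begins above the hunk, so that it is the tcp_app_win entry is inferred from the subject line rather than visible here.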