RE: [PATCH] tipc: validate conn_timeout to prevent divide-by-zero
From: Tung Quang Nguyen
Date: Thu Mar 05 2026 - 22:02:21 EST
>Subject: [PATCH] tipc: validate conn_timeout to prevent divide-by-zero
Add net branch to the subject: [PATCH net]
>
>A user can set conn_timeout to any value via
>setsockopt(TIPC_CONN_TIMEOUT), including values less than 4. When a SYN
>is rejected with TIPC_ERR_OVERLOAD and the retry path in
>tipc_sk_filter_connect() executes:
>
> delay %= (tsk->conn_timeout / 4);
>
>If conn_timeout is in the range [0, 3], the integer division yields 0, and the
>modulo operation triggers a divide-by-zero exception, causing a kernel
>oops/panic.
>
>Fix this by rejecting conn_timeout values less than 4 in
>tipc_setsockopt() with -EINVAL. Values below 4ms are not meaningful as a
>connection timeout anyway.
>
>Oops: divide error: 0000 [#1] SMP KASAN NOPTI
>CPU: 0 UID: 0 PID: 119 Comm: poc-F144 Not tainted 7.0.0-rc2+
>RIP: 0010:tipc_sk_filter_rcv+0x1b99/0x3040
>Call Trace:
> tipc_sk_backlog_rcv+0xe4/0x1d0
> __release_sock+0x1ef/0x2a0
> release_sock+0x55/0x190
> tipc_connect+0x140/0x510
> __sys_connect+0x1bb/0x2e0
>
>Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket")
>Signed-off-by: Mehul Rao <mehulrao@xxxxxxxxx>
>---
> net/tipc/socket.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
>diff --git a/net/tipc/socket.c b/net/tipc/socket.c index
>4c618c2b871d..85c07b0ba0ec 100644
>--- a/net/tipc/socket.c
>+++ b/net/tipc/socket.c
>@@ -3184,6 +3184,10 @@ static int tipc_setsockopt(struct socket *sock, int lvl,
>int opt,
> tsk_set_unreturnable(tsk, value);
> break;
> case TIPC_CONN_TIMEOUT:
>+ if (value < 4) {
>+ res = -EINVAL;
>+ break;
>+ }
This needs to be fixed in function tipc_sk_filter_connect() like this:
tipc_sk_filter_connect()
{
	...
	get_random_bytes(&delay, 2);
	/* keep the divisor below at least 1 */
	if (tsk->conn_timeout < 4)
		tsk->conn_timeout = 4;
	delay %= (tsk->conn_timeout / 4);
	...
}
> tipc_sk(sk)->conn_timeout = value;
> break;
> case TIPC_MCAST_BROADCAST:
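Review bot: the `+ if (value < 4)` / `+ res = -EINVAL;` check narrows the range TIPC_CONN_TIMEOUT has accepted so far (0..3 were previously stored without error), and it only protects the setsockopt path, whereas the divisor that actually traps is `tsk->conn_timeout / 4` inside tipc_sk_filter_connect(); guarding at the point of use, as the interleaved reply suggests (clamp `tsk->conn_timeout` to at least 4, or skip the modulo when the quotient is 0), closes the oops for every writer of conn_timeout without changing the socket option's ABI. If the -EINVAL approach is kept, the commit message should state that conn_timeout is in milliseconds so that "values below 4ms are not meaningful" is verifiable from the patch itself.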
>--
>2.48.1
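The two candidate fixes discussed in this thread, modelled side by side so they can be exercised outside the kernel. This is an added illustration, not code from the patch or from net/tipc/socket.c: `struct tsk_stub`, `setsockopt_conn_timeout()`, `retry_delay_clamped()` and `retry_delay_would_trap()` are constructed names, and the two random bytes that get_random_bytes() would supply are passed in as a plain parameter.

```c
#include <stdint.h>
#include <stdbool.h>
#include <errno.h>

/* Constructed stand-in for the per-socket state (assumption: only the field
 * used by the retry computation is modelled). */
struct tsk_stub {
	uint32_t conn_timeout;   /* milliseconds, as stored by TIPC_CONN_TIMEOUT */
};

/* Model of the setsockopt-side fix from the patch: refuse timeouts below 4 ms
 * so that conn_timeout / 4 can never be 0 later. Returns 0 or -EINVAL. */
int setsockopt_conn_timeout(struct tsk_stub *tsk, uint32_t value)
{
	if (value < 4)
		return -EINVAL;
	tsk->conn_timeout = value;
	return 0;
}

/* Model of the reviewer's use-site fix: clamp the divisor right before the
 * modulo. 'rnd' stands in for the two random bytes read into 'delay'. */
uint32_t retry_delay_clamped(struct tsk_stub *tsk, uint16_t rnd)
{
	uint32_t delay = rnd;

	if (tsk->conn_timeout < 4)
		tsk->conn_timeout = 4;
	delay %= (tsk->conn_timeout / 4);   /* divisor is now at least 1 */
	return delay;
}

/* The unpatched arithmetic: true for every conn_timeout whose quotient is 0,
 * i.e. the inputs on which the original modulo raises a divide error. */
bool retry_delay_would_trap(uint32_t conn_timeout)
{
	return (conn_timeout / 4) == 0;
}
```

The use-site clamp protects every writer of conn_timeout, while the setsockopt check protects only the one entry point it sits in; either way, the bug is gone only when no input can leave the divisor at 0.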