Re: [PATCH] net: qrtr: fix 32-bit integer overflow in qrtr_endpoint_post()

From: Simon Horman

Date: Fri Jun 12 2026 - 13:12:31 EST


On Thu, Jun 11, 2026 at 08:54:55AM -0400, Michael Bommarito wrote:
> qrtr_endpoint_post() validates an incoming packet with
>
>	if (!size || len != ALIGN(size, 4) + hdrlen)
>		goto err;
>
> where size comes from the wire. On 32-bit, size_t is 32 bits and
> ALIGN(size, 4) wraps to 0 for size >= 0xfffffffd, so the check
> passes and skb_put_data(skb, data + hdrlen, size) writes past the
> hdrlen-sized skb and oopses the kernel. 64-bit is unaffected.
>
> This is the 32-bit residual of ad9d24c9429e2 ("net: qrtr: fix OOB
> Read in qrtr_endpoint_post"), which fixed only the 64-bit case.
>
> Reject any size that cannot fit the buffer before the ALIGN.
>
> Fixes: ad9d24c9429e2 ("net: qrtr: fix OOB Read in qrtr_endpoint_post")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-8
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
> ---
> 32-bit only; reachable via /dev/qrtr-tun (CONFIG_QRTR_TUN) or a QMI modem.
> Reproduced on i386 (a 32-byte write with size 0xfffffffd faults; well-formed
> writes are unaffected). QRTR mostly runs on 64-bit now, so this is a
> correctness fix completing ad9d24c9429e2, not a high-severity bug.

Reviewed-by: Simon Horman <horms@xxxxxxxxxx>
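To make the arithmetic in the description concrete, here is an added example that is not part of the patch or of the kernel source: it evaluates the quoted check with size_t modelled as 32 and as 64 bits, then a bounded variant in the spirit of "reject any size that cannot fit the buffer before the ALIGN". The header and packet lengths, and the function names, are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same expression as the kernel's ALIGN(x, a) for power-of-two a,
 * evaluated in 32-bit and in 64-bit unsigned arithmetic. */
static uint32_t align32(uint32_t x, uint32_t a) { return (x + a - 1) & ~(a - 1); }
static uint64_t align64(uint64_t x, uint64_t a) { return (x + a - 1) & ~(a - 1); }

/* The check as quoted in the description, with size_t as 32 bits.
 * Returns true when the packet would be accepted. */
static bool original_check32(uint32_t len, uint32_t hdrlen, uint32_t size)
{
	return size && len == align32(size, 4) + hdrlen;
}

/* The same check with size_t as 64 bits: 0xfffffffd + 3 does not wrap,
 * so the oversized packet is rejected, matching "64-bit is unaffected". */
static bool original_check64(uint64_t len, uint64_t hdrlen, uint64_t size)
{
	return size && len == align64(size, 4) + hdrlen;
}

/* Illustrative hardened check (not the merged patch): size must fit in the
 * bytes that follow the header before any ALIGN arithmetic is done, so a
 * wire value that would wrap can never reach the aligned comparison. */
static bool bounded_check32(uint32_t len, uint32_t hdrlen, uint32_t size)
{
	if (!size || len < hdrlen || size > len - hdrlen)
		return false;
	return len == align32(size, 4) + hdrlen;
}

int main(void)
{
	/* Constructed values: a 20-byte header with no payload, wire size 0xfffffffd. */
	const uint32_t hdrlen = 20, len = 20, bad = 0xfffffffdu;

	printf("ALIGN32(0x%08x, 4) = 0x%08x\n", bad, align32(bad, 4));
	printf("32-bit original check accepts: %d\n", original_check32(len, hdrlen, bad));
	printf("64-bit original check accepts: %d\n", original_check64(len, hdrlen, bad));
	printf("32-bit bounded check accepts:  %d\n", bounded_check32(len, hdrlen, bad));
	/* A well-formed 7-byte payload padded to 8 still passes the bounded check. */
	printf("bounded check, size 7, len 28: %d\n", bounded_check32(28, hdrlen, 7));
	return 0;
}
```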