Re: [PATCH net] net: sock: prevent integer overflow in sock_reserve_memory()

From: Kuniyuki Iwashima

Date: Sat Jul 11 2026 - 09:14:21 EST


On Fri, Jul 10, 2026 at 6:00 PM Xiang Mei (Microsoft) <xmei5@xxxxxxx> wrote:
>
> sock_reserve_memory() adds 'pages << PAGE_SHIFT' (a plain int) to the int
> sk->sk_forward_alloc. An unprivileged SO_RESERVE_MEM caller can drive the
> accumulating counter past INT_MAX and wrap it negative, either in one
> INT_MAX request (0x80000000) or across several smaller ones.
> The corrupted sk_forward_alloc then trips WARN_ON_ONCE() in
> inet_sock_destruct() on close (a panic under panic_on_warn/oops=panic).
>
> Bound the field that overflows: compute the new sk_forward_alloc in u64 and
> reject with -EINVAL anything exceeding INT_MAX.
>
> Kernel panic - not syncing: kernel: panic_on_warn set ...
> __warn (kernel/panic.c:1054)
> ...
> RIP: 0010:inet_sock_destruct (net/ipv4/af_inet.c:161)
> __sk_destruct (net/core/sock.c:2357)
> inet_release (net/ipv4/af_inet.c:442)
> sock_close (net/socket.c:1501)
> __fput (fs/file_table.c:512)
> __x64_sys_close (fs/open.c:1511)
> do_syscall_64 (arch/x86/entry/syscall_64.c:94)
>
> Fixes: 2bb2f5fb21b0 ("net: add new socket option SO_RESERVE_MEM")
> Reported-by: AutonomousCodeSecurity@xxxxxxxxxxxxx
> Signed-off-by: Xiang Mei (Microsoft) <xmei5@xxxxxxx>

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>