From: David Carlier
To: daniel.zahka@gmail.com, kuba@kernel.org
Cc: willemdebruijn.kernel@gmail.com, davem@davemloft.net, edumazet@google.com, pabeni@redhat.com, horms@kernel.org, raeds@nvidia.com, kees@kernel.org, cratiu@nvidia.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, David Carlier, stable@vger.kernel.org
Subject: [PATCH net v2] psp: strip variable-length PSP header in psp_dev_rcv()
Date: Fri, 1 May 2026 14:00:46 +0100
Message-ID: <20260501130046.16008-1-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0
In-Reply-To: <20260430062033.20428-1-devnexen@gmail.com>
References: <20260430062033.20428-1-devnexen@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

psp_dev_rcv() unconditionally removes a fixed PSP_ENCAP_HLEN, even when
psph->hdrlen indicates that the PSP header carries optional fields. A
frame whose PSP header advertises a non-zero VC or any extension would
therefore be silently mis-decapsulated: option bytes would spill into
the inner packet head and downstream parsing would fail on a corrupted
skb.

Compute the full PSP header length from psph->hdrlen, pull the optional
bytes into the linear region, and strip the whole header when
decapsulating. Optional fields (VC, ...) are still ignored, just
discarded with the rest of the header instead of leaking.

crypt_offset and the VIRT flag are intentionally not validated here -
callers know their device's PSP implementation and can decide.

Both in-tree callers gate on hardware-validated PSP, so this is a
correctness fix rather than a reachable corruption path under current
configurations.

Fixes: 0eddb8023cee ("psp: provide decapsulation and receive helper for drivers")
Suggested-by: Daniel Zahka
Cc: stable@vger.kernel.org
Signed-off-by: David Carlier --- v1 -> v2 (per Daniel Zahka): - strip the variable-length PSP header (psph->hdrlen) instead of rejecting opt-bearing frames; VC/options are ignored, not refused - drop the crypt_offset and PSPHDR_VERFL_VIRT checks - refresh kerneldoc above psp_dev_rcv() - retarget at net (was net-next) net/psp/psp_main.c | 41 +++++++++++++++++++++++++++++++---------- 1 file changed, 31 insertions(+), 10 deletions(-) diff --git a/net/psp/psp_main.c b/net/psp/psp_main.c index 9508b6c38003..b040345d7273 100644 --- a/net/psp/psp_main.c +++ b/net/psp/psp_main.c @@ -263,15 +263,17 @@ EXPORT_SYMBOL(psp_dev_encapsulate); /* Receive handler for PSP packets. * - * Presently it accepts only already-authenticated packets and does not - * support optional fields, such as virtualization cookies. The caller should - * ensure that skb->data is pointing to the mac header, and that skb->mac_len - * is set. This function does not currently adjust skb->csum (CHECKSUM_COMPLETE - * is not supported). + * Accepts only already-authenticated packets. The full PSP header is + * stripped according to psph->hdrlen; any optional fields it advertises + * (virtualization cookies, etc.) are ignored and discarded along with the + * rest of the header. The caller should ensure that skb->data is pointing + * to the mac header, and that skb->mac_len is set. This function does not + * currently adjust skb->csum (CHECKSUM_COMPLETE is not supported). */ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) { int l2_hlen = 0, l3_hlen, encap; + u32 psp_hdr_len; struct psp_skb_ext *pse; struct psphdr *psph; struct ethhdr *eth; 
@@ -312,18 +314,36 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) if (unlikely(uh->dest != htons(PSP_DEFAULT_UDP_PORT))) return -EINVAL; - pse = skb_ext_add(skb, SKB_EXT_PSP); - if (!pse) + psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen + + sizeof(struct udphdr)); + + /* Strip the full PSP header per psph->hdrlen; VC/options are pulled + * into the linear region only so they can be discarded with the + * rest of the header. + */ + psp_hdr_len = ((u32)psph->hdrlen + 1) * 8; + + if (unlikely(psp_hdr_len < sizeof(struct psphdr))) + return -EINVAL; + + if (psp_hdr_len > sizeof(struct psphdr) && + !pskb_may_pull(skb, l2_hlen + l3_hlen + + sizeof(struct udphdr) + psp_hdr_len)) return -EINVAL; psph = (struct psphdr *)(skb->data + l2_hlen + l3_hlen + sizeof(struct udphdr)); + + pse = skb_ext_add(skb, SKB_EXT_PSP); + if (!pse) + return -EINVAL; + pse->spi = psph->spi; pse->dev_id = dev_id; pse->generation = generation; pse->version = FIELD_GET(PSPHDR_VERFL_VERSION, psph->verfl); - encap = PSP_ENCAP_HLEN; + encap = sizeof(struct udphdr) + psp_hdr_len; encap += strip_icv ? PSP_TRL_SIZE : 0; if (proto == htons(ETH_P_IP)) { @@ -340,8 +360,9 @@ int psp_dev_rcv(struct sk_buff *skb, u16 dev_id, u8 generation, bool strip_icv) ipv6h->payload_len = htons(ntohs(ipv6h->payload_len) - encap); } - memmove(skb->data + PSP_ENCAP_HLEN, skb->data, l2_hlen + l3_hlen); - skb_pull(skb, PSP_ENCAP_HLEN); + memmove(skb->data + sizeof(struct udphdr) + psp_hdr_len, + skb->data, l2_hlen + l3_hlen); + skb_pull(skb, sizeof(struct udphdr) + psp_hdr_len); if (strip_icv) pskb_trim(skb, skb->len - PSP_TRL_SIZE); -- 2.53.0
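Review bot: In the first hunk (kerneldoc above psp_dev_rcv()), the refreshed comment says optional fields are ignored but does not say that crypt_offset and the VIRT flag are left unvalidated, which the commit message describes as a deliberate choice left to callers. A driver author reads the kerneldoc rather than the changelog, so add a sentence there stating that callers must check those fields themselves if their device's PSP implementation requires it. Minor style point in the same hunk: `u32 psp_hdr_len;` sits between the `int` line and `struct psp_skb_ext *pse;`; placing it below the pointer declarations keeps the longest-to-shortest ordering of the block.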
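Review bot: In the second hunk (@@ -312), `psph->hdrlen` is read before any pull made in this hunk, and the new pskb_may_pull() is skipped when psp_hdr_len equals sizeof(struct psphdr), so the read relies on an earlier check, outside the visible lines, having made the base PSP header linear. Please confirm that and say so in the comment. The retained second `psph = (struct psphdr *)(skb->data + ...)` assignment is now load-bearing, because pskb_may_pull() can reallocate the skb head; a one-line comment there would stop a later cleanup from removing it as a duplicate. By the same reasoning, `uh` and any other header pointer taken before the pull must not be dereferenced after it.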
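Review bot: In the last hunk (@@ -340), skb_pull() now removes a length taken from the frame, but the `pskb_trim(skb, skb->len - PSP_TRL_SIZE)` that follows and the `encap` subtraction from `ipv6h->payload_len` still assume the trailer is present after the advertised header. The pskb_may_pull() bound added in the previous hunk covers only l2_hlen + l3_hlen + sizeof(struct udphdr) + psp_hdr_len, so with strip_icv set nothing in the visible lines checks that PSP_TRL_SIZE bytes remain once the header is stripped. Consider adding PSP_TRL_SIZE to that bound when strip_icv is true, or comparing encap against the UDP length before adjusting the IP length fields. Also, `sizeof(struct udphdr) + psp_hdr_len` is now spelled out three times (encap, memmove, skb_pull); a single local would keep the three uses from drifting apart.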