* [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
2015-10-15 12:07 [PATCH net 1/2] overflow-arith: begin to add support for overflow builtin functions Hannes Frederic Sowa
@ 2015-10-15 12:07 ` Hannes Frederic Sowa
0 siblings, 0 replies; 5+ messages in thread
From: Hannes Frederic Sowa @ 2015-10-15 12:07 UTC (permalink / raw)
To: netdev; +Cc: dvyukov, Hannes Frederic Sowa
Raw sockets with hdrincl enabled can insert ipv6 extension headers
right into the data stream. In case we need to fragment those packets,
we reparse the options header to find the place where we can insert
the fragment header. If the extension headers exceed the link's MTU we
actually cannot make progress in such a case.
Instead of ending up in broken arithmetic or rounding towards 0 and
entering an endless loop in ip6_fragment, just prevent those cases by
aborting early and signal -EMSGSIZE to user space.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
net/ipv6/ip6_output.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 61d403e..00aa538 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -28,6 +28,7 @@
#include <linux/errno.h>
#include <linux/kernel.h>
+#include <linux/overflow-arith.h>
#include <linux/string.h>
#include <linux/socket.h>
#include <linux/net.h>
@@ -584,7 +585,10 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb,
if (np->frag_size)
mtu = np->frag_size;
}
- mtu -= hlen + sizeof(struct frag_hdr);
+
+ if (overflow_usub(mtu, hlen + sizeof(struct frag_hdr), &mtu) ||
+ mtu <= 7)
+ goto fail_toobig;
frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
&ipv6_hdr(skb)->saddr);
--
2.4.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'"
@ 2015-10-28 12:21 Hannes Frederic Sowa
2015-10-28 12:21 ` [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Hannes Frederic Sowa
2015-10-29 14:03 ` [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" David Miller
0 siblings, 2 replies; 5+ messages in thread
From: Hannes Frederic Sowa @ 2015-10-28 12:21 UTC (permalink / raw)
To: netdev; +Cc: Hannes Frederic Sowa, Linus Torvalds
Linus dislikes these changes. To not hold up the net-merge let's revert
it for now and fix the bug like Linus suggested.
This reverts commit ec3661b42257d9a06cf0d318175623ac7a660113, reversing
changes made to c80dbe04612986fd6104b4a1be21681b113b5ac9.
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
Sorry for delaying the net pull request!
include/linux/compiler-gcc.h | 4 ----
include/linux/overflow-arith.h | 18 ------------------
net/ipv6/ip6_output.c | 6 +-----
3 files changed, 1 insertion(+), 27 deletions(-)
delete mode 100644 include/linux/overflow-arith.h
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 82c159e..dfaa7b3 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -237,10 +237,6 @@
#define KASAN_ABI_VERSION 3
#endif
-#if GCC_VERSION >= 50000
-#define CC_HAVE_BUILTIN_OVERFLOW
-#endif
-
#endif /* gcc version >= 40000 specific checks */
#if !defined(__noclone)
diff --git a/include/linux/overflow-arith.h b/include/linux/overflow-arith.h
deleted file mode 100644
index e12ccf8..0000000
--- a/include/linux/overflow-arith.h
+++ /dev/null
@@ -1,18 +0,0 @@
-#pragma once
-
-#include <linux/kernel.h>
-
-#ifdef CC_HAVE_BUILTIN_OVERFLOW
-
-#define overflow_usub __builtin_usub_overflow
-
-#else
-
-static inline bool overflow_usub(unsigned int a, unsigned int b,
- unsigned int *res)
-{
- *res = a - b;
- return *res > a ? true : false;
-}
-
-#endif
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 8dddb45..d03d6da 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -28,7 +28,6 @@
#include <linux/errno.h>
#include <linux/kernel.h>
-#include <linux/overflow-arith.h>
#include <linux/string.h>
#include <linux/socket.h>
#include <linux/net.h>
@@ -585,10 +584,7 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb,
if (np->frag_size)
mtu = np->frag_size;
}
-
- if (overflow_usub(mtu, hlen + sizeof(struct frag_hdr), &mtu) ||
- mtu <= 7)
- goto fail_toobig;
+ mtu -= hlen + sizeof(struct frag_hdr);
frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
&ipv6_hdr(skb)->saddr);
--
2.4.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
2015-10-28 12:21 [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" Hannes Frederic Sowa
@ 2015-10-28 12:21 ` Hannes Frederic Sowa
2015-10-29 14:03 ` David Miller
2015-10-29 14:03 ` [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" David Miller
1 sibling, 1 reply; 5+ messages in thread
From: Hannes Frederic Sowa @ 2015-10-28 12:21 UTC (permalink / raw)
To: netdev; +Cc: Hannes Frederic Sowa, Linus Torvalds, Dmitry Vyukov
Raw sockets with hdrincl enabled can insert ipv6 extension headers
right into the data stream. In case we need to fragment those packets,
we reparse the options header to find the place where we can insert
the fragment header. If the extension headers exceed the link's MTU we
actually cannot make progress in such a case.
Instead of ending up in broken arithmetic or rounding towards 0 and
entering an endless loop in ip6_fragment, just prevent those cases by
aborting early and signal -EMSGSIZE to user space.
This is the second version of the patch which doesn't use the
overflow_usub function, which got reverted for now.
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
---
net/ipv6/ip6_output.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index d03d6da..f84ec4e 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -584,6 +584,8 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb,
if (np->frag_size)
mtu = np->frag_size;
}
+ if (mtu < hlen + sizeof(struct frag_hdr) + 8)
+ goto fail_toobig;
mtu -= hlen + sizeof(struct frag_hdr);
frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
--
2.4.3
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'"
2015-10-28 12:21 [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" Hannes Frederic Sowa
2015-10-28 12:21 ` [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Hannes Frederic Sowa
@ 2015-10-29 14:03 ` David Miller
1 sibling, 0 replies; 5+ messages in thread
From: David Miller @ 2015-10-29 14:03 UTC (permalink / raw)
To: hannes; +Cc: netdev, torvalds
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Wed, 28 Oct 2015 13:21:03 +0100
> Linus dislikes these changes. To not hold up the net-merge let's revert
> it for now and fix the bug like Linus suggested.
>
> This reverts commit ec3661b42257d9a06cf0d318175623ac7a660113, reversing
> changes made to c80dbe04612986fd6104b4a1be21681b113b5ac9.
>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Applied.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues
2015-10-28 12:21 ` [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Hannes Frederic Sowa
@ 2015-10-29 14:03 ` David Miller
0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2015-10-29 14:03 UTC (permalink / raw)
To: hannes; +Cc: netdev, torvalds, dvyukov
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
Date: Wed, 28 Oct 2015 13:21:04 +0100
> Raw sockets with hdrincl enabled can insert ipv6 extension headers
> right into the data stream. In case we need to fragment those packets,
> we reparse the options header to find the place where we can insert
> the fragment header. If the extension headers exceed the link's MTU we
> actually cannot make progress in such a case.
>
> Instead of ending up in broken arithmetic or rounding towards 0 and
> entering an endless loop in ip6_fragment, just prevent those cases by
> aborting early and signal -EMSGSIZE to user space.
>
> This is the second version of the patch which doesn't use the
> overflow_usub function, which got reverted for now.
>
> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Applied.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-10-29 13:46 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-28 12:21 [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" Hannes Frederic Sowa
2015-10-28 12:21 ` [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Hannes Frederic Sowa
2015-10-29 14:03 ` David Miller
2015-10-29 14:03 ` [PATCH net 1/2] Revert "Merge branch 'ipv6-overflow-arith'" David Miller
-- strict thread matches above, loose matches on Subject: below --
2015-10-15 12:07 [PATCH net 1/2] overflow-arith: begin to add support for overflow builtin functions Hannes Frederic Sowa
2015-10-15 12:07 ` [PATCH net 2/2] ipv6: protect mtu calculation of wrap-around and infinite loop by rounding issues Hannes Frederic Sowa
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).