From: Sasha Levin <Alexander.Levin@microsoft.com>
To: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <Alexander.Levin@microsoft.com>
Subject: [PATCH AUTOSEL 4.18 28/76] bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data
Date: Mon, 24 Sep 2018 14:48:18 +0000 [thread overview]
Message-ID: <20180924144751.164410-28-alexander.levin@microsoft.com> (raw)
In-Reply-To: <20180924144751.164410-1-alexander.levin@microsoft.com>
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit 2e43f95dd8ee62bc8bf57f2afac37fbd70c8d565 ]
If first_sg and last_sg wraps around in the scatterlist ring, then we
need to account for that in the shift as well. E.g. crafting such msgs
where this is the case leads to a hang as shift becomes negative. E.g.
consider the following scenario:
first_sg := 14 |=> shift := -12 msg->sg_start := 10
last_sg := 3 | msg->sg_end := 5
round 1: i := 15, move_from := 3, sg[15] := sg[ 3]
round 2: i := 0, move_from := -12, sg[ 0] := sg[-12]
round 3: i := 1, move_from := -11, sg[ 1] := sg[-11]
round 4: i := 2, move_from := -10, sg[ 2] := sg[-10]
[...]
round 13: i := 11, move_from := -1, sg[ 2] := sg[ -1]
round 14: i := 12, move_from := 0, sg[ 2] := sg[ 0]
round 15: i := 13, move_from := 1, sg[ 2] := sg[ 1]
round 16: i := 14, move_from := 2, sg[ 2] := sg[ 2]
round 17: i := 15, move_from := 3, sg[ 2] := sg[ 3]
[...]
This means we will loop forever and never hit the msg->sg_end condition
to break out of the loop. When we see that the ring wraps around, then
the shift should be MAX_SKB_FRAGS - first_sg + last_sg - 1. Meaning,
the remainder slots from the tail of the ring and the head until last_sg
combined.
Fixes: 015632bb30da ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
net/core/filter.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index e713a8791815..cc4d660aafe1 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2360,7 +2360,10 @@ BPF_CALL_4(bpf_msg_pull_data,
* had a single entry though we can just replace it and
* be done. Otherwise walk the ring and shift the entries.
*/
- shift = last_sg - first_sg - 1;
+ WARN_ON_ONCE(last_sg == first_sg);
+ shift = last_sg > first_sg ?
+ last_sg - first_sg - 1 :
+ MAX_SKB_FRAGS - first_sg + last_sg - 1;
if (!shift)
goto out;
--
2.17.1
next prev parent reply other threads:[~2018-09-24 20:50 UTC|newest]
Thread overview: 75+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-24 14:48 [PATCH AUTOSEL 4.18 01/76] mac80211: Run TXQ teardown code before de-registering interfaces Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 02/76] mac80211_hwsim: require at least one channel Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 03/76] Btrfs: fix unexpected failure of nocow buffered writes after snapshotting when low on space Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 04/76] KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 05/76] cfg80211: remove division by size of sizeof(struct ieee80211_wmm_rule) Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 06/76] btrfs: btrfs_shrink_device should call commit transaction at the end Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 08/76] scsi: csiostor: fix incorrect port capabilities Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 07/76] scsi: csiostor: add a check for NULL pointer after kmalloc() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 09/76] scsi: libata: Add missing newline at end of file Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 10/76] scsi: aacraid: fix a signedness bug Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 11/76] bpf, sockmap: fix potential use after free in bpf_tcp_close Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 13/76] bpf: sockmap, decrement copied count correctly in redirect error case Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 12/76] bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 15/76] mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 14/76] mac80211: " Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 16/76] cfg80211: make wmm_rule part of the reg_rule structure Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 17/76] mac80211_hwsim: Fix possible Spectre-v1 for hwsim_world_regdom_custom Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 18/76] nl80211: Fix nla_put_u8 to u16 for NL80211_WMMR_TXOP Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 19/76] nl80211: Pass center frequency in kHz instead of MHz Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 20/76] bpf: fix several offset tests in bpf_msg_pull_data Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 21/76] gpio: adp5588: Fix sleep-in-atomic-context bug Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 23/76] mac80211: avoid kernel panic when building AMSDU from non-linear SKB Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 22/76] mac80211: mesh: fix HWMP sequence numbering to follow standard Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 24/76] gpiolib: acpi: Switch to cansleep version of GPIO library call Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 25/76] gpiolib-acpi: Register GpioInt ACPI event handlers from a late_initcall Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 26/76] gpio: dwapb: Fix error handling in dwapb_gpio_probe() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 27/76] bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 29/76] bpf: fix sg shift repair start offset " Sasha Levin
2018-09-24 14:48 ` Sasha Levin [this message]
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 31/76] net: hns: add the code for cleaning pkt in chip Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 32/76] net: hns: add netif_carrier_off before change speed and duplex Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 33/76] sh_eth: Add R7S9210 support Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 34/76] net: mvpp2: initialize port of_node pointer Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 35/76] tc-testing: add test-cases for numeric and invalid control action Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 36/76] cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 37/76] mac80211: do not convert to A-MSDU if frag/subframe limited Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 38/76] mac80211: always account for A-MSDU header changes Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 39/76] tools/kvm_stat: fix python3 issues Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 40/76] tools/kvm_stat: fix handling of invalid paths in debugfs provider Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 41/76] tools/kvm_stat: fix updates for dead guests Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 42/76] gpio: Fix crash due to registration race Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 43/76] ARC: atomics: unbork atomic_fetch_##op() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 44/76] Revert "blk-throttle: fix race between blkcg_bio_issue_check() and cgroup_rmdir()" Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 45/76] md/raid5-cache: disable reshape completely Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 46/76] RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0 Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 47/76] selftests: pmtu: maximum MTU for vti4 is 2^16-1-20 Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 49/76] ibmvnic: Include missing return code checks in reset function Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 48/76] selftests: pmtu: detect correct binary to ping ipv6 addresses Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 50/76] bpf: Fix bpf_msg_pull_data() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 51/76] bpf: avoid misuse of psock when TCP_ULP_BPF collides with another ULP Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 52/76] net: ethernet: cpsw-phy-sel: prefer phandle for phy sel Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 53/76] i2c: uniphier: issue STOP only for last message or I2C_M_STOP Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 54/76] i2c: uniphier-f: " Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 56/76] fs/cifs: don't translate SFM_SLASH (U+F026) to backslash Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 55/76] net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 57/76] mac80211: fix an off-by-one issue in A-MSDU max_subframe computation Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 58/76] cfg80211: fix a type issue in ieee80211_chandef_to_operating_class() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 60/76] mac80211: fix a race between restart and CSA flows Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 59/76] mac80211: fix WMM TXOP calculation Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 61/76] mac80211: Fix station bandwidth setting after channel switch Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 62/76] mac80211: don't Tx a deauth frame if the AP forbade Tx Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 63/76] mac80211: shorten the IBSS debug messages Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 64/76] fsnotify: fix ignore mask logic in fsnotify() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 65/76] net/ibm/emac: wrong emac_calc_base call was used by typo Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 66/76] nds32: fix logic for module Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 68/76] nds32: Fix empty call trace Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 67/76] nds32: add NULL entry to the end of_device_id array Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 69/76] nds32: Fix get_user/put_user macro expand pointer problem Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 70/76] nds32: fix build error because of wrong semicolon Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 72/76] tools/vm/page-types.c: fix "defined but not used" warning Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 71/76] tools/vm/slabinfo.c: fix sign-compare warning Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 73/76] nds32: linker script: GCOV kernel may refers data in __exit Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 74/76] ceph: avoid a use-after-free in ceph_destroy_options() Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 75/76] firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero Sasha Levin
2018-09-24 14:48 ` [PATCH AUTOSEL 4.18 76/76] afs: Fix cell specification to permit an empty address list Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180924144751.164410-28-alexander.levin@microsoft.com \
--to=alexander.levin@microsoft.com \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).