From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Sabrina Dubroca <sd@queasysnail.net>,
Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 4.14 01/17] esp: limit skb_page_frag_refill use to a single page
Date: Mon, 11 Jul 2022 11:06:26 +0200
Message-ID: <20220711090536.292670494@linuxfoundation.org>
In-Reply-To: <20220711090536.245939953@linuxfoundation.org>
From: Sabrina Dubroca <sd@queasysnail.net>
commit 5bd8baab087dff657e05387aee802e70304cc813 upstream.
Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.
This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).
Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/esp.h | 2 --
net/ipv4/esp4.c | 5 ++---
net/ipv6/esp6.c | 5 ++---
3 files changed, 4 insertions(+), 8 deletions(-)
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,8 +4,6 @@
#include <linux/skbuff.h>
-#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
-
struct ip_esp_hdr;
static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
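Review bot: dropping ESP_SKB_FRAG_MAXSIZE from the shared header is consistent with the rest of this patch, since its only two users (the `allocsz > ESP_SKB_FRAG_MAXSIZE` tests in esp4.c and esp6.c) are removed in the hunks below; because the macro arrived in 4.14 through an earlier stable backport, a `git grep ESP_SKB_FRAG_MAXSIZE` on the 4.14 tree before applying is a cheap way to confirm no other backport started using it.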
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -257,7 +257,6 @@ int esp_output_head(struct xfrm_state *x
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
- unsigned int allocsz;
/* this is non-NULL only with UDP Encapsulation */
if (x->encap) {
@@ -267,8 +266,8 @@ int esp_output_head(struct xfrm_state *x
return err;
}
- allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
- if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
goto cow;
if (!skb_cloned(skb)) {
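Review bot: the removed `ALIGN(skb->data_len + tailen, L1_CACHE_BYTES) > ESP_SKB_FRAG_MAXSIZE` test never bounded what skb_page_frag_refill() actually returns: that helper falls back to a single order-0 page when the high-order allocation fails, and it also returns true after resetting the offset on a page whose refcount is 1, in both cases without comparing the requested size against pfrag->size. So a request below 32k could be satisfied with PAGE_SIZE bytes and the tail write that follows would run past the page. Testing `tailen` and `skb->data_len` separately against PAGE_SIZE is the right shape because those are the two sizes actually passed to skb_page_frag_refill() (tailen here in esp_output_head, skb->data_len later in esp_output_tail), and each request is now guaranteed to fit in one page regardless of which allocation path is taken. The `goto cow` fallback to skb_cow_data() costs a copy for large trailers and fragmented skbs, which is the acceptable trade for removing the out-of-bounds write.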
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -223,10 +223,9 @@ int esp6_output_head(struct xfrm_state *
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
- unsigned int allocsz;
- allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
- if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+ if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
+ ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
goto cow;
if (!skb_cloned(skb)) {
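Review bot: this condition is identical to the esp4.c hunk, and both must stay in lock step with skb_page_frag_refill()'s single-page fallback; a small static inline helper in include/net/esp.h (where ESP_SKB_FRAG_MAXSIZE used to live) would keep a future adjustment from landing in one address family only. Not a blocker for a stable backport, which rightly stays minimal.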
2022-07-11 9:06 [PATCH 4.14 00/17] 4.14.288-rc1 review Greg Kroah-Hartman
2022-07-11 9:06 ` Greg Kroah-Hartman [this message]
2022-07-11 9:06 ` [PATCH 4.14 02/17] mm/slub: add missing TID updates on slab deactivation Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 03/17] can: grcan: grcan_probe(): remove extra of_node_get() Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 04/17] can: gs_usb: gs_usb_open/close(): fix memory leak Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 05/17] usbnet: fix memory leak in error case Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 06/17] net: rose: fix UAF bug caused by rose_t0timer_expiry Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 07/17] iommu/vt-d: Fix PCI bus rescan device hot add Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 08/17] fbcon: Disallow setting font bigger than screen size Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 09/17] video: of_display_timing.h: include errno.h Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 10/17] powerpc/powernv: delay rng platform device creation until later in boot Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 11/17] xfs: remove incorrect ASSERT in xfs_rename Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 12/17] pinctrl: sunxi: a83t: Fix NAND function name for some pins Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 13/17] i2c: cadence: Unregister the clk notifier in error path Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 14/17] ida: dont use BUG_ON() for debugging Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 15/17] dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 16/17] dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate Greg Kroah-Hartman
2022-07-11 9:06 ` [PATCH 4.14 17/17] dmaengine: ti: Add missing put_device " Greg Kroah-Hartman
2022-07-12 1:11 ` [PATCH 4.14 00/17] 4.14.288-rc1 review Guenter Roeck
2022-07-12 7:20 ` Naresh Kamboju
2022-07-12 9:18 ` Jon Hunter