Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Vaibhav Rustagi]

[-- Attachment #1: Type: text/plain, Size: 784 bytes --]

Hi Greg,

To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
commit "esp: Fix possible buffer overflow in ESP transformation"
(ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
versions are attached.

In order to backport the original commit, following changes are done:

 - v5.10:
    - "SKB_FRAG_PAGE_ORDER" declaration is moved from
"net/core/sock.c" to "include/net/sock.c"

 - v5.4:
    - "SKB_FRAG_PAGE_ORDER" declaration is moved from
"net/core/sock.c" to "include/net/sock.c"
    - Ignore changes introduced due to `xfrm: add support for UDPv6
encapsulation of ESP` in esp6_output_head()

Can you help in cherry-picking the commit to above stable branches?

Thanks,
Vaibhav

[-- Attachment #2: 5-4-esp-Fix-possible-buffer-overflow-in-ESP-transformati.patch --]
[-- Type: application/octet-stream, Size: 3788 bytes --]

From 33c40493a6b79866065afe041818e424f8bbf264 Mon Sep 17 00:00:00 2001
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 7 Mar 2022 13:11:39 +0100
Subject: [PATCH] esp: Fix possible buffer overflow in ESP transformation

The maximum message size that can be send is bigger than
the  maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

For having the patch build on v5.4, following changes are done:
 - `SKB_FRAG_PAGE_ORDER` declaration is moved from net/core/sock.c to include/net/sock.c.
 - Remove changes introduced due to `xfrm: add support for UDPv6 encapsulation of ESP` in esp6_output_head

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
---
 include/net/esp.h  | 2 ++
 include/net/sock.h | 3 +++
 net/core/sock.c    | 2 --
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 5 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/include/net/esp.h b/include/net/esp.h
index 117652eb6ea3..465e38890ee9 100644
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,6 +4,8 @@
 
 #include <linux/skbuff.h>
 
+#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
+
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
diff --git a/include/net/sock.h b/include/net/sock.h
index 079b5f6f13d8..7f213cfcb3cc 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2583,6 +2583,9 @@ extern int sysctl_optmem_max;
 extern __u32 sysctl_wmem_default;
 extern __u32 sysctl_rmem_default;
 
+
+/* On 32bit arches, an skb frag is limited to 2^15 */
+#define SKB_FRAG_PAGE_ORDER	get_order(32768)
 DECLARE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key);
 
 static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
diff --git a/net/core/sock.c b/net/core/sock.c
index 57b7a10703c3..c84f68bff7f5 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2355,8 +2355,6 @@ static void sk_leave_memory_pressure(struct sock *sk)
 	}
 }
 
-/* On 32bit arches, an skb frag is limited to 2^15 */
-#define SKB_FRAG_PAGE_ORDER	get_order(32768)
 DEFINE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key);
 
 /**
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 00210e55b4cd..ef20f550d2f8 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -277,6 +277,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	/* this is non-NULL only with UDP Encapsulation */
 	if (x->encap) {
@@ -286,6 +287,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 7a739f16d82b..79f117e33b80 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -230,6 +230,11 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
+
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
 
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
-- 
2.35.1.894.gb6a874cedc-goog


[-- Attachment #3: 5-10-esp-Fix-possible-buffer-overflow-in-ESP-transformati.patch --]
[-- Type: application/octet-stream, Size: 3806 bytes --]

From 862d44d130e14ba26ab69f28d3153b788f5b6f67 Mon Sep 17 00:00:00 2001
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 7 Mar 2022 13:11:39 +0100
Subject: [PATCH] esp: Fix possible buffer overflow in ESP transformation

[ Upstream commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 ]

The maximum message size that can be send is bigger than
the  maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

For having the patch build on v5.10, `SKB_FRAG_PAGE_ORDER` declaration
is moved from net/core/sock.c to include/net/sock.c.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
---
 include/net/esp.h  | 2 ++
 include/net/sock.h | 1 +
 net/core/sock.c    | 1 -
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 5 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/include/net/esp.h b/include/net/esp.h
index 9c5637d41d95..90cd02ff77ef 100644
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,6 +4,8 @@
 
 #include <linux/skbuff.h>
 
+#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
+
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
diff --git a/include/net/sock.h b/include/net/sock.h
index bb40d4de545c..9426af15b1b8 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2670,6 +2670,7 @@ extern int sysctl_optmem_max;
 extern __u32 sysctl_wmem_default;
 extern __u32 sysctl_rmem_default;
 
+#define SKB_FRAG_PAGE_ORDER     get_order(32768)
 DECLARE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key);
 
 static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
diff --git a/net/core/sock.c b/net/core/sock.c
index 6d9af4ef93d7..bee3c320dbfe 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2445,7 +2445,6 @@ static void sk_leave_memory_pressure(struct sock *sk)
 	}
 }
 
-#define SKB_FRAG_PAGE_ORDER	get_order(32768)
 DEFINE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key);
 
 /**
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 4b834bbf95e0..9aae82145bc1 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -448,6 +448,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	/* this is non-NULL only with TCP/UDP Encapsulation */
 	if (x->encap) {
@@ -457,6 +458,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index fc8acb15dcfb..a28301a4cc8f 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -483,6 +483,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	if (x->encap) {
 		int err = esp6_output_encap(x, skb, esp);
@@ -491,6 +492,10 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
-- 
2.35.1.894.gb6a874cedc-goog

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Greg KH]

On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> Hi Greg,
> 
> To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> commit "esp: Fix possible buffer overflow in ESP transformation"
> (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> versions are attached.
> 
> In order to backport the original commit, following changes are done:
> 
>  - v5.10:
>     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> "net/core/sock.c" to "include/net/sock.c"

Did you see that this is already in the 5.10 queue and out for review
right now?  Can you verify that the backport there matches yours?

>  - v5.4:
>     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> "net/core/sock.c" to "include/net/sock.c"
>     - Ignore changes introduced due to `xfrm: add support for UDPv6
> encapsulation of ESP` in esp6_output_head()

Thanks for this one, I'll queue it up after this next round of releases.
What about 4.14 and 4.19?  Will this backport work there?  If not, can
you provide a working one?

thanks,

greg k-h

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Vaibhav Rustagi]

On Tue, Mar 22, 2022 at 2:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> > Hi Greg,
> >
> > To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> > commit "esp: Fix possible buffer overflow in ESP transformation"
> > (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> > cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> > versions are attached.
> >
> > In order to backport the original commit, following changes are done:
> >
> >  - v5.10:
> >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > "net/core/sock.c" to "include/net/sock.c"
>
> Did you see that this is already in the 5.10 queue and out for review
> right now?  Can you verify that the backport there matches yours?
>

I was not aware that I could check that. Thanks for the hint.

The change is not exactly identical. In addition to the change
mentioned in https://www.spinics.net/lists/stable/msg542796.html, I
have also removed following from "net/core/sock.c":

-#define SKB_FRAG_PAGE_ORDER get_order(32768)

This is done because "net/core/sock.c" includes "include/net/sock.h"
which defined the MACRO.

> >  - v5.4:
> >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > "net/core/sock.c" to "include/net/sock.c"
> >     - Ignore changes introduced due to `xfrm: add support for UDPv6
> > encapsulation of ESP` in esp6_output_head()
>
> Thanks for this one, I'll queue it up after this next round of releases.
> What about 4.14 and 4.19?  Will this backport work there?  If not, can
> you provide a working one?
>

I haven't tested the change in v4.14 and v4.19. I will check out those
trees and check whether the current patch will work or not.

> thanks,
>
> greg k-h

Regards,
Vaibhav

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Vaibhav Rustagi]

[-- Attachment #1: Type: text/plain, Size: 2204 bytes --]

On Tue, Mar 22, 2022 at 9:53 AM Vaibhav Rustagi
<vaibhavrustagi@google.com> wrote:
>
> On Tue, Mar 22, 2022 at 2:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> > > Hi Greg,
> > >
> > > To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> > > commit "esp: Fix possible buffer overflow in ESP transformation"
> > > (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> > > cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> > > versions are attached.
> > >
> > > In order to backport the original commit, following changes are done:
> > >
> > >  - v5.10:
> > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > "net/core/sock.c" to "include/net/sock.c"
> >
> > Did you see that this is already in the 5.10 queue and out for review
> > right now?  Can you verify that the backport there matches yours?
> >
>
> I was not aware that I could check that. Thanks for the hint.
>
> The change is not exactly identical. In addition to the change
> mentioned in https://www.spinics.net/lists/stable/msg542796.html, I
> have also removed following from "net/core/sock.c":
>
> -#define SKB_FRAG_PAGE_ORDER get_order(32768)
>
> This is done because "net/core/sock.c" includes "include/net/sock.h"
> which defined the MACRO.
>
> > >  - v5.4:
> > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > "net/core/sock.c" to "include/net/sock.c"
> > >     - Ignore changes introduced due to `xfrm: add support for UDPv6
> > > encapsulation of ESP` in esp6_output_head()
> >
> > Thanks for this one, I'll queue it up after this next round of releases.
> > What about 4.14 and 4.19?  Will this backport work there?  If not, can
> > you provide a working one?
> >
>
> I haven't tested the change in v4.14 and v4.19. I will check out those
> trees and check whether the current patch will work or not.
>

The changes for v4.14 and v4.19 are the same as what is sent for v5.4.
However, the v5.4 patch didn't apply cleanly and I have attached
patches for v4.14 (tested build on v4.14.272) and v4.19 (tested build
on v4.19.235).

> > thanks,
> >
> > greg k-h
>
> Regards,
> Vaibhav

[-- Attachment #2: 4-14-esp-Fix-possible-buffer-overflow-in-ESP-transformati.patch --]
[-- Type: application/octet-stream, Size: 3531 bytes --]

From 514622a26e1b14b396b074faf0c7b8ed060c882b Mon Sep 17 00:00:00 2001
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 7 Mar 2022 13:11:39 +0100
Subject: [PATCH] esp: Fix possible buffer overflow in ESP transformation

[ Upstream commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 ]

The maximum message size that can be send is bigger than
the  maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
---
 include/net/esp.h  | 2 ++
 include/net/sock.h | 3 +++
 net/core/sock.c    | 3 ---
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/net/esp.h b/include/net/esp.h
index 117652eb6ea3..465e38890ee9 100644
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,6 +4,8 @@
 
 #include <linux/skbuff.h>
 
+#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
+
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
diff --git a/include/net/sock.h b/include/net/sock.h
index 029df5cdeaf1..f72753391acc 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2438,4 +2438,7 @@ extern int sysctl_optmem_max;
 extern __u32 sysctl_wmem_default;
 extern __u32 sysctl_rmem_default;
 
+/* On 32bit arches, an skb frag is limited to 2^15 */
+#define SKB_FRAG_PAGE_ORDER	get_order(32768)
+
 #endif	/* _SOCK_H */
diff --git a/net/core/sock.c b/net/core/sock.c
index 427024597204..bbf9517218ff 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2193,9 +2193,6 @@ static void sk_leave_memory_pressure(struct sock *sk)
 	}
 }
 
-/* On 32bit arches, an skb frag is limited to 2^15 */
-#define SKB_FRAG_PAGE_ORDER	get_order(32768)
-
 /**
  * skb_page_frag_refill - check that a page_frag contains enough room
  * @sz: minimum size of the fragment we want to get
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 9e664b6cef13..38e2aa2b2a31 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -257,6 +257,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	/* this is non-NULL only with UDP Encapsulation */
 	if (x->encap) {
@@ -266,6 +267,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index dd1f4ed3fc2b..a9baf562bb9b 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -223,6 +223,11 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
+
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
 
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
-- 
2.35.1.1021.g381101b075-goog


[-- Attachment #3: 4-19-esp-Fix-possible-buffer-overflow-in-ESP-transformati.patch --]
[-- Type: application/octet-stream, Size: 3647 bytes --]

From 865dd1705dd4c5e50d2a58e5d7dac26dc754ed56 Mon Sep 17 00:00:00 2001
From: Steffen Klassert <steffen.klassert@secunet.com>
Date: Mon, 7 Mar 2022 13:11:39 +0100
Subject: [PATCH] esp: Fix possible buffer overflow in ESP transformation

[ Upstream commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 ]

The maximum message size that can be send is bigger than
the  maximum site that skb_page_frag_refill can allocate.
So it is possible to write beyond the allocated buffer.

Fix this by doing a fallback to COW in that case.

v2:

Avoid get get_order() costs as suggested by Linus Torvalds.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Reported-by: valis <sec@valis.email>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
---
 include/net/esp.h  | 2 ++
 include/net/sock.h | 3 +++
 net/core/sock.c    | 3 ---
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/net/esp.h b/include/net/esp.h
index 117652eb6ea3..465e38890ee9 100644
--- a/include/net/esp.h
+++ b/include/net/esp.h
@@ -4,6 +4,8 @@
 
 #include <linux/skbuff.h>
 
+#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
+
 struct ip_esp_hdr;
 
 static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
diff --git a/include/net/sock.h b/include/net/sock.h
index 75677050c82e..2bf8dcf863f2 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2518,6 +2518,9 @@ extern int sysctl_optmem_max;
 extern __u32 sysctl_wmem_default;
 extern __u32 sysctl_rmem_default;
 
+/* On 32bit arches, an skb frag is limited to 2^15 */
+#define SKB_FRAG_PAGE_ORDER	get_order(32768)
+
 static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
 {
 	/* Does this proto have per netns sysctl_wmem ? */
diff --git a/net/core/sock.c b/net/core/sock.c
index 41a77027a549..79f085df52ce 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -2207,9 +2207,6 @@ static void sk_leave_memory_pressure(struct sock *sk)
 	}
 }
 
-/* On 32bit arches, an skb frag is limited to 2^15 */
-#define SKB_FRAG_PAGE_ORDER	get_order(32768)
-
 /**
  * skb_page_frag_refill - check that a page_frag contains enough room
  * @sz: minimum size of the fragment we want to get
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 0792a9e2a555..45bb5b60b994 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -275,6 +275,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
 
 	/* this is non-NULL only with UDP Encapsulation */
 	if (x->encap) {
@@ -284,6 +285,10 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 			return err;
 	}
 
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
+
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
 			nfrags = 1;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 25317d5ccf2c..e3abfc97fde7 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -241,6 +241,11 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	struct page *page;
 	struct sk_buff *trailer;
 	int tailen = esp->tailen;
+	unsigned int allocsz;
+
+	allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
+	if (allocsz > ESP_SKB_FRAG_MAXSIZE)
+		goto cow;
 
 	if (!skb_cloned(skb)) {
 		if (tailen <= skb_tailroom(skb)) {
-- 
2.35.1.1021.g381101b075-goog

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Greg KH]

On Tue, Mar 22, 2022 at 01:42:50PM -0700, Vaibhav Rustagi wrote:
> On Tue, Mar 22, 2022 at 9:53 AM Vaibhav Rustagi
> <vaibhavrustagi@google.com> wrote:
> >
> > On Tue, Mar 22, 2022 at 2:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> > > > Hi Greg,
> > > >
> > > > To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> > > > commit "esp: Fix possible buffer overflow in ESP transformation"
> > > > (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> > > > cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> > > > versions are attached.
> > > >
> > > > In order to backport the original commit, following changes are done:
> > > >
> > > >  - v5.10:
> > > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > > "net/core/sock.c" to "include/net/sock.c"
> > >
> > > Did you see that this is already in the 5.10 queue and out for review
> > > right now?  Can you verify that the backport there matches yours?
> > >
> >
> > I was not aware that I could check that. Thanks for the hint.
> >
> > The change is not exactly identical. In addition to the change
> > mentioned in https://www.spinics.net/lists/stable/msg542796.html, I
> > have also removed following from "net/core/sock.c":
> >
> > -#define SKB_FRAG_PAGE_ORDER get_order(32768)
> >
> > This is done because "net/core/sock.c" includes "include/net/sock.h"
> > which defined the MACRO.
> >
> > > >  - v5.4:
> > > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > > "net/core/sock.c" to "include/net/sock.c"
> > > >     - Ignore changes introduced due to `xfrm: add support for UDPv6
> > > > encapsulation of ESP` in esp6_output_head()
> > >
> > > Thanks for this one, I'll queue it up after this next round of releases.
> > > What about 4.14 and 4.19?  Will this backport work there?  If not, can
> > > you provide a working one?
> > >
> >
> > I haven't tested the change in v4.14 and v4.19. I will check out those
> > trees and check whether the current patch will work or not.
> >
> 
> The changes for v4.14 and v4.19 are the same as what is sent for v5.4.
> However, the v5.4 patch didn't apply cleanly and I have attached
> patches for v4.14 (tested build on v4.14.272) and v4.19 (tested build
> on v4.19.235).

Thank you for all of these, all now queued up.

greg k-h

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Greg KH]

On Tue, Mar 22, 2022 at 09:53:09AM -0700, Vaibhav Rustagi wrote:
> On Tue, Mar 22, 2022 at 2:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> >
> > On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> > > Hi Greg,
> > >
> > > To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> > > commit "esp: Fix possible buffer overflow in ESP transformation"
> > > (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> > > cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> > > versions are attached.
> > >
> > > In order to backport the original commit, following changes are done:
> > >
> > >  - v5.10:
> > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > "net/core/sock.c" to "include/net/sock.c"
> >
> > Did you see that this is already in the 5.10 queue and out for review
> > right now?  Can you verify that the backport there matches yours?
> >
> 
> I was not aware that I could check that. Thanks for the hint.
> 
> The change is not exactly identical. In addition to the change
> mentioned in https://www.spinics.net/lists/stable/msg542796.html, I
> have also removed following from "net/core/sock.c":

Please use lore.kernel.org for mailing list links.

> 
> -#define SKB_FRAG_PAGE_ORDER get_order(32768)
> 
> This is done because "net/core/sock.c" includes "include/net/sock.h"
> which defined the MACRO.

So is the backport correct?  Or just different?

thanks,

greg k-h

Re: Cherry-pick request to fix CVE-2022-0886 in v5.10 and v5.4

[Vaibhav Rustagi]

On Wed, Mar 23, 2022 at 12:01 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Tue, Mar 22, 2022 at 09:53:09AM -0700, Vaibhav Rustagi wrote:
> > On Tue, Mar 22, 2022 at 2:04 AM Greg KH <gregkh@linuxfoundation.org> wrote:
> > >
> > > On Mon, Mar 21, 2022 at 06:49:02PM -0700, Vaibhav Rustagi wrote:
> > > > Hi Greg,
> > > >
> > > > To fix CVE-2022-0886 in v5.10 and v5.4, we need to cherry-pick the
> > > > commit "esp: Fix possible buffer overflow in ESP transformation"
> > > > (ebe48d368e97d007bfeb76fcb065d6cfc4c96645). The commit didn't apply
> > > > cleanly in v5.10 and v5.4 and therefore, patches for both the kernel
> > > > versions are attached.
> > > >
> > > > In order to backport the original commit, following changes are done:
> > > >
> > > >  - v5.10:
> > > >     - "SKB_FRAG_PAGE_ORDER" declaration is moved from
> > > > "net/core/sock.c" to "include/net/sock.c"
> > >
> > > Did you see that this is already in the 5.10 queue and out for review
> > > right now?  Can you verify that the backport there matches yours?
> > >
> >
> > I was not aware that I could check that. Thanks for the hint.
> >
> > The change is not exactly identical. In addition to the change
> > mentioned in https://www.spinics.net/lists/stable/msg542796.html, I
> > have also removed following from "net/core/sock.c":
>
> Please use lore.kernel.org for mailing list links.
>
> >
> > -#define SKB_FRAG_PAGE_ORDER get_order(32768)
> >
> > This is done because "net/core/sock.c" includes "include/net/sock.h"
> > which defined the MACRO.
>
> So is the backport correct?  Or just different?
>
Backport in the mailing list is correct. I have tried that as well for
build and I didn't find any warning.

> thanks,
>
> greg k-h