splice_to_socket() assumes that a pipe_buffer won't hold more than a single
page of data - but this assumption can be violated by skb_splice_bits()
when it splices from a socket into a pipe.
The problem is that splice_to_socket() doesn't advance the pipe_buffer
length and offset when transcribing from the pipe buf into a bio_vec, so if
the buf is >PAGE_SIZE, it keeps repeating the same initial chunk and
doesn't advance the tail index. It then subtracts this from "remain" and
overcounts the amount of data to be sent.
The cleanup phase then tries to overclean the pipe, hits an unused pipe buf
and a NULL-pointer dereference occurs.
Fix this by not restricting the bio_vec size to PAGE_SIZE and instead
transcribing the entirety of each pipe_buffer into a single bio_vec and
advancing the tail index if remain hasn't hit zero yet.
Large bio_vecs will then be split up by iterator functions such as
iov_iter_extract_pages().
This resulted in a KASAN report looking like:
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
...
RIP: 0010:pipe_buf_release include/linux/pipe_fs_i.h:203 [inline]
RIP: 0010:splice_to_socket+0xa91/0xe30 fs/splice.c:933
Fixes: 2dc334f1a63a ("splice, net: Use sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()")
Reported-by: [email protected]
Link: https://lore.kernel.org/r/[email protected]/
Tested-by: [email protected]
Signed-off-by: David Howells <[email protected]>
cc: Willem de Bruijn <[email protected]>
cc: David Ahern <[email protected]>
cc: "David S. Miller" <[email protected]>
cc: Eric Dumazet <[email protected]>
cc: Jakub Kicinski <[email protected]>
cc: Paolo Abeni <[email protected]>
cc: Jens Axboe <[email protected]>
cc: Matthew Wilcox <[email protected]>
cc: Christian Brauner <[email protected]>
cc: Alexander Viro <[email protected]>
cc: [email protected]
cc: [email protected]
---
fs/splice.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/fs/splice.c b/fs/splice.c
index e337630aed64..567a1f03ea1e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -886,7 +886,6 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
}
seg = min_t(size_t, remain, buf->len);
- seg = min_t(size_t, seg, PAGE_SIZE);
ret = pipe_buf_confirm(pipe, buf);
if (unlikely(ret)) {
@@ -897,10 +896,9 @@ ssize_t splice_to_socket(struct pipe_inode_info *pipe, struct file *out,
bvec_set_page(&bvec[bc++], buf->page, seg, buf->offset);
remain -= seg;
- if (seg >= buf->len)
- tail++;
- if (bc >= ARRAY_SIZE(bvec))
+ if (remain == 0 || bc >= ARRAY_SIZE(bvec))
break;
+ tail++;
}
if (!bc)
Hello:
This patch was applied to netdev/net-next.git (main)
by Jakub Kicinski <[email protected]>:
On Wed, 14 Jun 2023 11:09:48 +0100 you wrote:
> splice_to_socket() assumes that a pipe_buffer won't hold more than a single
> page of data - but this assumption can be violated by skb_splice_bits()
> when it splices from a socket into a pipe.
>
> The problem is that splice_to_socket() doesn't advance the pipe_buffer
> length and offset when transcribing from the pipe buf into a bio_vec, so if
> the buf is >PAGE_SIZE, it keeps repeating the same initial chunk and
> doesn't advance the tail index. It then subtracts this from "remain" and
> overcounts the amount of data to be sent.
>
> [...]
Here is the summary with links:
- [net-next] splice, net: Fix splice_to_socket() to handle pipe bufs larger than a page
https://git.kernel.org/netdev/net-next/c/ca2d49f77ce4
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html