From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Friedemann Gerold, Igor Russkikh, "David S. Miller", Sasha Levin
Subject: [PATCH AUTOSEL 4.18 49/58] net: aquantia: memory corruption on jumbo frames
Date: Mon, 8 Oct 2018 11:25:14 -0400
Message-Id: <20181008152523.70705-49-sashal@kernel.org>
In-Reply-To: <20181008152523.70705-1-sashal@kernel.org>
References: <20181008152523.70705-1-sashal@kernel.org>
List-ID: linux-kernel@vger.kernel.org

From: Friedemann Gerold

[ Upstream commit d26ed6b0e5e23190d43ab34bc69cbecdc464a2cf ]

This patch fixes the skb_shared area, which will be corrupted upon
reception of 4K jumbo packets.

Originally, the purpose of using build_skb was to reuse the page for the
skb to eliminate the need for extra fragments. But that logic does not
take into account that skb_shared_info should be reserved at the end of
the skb data area.

In case the packet data consumes the whole page (4K), the skb_shinfo
location overflows the page. As a consequence, __build_skb zeroed shinfo
data above the allocated page, corrupting the next page.

The issue is rarely seen in real life because jumbo frames are normally
larger than 4K and that causes another code path to trigger.
But it is 100% reproducible with a simple scapy packet, like:

    sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
          / Raw(RandString(size=(4096-40))), iface="enp1s0")

Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
Reported-by: Friedemann Gerold
Reported-by: Michael Rauch
Signed-off-by: Friedemann Gerold
Tested-by: Nikita Danilov
Signed-off-by: Igor Russkikh
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 .../net/ethernet/aquantia/atlantic/aq_ring.c | 32 +++++++++++--------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c
index b5f1f62e8e25..d1e1a0ba8615 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ring.c +++ b/drivers/net/ethernet/aquantia/atlantic/aq_ring.c @@ -225,9 +225,10 @@ int aq_ring_rx_clean(struct aq_ring_s *self, } /* for single fragment packets use build_skb() */ - if (buff->is_eop) { + if (buff->is_eop && + buff->len <= AQ_CFG_RX_FRAME_MAX - AQ_SKB_ALIGN) { skb = build_skb(page_address(buff->page), - buff->len + AQ_SKB_ALIGN); + AQ_CFG_RX_FRAME_MAX); if (unlikely(!skb)) { err = -ENOMEM; goto err_exit; @@ -247,18 +248,21 @@ int aq_ring_rx_clean(struct aq_ring_s *self, buff->len - ETH_HLEN, SKB_TRUESIZE(buff->len - ETH_HLEN)); - for (i = 1U, next_ = buff->next, - buff_ = &self->buff_ring[next_]; true; - next_ = buff_->next, - buff_ = &self->buff_ring[next_], ++i) { - skb_add_rx_frag(skb, i, buff_->page, 0, - buff_->len, - SKB_TRUESIZE(buff->len - - ETH_HLEN)); - buff_->is_cleaned = 1; - - if (buff_->is_eop) - break; + if (!buff->is_eop) { + for (i = 1U, next_ = buff->next, + buff_ = &self->buff_ring[next_]; + true; next_ = buff_->next, + buff_ = &self->buff_ring[next_], ++i) { + skb_add_rx_frag(skb, i, + buff_->page, 0, + buff_->len, + SKB_TRUESIZE(buff->len - + ETH_HLEN)); + buff_->is_cleaned = 1; + + if (buff_->is_eop) + break; + } } } -- 2.17.1
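Review bot: the new guard `buff->len <= AQ_CFG_RX_FRAME_MAX - AQ_SKB_ALIGN` in the first hunk only keeps skb_shared_info inside the buffer if AQ_SKB_ALIGN is at least SKB_DATA_ALIGN(sizeof(struct skb_shared_info)), which is what build_skb() carves off the end of the frag_size it is handed; that definition lives outside this hunk, so a short comment at the condition (or a BUILD_BUG_ON tying the two together) would stop them drifting apart in a later edit. Passing AQ_CFG_RX_FRAME_MAX instead of `buff->len + AQ_SKB_ALIGN` to build_skb() also means every single-fragment skb is now charged truesize for the whole receive buffer rather than for the packet length; that is the honest accounting for a page that is held in full, but it changes socket memory accounting and deserves a sentence in the commit message.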
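Review bot: in the second hunk the re-indented loop still sizes every additional fragment from the first buffer, `SKB_TRUESIZE(buff->len - ETH_HLEN)`, rather than from the fragment actually being added (`buff_->len`); since these lines are being touched anyway, switching to `buff_->len` (or to the full buffer size, matching the single-fragment path above) would make the per-fragment accounting consistent. The `if (!buff->is_eop)` wrapper is the right companion to the first hunk: an end-of-packet buffer that is too full for build_skb() now falls through to the else path and must not be followed by a walk to `buff->next`. The loop also has no bound against MAX_SKB_FRAGS, so a comment stating which descriptor-side limit guarantees `i` stays in range would help the next reader.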