Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2020326pxa; Mon, 3 Aug 2020 05:34:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzfqQ9nyMUFL4VkNjbq5OJGT7RPPwAz/QQBlosMCs/mtehfvYaGYKb0xNmNYWff1Db96duU X-Received: by 2002:a05:6402:17f7:: with SMTP id t23mr15745152edy.301.1596458047748; Mon, 03 Aug 2020 05:34:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1596458047; cv=none; d=google.com; s=arc-20160816; b=VDtJNDuTpDGsnnCg4rIdLuA6z79gUgOk+dJJQKPqevZDZFOR/sZKLDcR/sHE+rAd5F FmwgFCctBjckHBh44yvqkfbI+0OXHJ2ZVS3jM5C44/74NmdQ8g8+9H9W8qa9u20eI0ea 48a8+DPry9vG/XTHg0nuXXthuyiWYtCHhWzTP2u8UkrXenILfXFeDlKyWkPm7h44aUJ6 Rf9n3Vuea8cjNpMYS2CzjYWoF5XlkEtTzckR6EPWKDVsSkHe84s5KmnhFxXn48t6IqaB 5NcAB/6Ai8Xynx4X01LhJn6vW9gbjwsd9YlVfxlTWDAgEex/7fDku1ZEyIyoyEqrKNeQ ip2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=wJkC8iu6pDgTOLY2kAEgHgBVF6Hfbgv0vnNpH4ROTQc=; b=ObWarHWVR2rfi8Fr+eF0bWQ3kp4VLZy2MB97h7AsgtYqvn4jQ/5MNtumjFTF5mfxIj 6rPOdCKRQI27jOkwQOMGP0NPbIkzV0ibBbxVJTNV0vi7fqvUYmvmOE3Xqfi6ES3gwgW9 Yav6fufKf881h/KuCcZCGCa0/1LVQIaM8lcWgS3nwgDJwUZZnfuj87CuIgdb84XgTvUi tIZOolc+7l0b7/MTpCVqT6k5N+7JaGF7R3ZtGkBF+lerWtmL2lfasGmAeiOJIzpoCuzO oUwyFL/MYmrir46N0bxVI9TkSsgdjCnK6wYFqDPO5Sm9Wpo+S7ocW5UG5LzJHzgvt727 KjWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=YhSl0rV3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id e11si2142215ejk.250.2020.08.03.05.33.45; Mon, 03 Aug 2020 05:34:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=YhSl0rV3; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728893AbgHCMcm (ORCPT + 99 others); Mon, 3 Aug 2020 08:32:42 -0400 Received: from mail.kernel.org ([198.145.29.99]:60588 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729333AbgHCMcg (ORCPT ); Mon, 3 Aug 2020 08:32:36 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id A5FD6204EC; Mon, 3 Aug 2020 12:32:34 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1596457955; bh=t2oT0uhxQ0+DVoa3OutONu5D6FifUlSdmQ2IaDTNpbU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=YhSl0rV3Zn2voRDxzk4fbdvE/Z+LZxCHjW9+iZxL/O0X6J0peYsSKTRzSo9dYPGjA qAvEqHNXPk0pbneyvRKETX8ybRosFjuZrs4lFlICGEnRnVLjpPRsDHFsapMkw3+6zO KSogFdUbUH7j13hFeGPTqE2QKAGZEeP+r1oR+RA4= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, guodeqing , Robin Murphy , Will Deacon , Sasha Levin Subject: [PATCH 4.19 42/56] arm64: csum: Fix handling of bad packets Date: Mon, 3 Aug 2020 14:19:57 +0200 Message-Id: <20200803121852.370952603@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200803121850.306734207@linuxfoundation.org> References: <20200803121850.306734207@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Robin Murphy [ Upstream commit 05fb3dbda187bbd9cc1cd0e97e5d6595af570ac6 ] Although iph is expected to point to at least 20 bytes of valid memory, ihl may be bogus, for example on reception of a corrupt packet. If it happens to be less than 5, we really don't want to run away and dereference 16GB worth of memory until it wraps back to exactly zero... Fixes: 0e455d8e80aa ("arm64: Implement optimised IP checksum helpers") Reported-by: guodeqing Signed-off-by: Robin Murphy Signed-off-by: Will Deacon Signed-off-by: Sasha Levin --- arch/arm64/include/asm/checksum.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/checksum.h b/arch/arm64/include/asm/checksum.h index 0b6f5a7d4027c..fd11e0d70e446 100644 --- a/arch/arm64/include/asm/checksum.h +++ b/arch/arm64/include/asm/checksum.h @@ -30,16 +30,17 @@ static inline __sum16 ip_fast_csum(const void *iph, unsigned int ihl) { __uint128_t tmp; u64 sum; + int n = ihl; /* we want it signed */ tmp = *(const __uint128_t *)iph; iph += 16; - ihl -= 4; + n -= 4; tmp += ((tmp >> 64) | (tmp << 64)); sum = tmp >> 64; do { sum += *(const u32 *)iph; iph += 4; - } while (--ihl); + } while (--n > 0); sum += ((sum >> 32) | (sum << 32)); return csum_fold((__force u32)(sum >> 32)); -- 2.25.1