From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sabrina Dubroca, Steffen Klassert, Sasha Levin
Subject: [PATCH 5.15 027/124] esp: limit skb_page_frag_refill use to a single page
Date: Tue, 26 Apr 2022 10:20:28 +0200
Message-Id: <20220426081748.076838969@linuxfoundation.org>
X-Mailer: git-send-email 2.36.0
In-Reply-To: <20220426081747.286685339@linuxfoundation.org>
References: <20220426081747.286685339@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sabrina Dubroca

[ Upstream commit 5bd8baab087dff657e05387aee802e70304cc813 ]

Commit ebe48d368e97 ("esp: Fix possible buffer overflow in ESP transformation") tried to fix skb_page_frag_refill usage in ESP by capping allocsize to 32k, but that doesn't completely solve the issue, as skb_page_frag_refill may return a single page. If that happens, we will write out of bounds, despite the check introduced in the previous patch.

This patch forces COW in cases where we would end up calling skb_page_frag_refill with a size larger than a page (first in esp_output_head with tailen, then in esp_output_tail with skb->data_len).

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
---
 include/net/esp.h | 2 --
 net/ipv4/esp4.c   | 5 ++---
 net/ipv6/esp6.c   | 5 ++---
 3 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/include/net/esp.h b/include/net/esp.h index 90cd02ff77ef..9c5637d41d95 100644 --- a/include/net/esp.h +++ b/include/net/esp.h @@ -4,8 +4,6 @@ #include -#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) - struct ip_esp_hdr; static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 70e6c87fbe3d..d747166bb291 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c @@ -446,7 +446,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * struct page *page; struct sk_buff *trailer; int tailen = esp->tailen; - unsigned int allocsz; /* this is non-NULL only with TCP/UDP Encapsulation */ if (x->encap) { @@ -456,8 +455,8 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info * return err; } - allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); - if (allocsz > ESP_SKB_FRAG_MAXSIZE) + if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || + ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) goto cow; if (!skb_cloned(skb)) { diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 5023f59a5b96..6219d97cac7a 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -483,7 +483,6 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info struct page *page; struct sk_buff *trailer; int tailen = esp->tailen; - unsigned int allocsz; if (x->encap) { int err = esp6_output_encap(x, skb, esp); @@ -492,8 +491,8 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info return err; } - allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); - if (allocsz > ESP_SKB_FRAG_MAXSIZE) + if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE || + ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE) goto cow; if (!skb_cloned(skb)) { -- 2.35.1
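Review bot: dropping ESP_SKB_FRAG_MAXSIZE from include/net/esp.h (the `-#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)` line) is only safe if the two comparisons replaced in esp4.c and esp6.c were its sole users; the diffstat (3 files changed) suggests so, but the 5.15 backport should be confirmed with a tree-wide grep before merging, since the macro was added by the previous stable fix (ebe48d368e97) and a missed user would now fail to build. With the macro gone the 32k cap disappears entirely and the per-page comparison is the only remaining guard, which the commit message should state explicitly.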
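Review bot: the new `if` in esp_output_head (net/ipv4/esp4.c, hunk @@ -456) tests skb->data_len even though only tailen is refilled in this function; a one-line comment above it explaining that the cow-vs-page-frag decision taken here also binds the later esp_output_tail refill of skb->data_len, and that each refill must fit a single PAGE_SIZE page because skb_page_frag_refill may return only one page, would save the next reader from wondering why the two sizes are no longer summed. The split into two separate comparisons is the right shape for that reasoning (the aligned sum could be under 32k while one part alone exceeds a page), and `> PAGE_SIZE` rather than `>=` correctly keeps a request of exactly one aligned page on the fast path.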
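Review bot: the condition added to esp6_output_head (net/ipv6/esp6.c, hunk @@ -492) is byte-for-byte the same as the esp4.c one, and the two stacks have already drifted once (separate Fixes: tags for cac2661c53f3 and 03e2a30f6a27); a small shared inline helper in include/net/esp.h, for instance a hypothetical `esp_frag_fits_page(skb, tailen)`, would keep the next change in one place. Not something to block a minimal stable backport on, but worth a follow-up upstream.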
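The commit message argues that capping the aligned sum of tailen and skb->data_len at 32k is not enough once skb_page_frag_refill may hand back a single page, and that each refill request must instead fit one page on its own. The following is an added model of the two policies, not code from the kernel or from this patch: PAGE_SIZE, L1_CACHE_BYTES, SKB_FRAG_PAGE_ORDER and the ALIGN macro are redefined locally with assumed x86-like values, and `policy_is_safe` stands in for the out-of-bounds write the message describes by checking whether each refill request would fit in a single page when no COW is forced.

```c
/* Added example (not kernel code): models the old and new ESP
 * cow-or-page-frag decision. Constants below are assumptions for the model. */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE            4096u
#define L1_CACHE_BYTES       64u
#define SKB_FRAG_PAGE_ORDER  3              /* assumed: 32k compound frag */
#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
#define ALIGN(x, a)          (((x) + ((a) - 1)) & ~((a) - 1))

/* Old policy (ebe48d368e97 as backported): cap the aligned sum at 32k. */
static bool old_policy_must_cow(unsigned int data_len, unsigned int tailen)
{
    unsigned int allocsz = ALIGN(data_len + tailen, L1_CACHE_BYTES);
    return allocsz > ESP_SKB_FRAG_MAXSIZE;
}

/* New policy (this patch): each refill request must fit in one page. */
static bool new_policy_must_cow(unsigned int data_len, unsigned int tailen)
{
    return ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
           ALIGN(data_len, L1_CACHE_BYTES) > PAGE_SIZE;
}

/* Worst case from the commit message: skb_page_frag_refill returned a
 * single PAGE_SIZE page. A write of 'need' bytes is in bounds only if the
 * aligned request fits that one page. */
static bool fits_single_page(unsigned int need)
{
    return ALIGN(need, L1_CACHE_BYTES) <= PAGE_SIZE;
}

/* A policy is safe for an input if it forces COW (skb_cow_data path, no
 * page-frag write at all) or both refills (tailen in esp_output_head,
 * data_len in esp_output_tail) fit a single page. */
static bool policy_is_safe(bool (*must_cow)(unsigned int, unsigned int),
                           unsigned int data_len, unsigned int tailen)
{
    if (must_cow(data_len, tailen))
        return true;
    return fits_single_page(tailen) && fits_single_page(data_len);
}

int main(void)
{
    /* Constructed input: a trailer larger than one page but well under 32k.
     * The old cap lets it through; the new per-page check forces COW. */
    unsigned int data_len = 0, tailen = 6000;

    printf("old policy: cow=%d safe=%d\n",
           old_policy_must_cow(data_len, tailen),
           policy_is_safe(old_policy_must_cow, data_len, tailen));
    printf("new policy: cow=%d safe=%d\n",
           new_policy_must_cow(data_len, tailen),
           policy_is_safe(new_policy_must_cow, data_len, tailen));
    return 0;
}
```

The 6000-byte case is the gap the patch closes: its aligned size (6016) is under the old 32k cap, so the old policy stays on the page-frag path, yet it does not fit a 4096-byte page. Requests at or below one aligned page still take the fast path under the new policy, so the change costs nothing for the common small-trailer case.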