Received: by 2002:ab2:1689:0:b0:1f7:5705:b850 with SMTP id d9csp861649lqa; Sun, 28 Apr 2024 07:29:35 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWnIBIwcbmGwJUhAyd0UsQ3BGKpkNHwE6XfCVPq76YAXgNQWC31I9u7UBJr+EIbF/5k99HxrPtlbBMzUrFjcjn3NagG1cmPs9LUFJsQUQ== X-Google-Smtp-Source: AGHT+IEvxryBXm+lQwaeT/lTN342k1DLiMF7FHKSSHMDThfiS74T4Mn+vZhl5rhbCY5f7O4LWHMX X-Received: by 2002:a17:90a:a582:b0:2a2:eb67:b20a with SMTP id b2-20020a17090aa58200b002a2eb67b20amr4039834pjq.42.1714314575711; Sun, 28 Apr 2024 07:29:35 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714314575; cv=pass; d=google.com; s=arc-20160816; b=GxxmSoixmsg7xf/b/rOqDpmmWMWVj6kSwlRCHe1MZVXlMy4VicP8wHdqS3jvi5czre g4zItAZt8qcpWEIpZKmaiM+PxTNH/ND5L4hCvLRfFs0yDntQTVNiugENHMfx9FyxS/e7 +kntgawirIuPQvUjAM26RzqoA8p3zw6/2Xeac8n13n5loaKAmmOCmDlOdCpXJorrkvVW TOgFCWYZptEWiTuKbsoJdOeOAnwyZzoApEIfFuMA23EbXZ9NWQeuMvKmWevWMceCid5f b7IDUZLJccV9bXbtAZ961M+eCdMDLmlosu0YHcAisGLNDnAY3R8PIde6UFj90euVM0Wg JeKA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence :message-id:date:subject:cc:to:from:dkim-signature; bh=+AJLIaBitYxpEmHqEZ77HT8/gK2VQB6rWKd5c7RlOhA=; fh=g2Z6nFUi9O7M4WruPoeiD/fr6oRKSTFifkQcLJdXMp0=; b=PLmOEXhIKpV9br3Jf4Y16SV3PRidBuo6V7VrE0CQtJjUg0YRw3GgLujbMH64NILa/9 iDYxjI8T/WnBeG8c12A1vtSkNi7e3vKjXA63nCZZ7Fj8Oe4dla5hFtfxy7zfy2a+hPTI Im1nU+pZHZN3xVi9WqWHj5OUHbQiPHDIUjWzc022Ckk6vpTPjtO3oXVxfKaVusIQC2Z+ QYgkawrsroellKNuRKhdRz2gayWcmd9LbgdHQLoYrM+IGpLyhmXLEJ35102HOdOS56zd UjEocSRlmbyi/TuZ/hL6HkHHNSxFZgt7zS43gKCKItWodHqZmiEOexw7LD7cso124LLj BL/w==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=sXwpeMVa; arc=pass (i=1 spf=pass spfdomain=mediatek.com dkim=pass dkdomain=mediatek.com dmarc=pass fromdomain=mediatek.com); spf=pass (google.com: domain of linux-kernel+bounces-161452-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161452-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [2604:1380:45e3:2400::1]) by mx.google.com with ESMTPS id u32-20020a632360000000b005dc855c40a4si18049226pgm.645.2024.04.28.07.29.35 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 28 Apr 2024 07:29:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-161452-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) client-ip=2604:1380:45e3:2400::1; Authentication-Results: mx.google.com; dkim=pass header.i=@mediatek.com header.s=dk header.b=sXwpeMVa; arc=pass (i=1 spf=pass spfdomain=mediatek.com dkim=pass dkdomain=mediatek.com dmarc=pass fromdomain=mediatek.com); spf=pass (google.com: domain of linux-kernel+bounces-161452-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45e3:2400::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-161452-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mediatek.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 4CE6E2819B2 for ; Sun, 28 Apr 2024 14:29:35 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 9FD016EB72; Sun, 28 Apr 2024 14:29:28 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b="sXwpeMVa" Received: from mailgw01.mediatek.com (unknown [60.244.123.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D6A5A1C32; Sun, 28 Apr 2024 14:29:23 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=60.244.123.138 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714314567; cv=none; b=uRpA8SrhYnkV9Bu3HpF7MU0BT1Mf0+demejSL2G5SutWb4jETT7jF+LAWsr4fE28ymkkyqViwYrxCegz4zyzTHqoyqWgOAaVLELf5z0sBOyR8ivPPo0AWwIqfGxp9hXvIYYqFccT+K4fYfZiAoj+sSCUL+s+0flYhCq++YbWDEQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714314567; c=relaxed/simple; bh=pEOEFwml9g9Ku1dfnMgPeNijnvjb2rGfZrouDU5XDvs=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=O+7ARqPXee4yxe4nzttFbcAViYqK3diKFRoZnHworYNvTYmWfj5N3/nl3Kc1n3wZPPw6IlaZivOqSwyUpCLHCmqIL/yyagX2vWnUkdqOyh152OW9JGFsLGJ4rQ6g61yIdcfy3Sg2TkVk3tlfIH4BGDFJRCn3gESpdL8/Zp1kKZs= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com; spf=pass smtp.mailfrom=mediatek.com; dkim=pass (1024-bit key) header.d=mediatek.com header.i=@mediatek.com header.b=sXwpeMVa; arc=none smtp.client-ip=60.244.123.138 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=mediatek.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=mediatek.com X-UUID: b2522164056b11efb92737409a0e9459-20240428 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mediatek.com; s=dk; h=Content-Type:MIME-Version:Message-ID:Date:Subject:CC:To:From; bh=+AJLIaBitYxpEmHqEZ77HT8/gK2VQB6rWKd5c7RlOhA=; b=sXwpeMVaadQuhbwLlpl8riuhQtqjOyMbj8n9tZlrkBbxt9Y4ZPnbF0fnqheyAzzcU8MzU3MLv+LlqPSx/xThANZj3sxqIPVSS2Nu6tSJFkUhBfcnMH5KNKKZhqdrmAN+zBRfm5E9TazusmfGvB7Ita7Ml12Ycb+XLXIot2ezQoo=; X-CID-P-RULE: Release_Ham X-CID-O-INFO: VERSION:1.1.38,REQID:a218aa2d-9b93-4571-bfc4-a000bf3160cd,IP:0,U RL:0,TC:0,Content:0,EDM:0,RT:0,SF:0,FILE:0,BULK:0,RULE:Release_Ham,ACTION: release,TS:0 X-CID-META: VersionHash:82c5f88,CLOUDID:010ab166-72bc-4ae0-ab39-a531fe78e0a5,B ulkID:nil,BulkQuantity:0,Recheck:0,SF:102,TC:nil,Content:0,EDM:-3,IP:nil,U RL:11|1,File:nil,RT:nil,Bulk:nil,QS:nil,BEC:nil,COL:0,OSI:0,OSA:0,AV:0,LES :1,SPR:NO,DKR:0,DKP:0,BRR:0,BRE:0 X-CID-BVR: 0 X-CID-BAS: 0,_,0,_ X-CID-FACTOR: TF_CID_SPAM_SNR,TF_CID_SPAM_ULN X-UUID: b2522164056b11efb92737409a0e9459-20240428 Received: from mtkmbs14n1.mediatek.inc [(172.21.101.75)] by mailgw01.mediatek.com (envelope-from ) (Generic MTA with TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 256/256) with ESMTP id 1209379289; Sun, 28 Apr 2024 22:29:18 +0800 Received: from mtkmbs13n2.mediatek.inc (172.21.101.108) by mtkmbs11n2.mediatek.inc (172.21.101.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Sun, 28 Apr 2024 22:29:17 +0800 Received: from mbjsdccf07.gcn.mediatek.inc (10.15.20.246) by mtkmbs13n2.mediatek.inc (172.21.101.73) with Microsoft SMTP Server id 15.2.1118.26 via Frontend Transport; Sun, 28 Apr 2024 22:29:16 +0800 From: To: , , , , , CC: , , , Lena Wang Subject: [PATCH net] net: prevent pulling SKB_GSO_FRAGLIST skb Date: Sun, 28 Apr 2024 22:29:13 +0800 Message-ID: <20240428142913.18666-1-shiming.cheng@mediatek.com> X-Mailer: git-send-email 2.18.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain X-MTK: N From: Shiming Cheng BPF or TC callers may pull in a length longer than skb_headlen() for a SKB_GSO_FRAGLIST skb. The data in fraglist will be pulled into the linear space. However it destroys the skb's structure and may result in an invalid segmentation or kernel exception. So we should add protection to stop the operation and return error to remind callers. Fixes: 3a1296a38d0c ("net: Support GRO/GSO fraglist chaining.") Signed-off-by: Shiming Cheng Signed-off-by: Lena Wang --- net/core/skbuff.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index f68f2679b086..2d35e009e814 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -6100,6 +6100,12 @@ EXPORT_SYMBOL(skb_vlan_untag); int skb_ensure_writable(struct sk_buff *skb, unsigned int write_len) { + if (skb_is_gso(skb) && + (skb_shinfo(skb)->gso_type & SKB_GSO_FRAGLIST) && + write_len > skb_headlen(skb)) { + return -ENOMEM; + } + if (!pskb_may_pull(skb, write_len)) return -ENOMEM; -- 2.18.0