shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-03-25 12:00:22 +09:00
Code Issues Packages Projects Releases Wiki Activity

UPSTREAM: esp: limit skb_page_frag_refill use to a single page

Browse Source 
[ Upstream commit 5bd8baab08 ]

Commit ebe48d368e ("esp: Fix possible buffer overflow in ESP
transformation") tried to fix skb_page_frag_refill usage in ESP by
capping allocsize to 32k, but that doesn't completely solve the issue,
as skb_page_frag_refill may return a single page. If that happens, we
will write out of bounds, despite the check introduced in the previous
patch.

This patch forces COW in cases where we would end up calling
skb_page_frag_refill with a size larger than a page (first in
esp_output_head with tailen, then in esp_output_tail with
skb->data_len).

Fixes: cac2661c53 ("esp4: Avoid skb_cow_data whenever possible")
Fixes: 03e2a30f6a ("esp6: Avoid skb_cow_data whenever possible")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit c075c3ea03)
[ resolves a merge conflict mistake in 5.10.113 as pointed out by
  Daniel that was noticed by watching the compiler warnings.]
Reported-by: Daniel Micay <danielmicay@gmail.com>
Bug: 261841282
Reported-by: Robin Peng <robinpeng@google.com>
Reported-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic0c3b752b552a20aa35a9b262ee356e56b264695
This commit is contained in:
Sabrina Dubroca
2022-04-13 10:10:50 +02:00
committed by Treehugger Robot
parent 9cab3b60aa
commit f971863010
3 changed files with 2 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
include/net/esp.h
View File

@@ -4,8 +4,6 @@
#include <linux/skbuff.h>
#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
struct ip_esp_hdr;
static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)

1
net/ipv4/esp4.c
View File

@@ -448,7 +448,6 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
unsigned int allocsz;
/* this is non-NULL only with TCP/UDP Encapsulation */
if (x->encap) {

5
net/ipv6/esp6.c
View File

@@ -483,10 +483,9 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
struct page *page;
struct sk_buff *trailer;
int tailen = esp->tailen;
unsigned int allocsz;
allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
if (allocsz > ESP_SKB_FRAG_MAXSIZE)
if (ALIGN(tailen, L1_CACHE_BYTES) > PAGE_SIZE ||
ALIGN(skb->data_len, L1_CACHE_BYTES) > PAGE_SIZE)
goto cow;
if (x->encap) {