首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

Merge branch 'skb-sgvec-overflow'

Jason A. Donenfeld says:

====================
net: Avoiding stack overflow in skb_to_sgvec

The recent bug with macsec and historical one with virtio have
indicated that letting skb_to_sgvec trounce all over an sglist
without checking the length is probably a bad idea. And it's not
necessary either: an sglist already explicitly marks its last
item, and the initialization functions are diligent in doing so.
Thus there's a clear way of avoiding future overflows.

So, this patchset, from a high level, makes skb_to_sgvec return
a potential error code, and then adjusts all callers to check
for the error code. There are two situations in which skb_to_sgvec
might return such an error:

   1) When the passed in sglist is too small; and
   2) When the passed in skbuff is too deeply nested.

So, the first patch in this series handles the issues with
skb_to_sgvec directly, and the remaining ones then handle the call
sites.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller 8 年之前
父节点
a11227dcc3 e2fcad58fd
当前提交
a619cc8bed
共有 9 个文件被更改,包括 116 次插入54 次删除
分列视图 显示文件统计
  1. 11 2
      drivers/net/macsec.c
  2. 7 2
      drivers/net/virtio_net.c
  3. 4 4
      include/linux/skbuff.h
  4. 42 23
      net/core/skbuff.c
  5. 6 2
      net/ipv4/ah4.c
  6. 13 7
      net/ipv4/esp4.c
  7. 6 2
      net/ipv6/ah6.c
  8. 13 7
      net/ipv6/esp6.c
  9. 14 5
      net/rxrpc/rxkad.c

+ 11 - 2
drivers/net/macsec.c
查看文件 

@@ -740,7 +740,12 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
 
 	macsec_fill_iv(iv, secy->sci, pn);
 
 
 	sg_init_table(sg, ret);
 
-	skb_to_sgvec(skb, sg, 0, skb->len);
 
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 
+	if (unlikely(ret < 0)) {
 
+		macsec_txsa_put(tx_sa);
 
+		kfree_skb(skb);
 
+		return ERR_PTR(ret);
 
+	}
 
 
 	if (tx_sc->encrypt) {
 
 		int len = skb->len - macsec_hdr_len(sci_present) -
 
@@ -947,7 +952,11 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
 
 	macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
 
 
 	sg_init_table(sg, ret);
 
-	skb_to_sgvec(skb, sg, 0, skb->len);
 
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 
+	if (unlikely(ret < 0)) {
 
+		kfree_skb(skb);
 
+		return ERR_PTR(ret);
 
+	}
 
 
 	if (hdr->tci_an & MACSEC_TCI_E) {
 
 		/* confidentiality: ethernet + macsec header

+ 7 - 2
drivers/net/virtio_net.c
查看文件 

@@ -1150,7 +1150,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
 
 	struct virtio_net_hdr_mrg_rxbuf *hdr;
 
 	const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
 
 	struct virtnet_info *vi = sq->vq->vdev->priv;
 
-	unsigned num_sg;
 
+	int num_sg;
 
 	unsigned hdr_len = vi->hdr_len;
 
 	bool can_push;
 
 
@@ -1177,11 +1177,16 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
 
 	if (can_push) {
 
 		__skb_push(skb, hdr_len);
 
 		num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
 
+		if (unlikely(num_sg < 0))
 
+			return num_sg;
 
 		/* Pull header back to avoid skew in tx bytes calculations. */
 
 		__skb_pull(skb, hdr_len);
 
 	} else {
 
 		sg_set_buf(sq->sg, hdr, hdr_len);
 
-		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
 
+		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
 
+		if (unlikely(num_sg < 0))
 
+			return num_sg;
 
+		num_sg++;
 
 	}
 
 	return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
 
 }

+ 4 - 4
include/linux/skbuff.h
查看文件 

@@ -953,10 +953,10 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,
 
 				     unsigned int headroom);
 
 struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
 
 				int newtailroom, gfp_t priority);
 
-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
 
-			int offset, int len);
 
-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
 
-		 int len);
 
+int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
 
+				     int offset, int len);
 
+int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
 
+			      int offset, int len);
 
 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
 
 int skb_pad(struct sk_buff *skb, int pad);
 
 #define dev_kfree_skb(a)	consume_skb(a)

+ 42 - 23
net/core/skbuff.c
查看文件 

@@ -3508,24 +3508,18 @@ void __init skb_init(void)
 
 						NULL);
 
 }
 
 
-/**
 
- *	skb_to_sgvec - Fill a scatter-gather list from a socket buffer
 
- *	@skb: Socket buffer containing the buffers to be mapped
 
- *	@sg: The scatter-gather list to map into
 
- *	@offset: The offset into the buffer's contents to start mapping
 
- *	@len: Length of buffer space to be mapped
 
- *
 
- *	Fill the specified scatter-gather list with mappings/pointers into a
 
- *	region of the buffer space attached to a socket buffer.
 
- */
 
 static int
 
-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
+__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
 
+	       unsigned int recursion_level)
 
 {
 
 	int start = skb_headlen(skb);
 
 	int i, copy = start - offset;
 
 	struct sk_buff *frag_iter;
 
 	int elt = 0;
 
 
+	if (unlikely(recursion_level >= 24))
 
+		return -EMSGSIZE;
 
+
 
 	if (copy > 0) {
 
 		if (copy > len)
 
 			copy = len;
 
@@ -3544,6 +3538,8 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
 		end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
 
 		if ((copy = end - offset) > 0) {
 
 			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
 
+			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
 
+				return -EMSGSIZE;
 
 
 			if (copy > len)
 
 				copy = len;
 
@@ -3558,16 +3554,22 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
 	}
 
 
 	skb_walk_frags(skb, frag_iter) {
 
-		int end;
 
+		int end, ret;
 
 
 		WARN_ON(start > offset + len);
 
 
 		end = start + frag_iter->len;
 
 		if ((copy = end - offset) > 0) {
 
+			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
 
+				return -EMSGSIZE;
 
+
 
 			if (copy > len)
 
 				copy = len;
 
-			elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
 
-					      copy);
 
+			ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
 
+					      copy, recursion_level + 1);
 
+			if (unlikely(ret < 0))
 
+				return ret;
 
+			elt += ret;
 
 			if ((len -= copy) == 0)
 
 				return elt;
 
 			offset += copy;
 
@@ -3578,6 +3580,31 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
 	return elt;
 
 }
 
 
+/**
 
+ *	skb_to_sgvec - Fill a scatter-gather list from a socket buffer
 
+ *	@skb: Socket buffer containing the buffers to be mapped
 
+ *	@sg: The scatter-gather list to map into
 
+ *	@offset: The offset into the buffer's contents to start mapping
 
+ *	@len: Length of buffer space to be mapped
 
+ *
 
+ *	Fill the specified scatter-gather list with mappings/pointers into a
 
+ *	region of the buffer space attached to a socket buffer. Returns either
 
+ *	the number of scatterlist items used, or -EMSGSIZE if the contents
 
+ *	could not fit.
 
+ */
 
+int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
+{
 
+	int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
 
+
 
+	if (nsg <= 0)
 
+		return nsg;
 
+
 
+	sg_mark_end(&sg[nsg - 1]);
 
+
 
+	return nsg;
 
+}
 
+EXPORT_SYMBOL_GPL(skb_to_sgvec);
 
+
 
 /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
 
  * sglist without mark the sg which contain last skb data as the end.
 
  * So the caller can mannipulate sg list as will when padding new data after
 
@@ -3600,19 +3627,11 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
 int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
 
 			int offset, int len)
 
 {
 
-	return __skb_to_sgvec(skb, sg, offset, len);
 
+	return __skb_to_sgvec(skb, sg, offset, len, 0);
 
 }
 
 EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
 
 
-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 
-{
 
-	int nsg = __skb_to_sgvec(skb, sg, offset, len);
 
 
-	sg_mark_end(&sg[nsg - 1]);
 
-
 
-	return nsg;
 
-}
 
-EXPORT_SYMBOL_GPL(skb_to_sgvec);
 
 
 /**
 
  *	skb_cow_data - Check that a socket buffer's data buffers are writable

+ 6 - 2
net/ipv4/ah4.c
查看文件 

@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
 
 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
 
 
 	sg_init_table(sg, nfrags + sglists);
 
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	if (unlikely(err < 0))
 
+		goto out_free;
 
 
 	if (x->props.flags & XFRM_STATE_ESN) {
 
 		/* Attach seqhi sg right after packet payload */
 
@@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	skb_push(skb, ihl);
 
 
 	sg_init_table(sg, nfrags + sglists);
 
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	if (unlikely(err < 0))
 
+		goto out_free;
 
 
 	if (x->props.flags & XFRM_STATE_ESN) {
 
 		/* Attach seqhi sg right after packet payload */

+ 13 - 7
net/ipv4/esp4.c
查看文件 

@@ -377,9 +377,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 
 	esp->esph = esph;
 
 
 	sg_init_table(sg, esp->nfrags);
 
-	skb_to_sgvec(skb, sg,
 
-		     (unsigned char *)esph - skb->data,
 
-		     assoclen + ivlen + esp->clen + alen);
 
+	err = skb_to_sgvec(skb, sg,
 
+		           (unsigned char *)esph - skb->data,
 
+		           assoclen + ivlen + esp->clen + alen);
 
+	if (unlikely(err < 0))
 
+		goto error;
 
 
 	if (!esp->inplace) {
 
 		int allocsize;
 
@@ -403,9 +405,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 
 		spin_unlock_bh(&x->lock);
 
 
 		sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1);
 
-		skb_to_sgvec(skb, dsg,
 
-			     (unsigned char *)esph - skb->data,
 
-			     assoclen + ivlen + esp->clen + alen);
 
+		err = skb_to_sgvec(skb, dsg,
 
+			           (unsigned char *)esph - skb->data,
 
+			           assoclen + ivlen + esp->clen + alen);
 
+		if (unlikely(err < 0))
 
+			goto error;
 
 	}
 
 
 	if ((x->props.flags & XFRM_STATE_ESN))
 
@@ -690,7 +694,9 @@ skip_cow:
 
 	esp_input_set_header(skb, seqhi);
 
 
 	sg_init_table(sg, nfrags);
 
-	skb_to_sgvec(skb, sg, 0, skb->len);
 
+	err = skb_to_sgvec(skb, sg, 0, skb->len);
 
+	if (unlikely(err < 0))
 
+		goto out;
 
 
 	skb->ip_summed = CHECKSUM_NONE;

+ 6 - 2
net/ipv6/ah6.c
查看文件 

@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
 
 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
 
 
 	sg_init_table(sg, nfrags + sglists);
 
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	if (unlikely(err < 0))
 
+		goto out_free;
 
 
 	if (x->props.flags & XFRM_STATE_ESN) {
 
 		/* Attach seqhi sg right after packet payload */
 
@@ -606,7 +608,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
 
 	ip6h->hop_limit   = 0;
 
 
 	sg_init_table(sg, nfrags + sglists);
 
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 
+	if (unlikely(err < 0))
 
+		goto out_free;
 
 
 	if (x->props.flags & XFRM_STATE_ESN) {
 
 		/* Attach seqhi sg right after packet payload */

+ 13 - 7
net/ipv6/esp6.c
查看文件 

@@ -346,9 +346,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 
 	esph = esp_output_set_esn(skb, x, ip_esp_hdr(skb), seqhi);
 
 
 	sg_init_table(sg, esp->nfrags);
 
-	skb_to_sgvec(skb, sg,
 
-		     (unsigned char *)esph - skb->data,
 
-		     assoclen + ivlen + esp->clen + alen);
 
+	err = skb_to_sgvec(skb, sg,
 
+		           (unsigned char *)esph - skb->data,
 
+		           assoclen + ivlen + esp->clen + alen);
 
+	if (unlikely(err < 0))
 
+		goto error;
 
 
 	if (!esp->inplace) {
 
 		int allocsize;
 
@@ -372,9 +374,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 
 		spin_unlock_bh(&x->lock);
 
 
 		sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1);
 
-		skb_to_sgvec(skb, dsg,
 
-			     (unsigned char *)esph - skb->data,
 
-			     assoclen + ivlen + esp->clen + alen);
 
+		err = skb_to_sgvec(skb, dsg,
 
+			           (unsigned char *)esph - skb->data,
 
+			           assoclen + ivlen + esp->clen + alen);
 
+		if (unlikely(err < 0))
 
+			goto error;
 
 	}
 
 
 	if ((x->props.flags & XFRM_STATE_ESN))
 
@@ -618,7 +622,9 @@ skip_cow:
 
 	esp_input_set_header(skb, seqhi);
 
 
 	sg_init_table(sg, nfrags);
 
-	skb_to_sgvec(skb, sg, 0, skb->len);
 
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 
+	if (unlikely(ret < 0))
 
+		goto out;
 
 
 	skb->ip_summed = CHECKSUM_NONE;

+ 14 - 5
net/rxrpc/rxkad.c
查看文件 

@@ -227,7 +227,9 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 
 	len &= ~(call->conn->size_align - 1);
 
 
 	sg_init_table(sg, nsg);
 
-	skb_to_sgvec(skb, sg, 0, len);
 
+	err = skb_to_sgvec(skb, sg, 0, len);
 
+	if (unlikely(err < 0))
 
+		goto out;
 
 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 
 	crypto_skcipher_encrypt(req);
 
 
@@ -324,7 +326,7 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 
 	bool aborted;
 
 	u32 data_size, buf;
 
 	u16 check;
 
-	int nsg;
 
+	int nsg, ret;
 
 
 	_enter("");
 
 
@@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 
 		goto nomem;
 
 
 	sg_init_table(sg, nsg);
 
-	skb_to_sgvec(skb, sg, offset, 8);
 
+	ret = skb_to_sgvec(skb, sg, offset, 8);
 
+	if (unlikely(ret < 0))
 
+		return ret;
 
 
 	/* start the decryption afresh */
 
 	memset(&iv, 0, sizeof(iv));
 
@@ -409,7 +413,7 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 
 	bool aborted;
 
 	u32 data_size, buf;
 
 	u16 check;
 
-	int nsg;
 
+	int nsg, ret;
 
 
 	_enter(",{%d}", skb->len);
 
 
@@ -434,7 +438,12 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 
 	}
 
 
 	sg_init_table(sg, nsg);
 
-	skb_to_sgvec(skb, sg, offset, len);
 
+	ret = skb_to_sgvec(skb, sg, offset, len);
 
+	if (unlikely(ret < 0)) {
 
+		if (sg != _sg)
 
+			kfree(sg);
 
+		return ret;
 
+	}
 
 
 	/* decrypt from the session key */
 
 	token = call->conn->params.key->payload.data[0];