mirror of
https://github.com/torvalds/linux.git
synced 2024-11-15 08:31:55 +00:00
8bd795fedb
Although commitc2c24edb1d("arm64: csum: Fix pathological zero-length calls") added an early return for zero-length input, syzkaller has popped up with an example of a _negative_ length which causes an undefined shift and an out-of-bounds read: | BUG: KASAN: slab-out-of-bounds in do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | Read of size 4294966928 at addr ffff0000d7ac0170 by task syz-executor412/5975 | | CPU: 0 PID: 5975 Comm: syz-executor412 Not tainted 6.4.0-rc4-syzkaller-g908f31f2a05b #0 | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/25/2023 | Call trace: | dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:233 | show_stack+0x2c/0x44 arch/arm64/kernel/stacktrace.c:240 | __dump_stack lib/dump_stack.c:88 [inline] | dump_stack_lvl+0xd0/0x124 lib/dump_stack.c:106 | print_address_description mm/kasan/report.c:351 [inline] | print_report+0x174/0x514 mm/kasan/report.c:462 | kasan_report+0xd4/0x130 mm/kasan/report.c:572 | kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:187 | __kasan_check_read+0x20/0x30 mm/kasan/shadow.c:31 | do_csum+0x44/0x254 arch/arm64/lib/csum.c:39 | csum_partial+0x30/0x58 lib/checksum.c:128 | gso_make_checksum include/linux/skbuff.h:4928 [inline] | __udp_gso_segment+0xaf4/0x1bc4 net/ipv4/udp_offload.c:332 | udp6_ufo_fragment+0x540/0xca0 net/ipv6/udp_offload.c:47 | ipv6_gso_segment+0x5cc/0x1760 net/ipv6/ip6_offload.c:119 | skb_mac_gso_segment+0x2b4/0x5b0 net/core/gro.c:141 | __skb_gso_segment+0x250/0x3d0 net/core/dev.c:3401 | skb_gso_segment include/linux/netdevice.h:4859 [inline] | validate_xmit_skb+0x364/0xdbc net/core/dev.c:3659 | validate_xmit_skb_list+0x94/0x130 net/core/dev.c:3709 | sch_direct_xmit+0xe8/0x548 net/sched/sch_generic.c:327 | __dev_xmit_skb net/core/dev.c:3805 [inline] | __dev_queue_xmit+0x147c/0x3318 net/core/dev.c:4210 | dev_queue_xmit include/linux/netdevice.h:3085 [inline] | packet_xmit+0x6c/0x318 net/packet/af_packet.c:276 | packet_snd net/packet/af_packet.c:3081 [inline] | packet_sendmsg+0x376c/0x4c98 net/packet/af_packet.c:3113 | sock_sendmsg_nosec net/socket.c:724 [inline] | sock_sendmsg net/socket.c:747 [inline] | __sys_sendto+0x3b4/0x538 net/socket.c:2144 Extend the early return to reject negative lengths as well, aligning our implementation with the generic code in lib/checksum.c Cc: Robin Murphy <robin.murphy@arm.com> Fixes:5777eaed56("arm64: Implement optimised checksum routine") Reported-by: syzbot+4a9f9820bd8d302e22f7@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/000000000000e0e94c0603f8d213@google.com Signed-off-by: Will Deacon <will@kernel.org>
158 lines
4.0 KiB
C
158 lines
4.0 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
// Copyright (C) 2019-2020 Arm Ltd.
|
|
|
|
#include <linux/compiler.h>
|
|
#include <linux/kasan-checks.h>
|
|
#include <linux/kernel.h>
|
|
|
|
#include <net/checksum.h>
|
|
|
|
/* Looks dumb, but generates nice-ish code */
|
|
static u64 accumulate(u64 sum, u64 data)
|
|
{
|
|
__uint128_t tmp = (__uint128_t)sum + data;
|
|
return tmp + (tmp >> 64);
|
|
}
|
|
|
|
/*
|
|
* We over-read the buffer and this makes KASAN unhappy. Instead, disable
|
|
* instrumentation and call kasan explicitly.
|
|
*/
|
|
unsigned int __no_sanitize_address do_csum(const unsigned char *buff, int len)
|
|
{
|
|
unsigned int offset, shift, sum;
|
|
const u64 *ptr;
|
|
u64 data, sum64 = 0;
|
|
|
|
if (unlikely(len <= 0))
|
|
return 0;
|
|
|
|
offset = (unsigned long)buff & 7;
|
|
/*
|
|
* This is to all intents and purposes safe, since rounding down cannot
|
|
* result in a different page or cache line being accessed, and @buff
|
|
* should absolutely not be pointing to anything read-sensitive. We do,
|
|
* however, have to be careful not to piss off KASAN, which means using
|
|
* unchecked reads to accommodate the head and tail, for which we'll
|
|
* compensate with an explicit check up-front.
|
|
*/
|
|
kasan_check_read(buff, len);
|
|
ptr = (u64 *)(buff - offset);
|
|
len = len + offset - 8;
|
|
|
|
/*
|
|
* Head: zero out any excess leading bytes. Shifting back by the same
|
|
* amount should be at least as fast as any other way of handling the
|
|
* odd/even alignment, and means we can ignore it until the very end.
|
|
*/
|
|
shift = offset * 8;
|
|
data = *ptr++;
|
|
#ifdef __LITTLE_ENDIAN
|
|
data = (data >> shift) << shift;
|
|
#else
|
|
data = (data << shift) >> shift;
|
|
#endif
|
|
|
|
/*
|
|
* Body: straightforward aligned loads from here on (the paired loads
|
|
* underlying the quadword type still only need dword alignment). The
|
|
* main loop strictly excludes the tail, so the second loop will always
|
|
* run at least once.
|
|
*/
|
|
while (unlikely(len > 64)) {
|
|
__uint128_t tmp1, tmp2, tmp3, tmp4;
|
|
|
|
tmp1 = *(__uint128_t *)ptr;
|
|
tmp2 = *(__uint128_t *)(ptr + 2);
|
|
tmp3 = *(__uint128_t *)(ptr + 4);
|
|
tmp4 = *(__uint128_t *)(ptr + 6);
|
|
|
|
len -= 64;
|
|
ptr += 8;
|
|
|
|
/* This is the "don't dump the carry flag into a GPR" idiom */
|
|
tmp1 += (tmp1 >> 64) | (tmp1 << 64);
|
|
tmp2 += (tmp2 >> 64) | (tmp2 << 64);
|
|
tmp3 += (tmp3 >> 64) | (tmp3 << 64);
|
|
tmp4 += (tmp4 >> 64) | (tmp4 << 64);
|
|
tmp1 = ((tmp1 >> 64) << 64) | (tmp2 >> 64);
|
|
tmp1 += (tmp1 >> 64) | (tmp1 << 64);
|
|
tmp3 = ((tmp3 >> 64) << 64) | (tmp4 >> 64);
|
|
tmp3 += (tmp3 >> 64) | (tmp3 << 64);
|
|
tmp1 = ((tmp1 >> 64) << 64) | (tmp3 >> 64);
|
|
tmp1 += (tmp1 >> 64) | (tmp1 << 64);
|
|
tmp1 = ((tmp1 >> 64) << 64) | sum64;
|
|
tmp1 += (tmp1 >> 64) | (tmp1 << 64);
|
|
sum64 = tmp1 >> 64;
|
|
}
|
|
while (len > 8) {
|
|
__uint128_t tmp;
|
|
|
|
sum64 = accumulate(sum64, data);
|
|
tmp = *(__uint128_t *)ptr;
|
|
|
|
len -= 16;
|
|
ptr += 2;
|
|
|
|
#ifdef __LITTLE_ENDIAN
|
|
data = tmp >> 64;
|
|
sum64 = accumulate(sum64, tmp);
|
|
#else
|
|
data = tmp;
|
|
sum64 = accumulate(sum64, tmp >> 64);
|
|
#endif
|
|
}
|
|
if (len > 0) {
|
|
sum64 = accumulate(sum64, data);
|
|
data = *ptr;
|
|
len -= 8;
|
|
}
|
|
/*
|
|
* Tail: zero any over-read bytes similarly to the head, again
|
|
* preserving odd/even alignment.
|
|
*/
|
|
shift = len * -8;
|
|
#ifdef __LITTLE_ENDIAN
|
|
data = (data << shift) >> shift;
|
|
#else
|
|
data = (data >> shift) << shift;
|
|
#endif
|
|
sum64 = accumulate(sum64, data);
|
|
|
|
/* Finally, folding */
|
|
sum64 += (sum64 >> 32) | (sum64 << 32);
|
|
sum = sum64 >> 32;
|
|
sum += (sum >> 16) | (sum << 16);
|
|
if (offset & 1)
|
|
return (u16)swab32(sum);
|
|
|
|
return sum >> 16;
|
|
}
|
|
|
|
__sum16 csum_ipv6_magic(const struct in6_addr *saddr,
|
|
const struct in6_addr *daddr,
|
|
__u32 len, __u8 proto, __wsum csum)
|
|
{
|
|
__uint128_t src, dst;
|
|
u64 sum = (__force u64)csum;
|
|
|
|
src = *(const __uint128_t *)saddr->s6_addr;
|
|
dst = *(const __uint128_t *)daddr->s6_addr;
|
|
|
|
sum += (__force u32)htonl(len);
|
|
#ifdef __LITTLE_ENDIAN
|
|
sum += (u32)proto << 24;
|
|
#else
|
|
sum += proto;
|
|
#endif
|
|
src += (src >> 64) | (src << 64);
|
|
dst += (dst >> 64) | (dst << 64);
|
|
|
|
sum = accumulate(sum, src >> 64);
|
|
sum = accumulate(sum, dst >> 64);
|
|
|
|
sum += ((sum >> 32) | (sum << 32));
|
|
return csum_fold((__force __wsum)(sum >> 32));
|
|
}
|
|
EXPORT_SYMBOL(csum_ipv6_magic);
|