Merge branch 'skb-sgvec-overflow'

Jason A. Donenfeld says: ==================== net: Avoiding stack overflow in skb_to_sgvec The recent bug with macsec and historical one with virtio have indicated that letting skb_to_sgvec trounce all over an sglist without checking the length is probably a bad idea. And it's not necessary either: an sglist already explicitly marks its last item, and the initialization functions are diligent in doing so. Thus there's a clear way of avoiding future overflows. So, this patchset, from a high level, makes skb_to_sgvec return a potential error code, and then adjusts all callers to check for the error code. There are two situations in which skb_to_sgvec might return such an error: 1) When the passed in sglist is too small; and 2) When the passed in skbuff is too deeply nested. So, the first patch in this series handles the issues with skb_to_sgvec directly, and the remaining ones then handle the call sites. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
2017-06-04 23:01:48 -04:00 · 2017-06-04 23:01:48 -04:00 · a619cc8bed
commit a619cc8bed
parent a11227dcc3 e2fcad58fd
9 changed files with 116 additions and 54 deletions
--- a/drivers/net/macsec.c
+++ b/drivers/net/macsec.c
@ -740,7 +740,12 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
 	macsec_fill_iv(iv, secy->sci, pn);
 	sg_init_table(sg, ret);
-	skb_to_sgvec(skb, sg, 0, skb->len);
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 	if (unlikely(ret < 0)) {
 		macsec_txsa_put(tx_sa);
 		kfree_skb(skb);
 		return ERR_PTR(ret);
 	}
 	if (tx_sc->encrypt) {
 		int len = skb->len - macsec_hdr_len(sci_present) -
@ -947,7 +952,11 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
 	macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
 	sg_init_table(sg, ret);
-	skb_to_sgvec(skb, sg, 0, skb->len);
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 	if (unlikely(ret < 0)) {
 		kfree_skb(skb);
 		return ERR_PTR(ret);
 	}
 	if (hdr->tci_an & MACSEC_TCI_E) {
 		/* confidentiality: ethernet + macsec header
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@ -1150,7 +1150,7 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
 	struct virtio_net_hdr_mrg_rxbuf *hdr;
 	const unsigned char *dest = ((struct ethhdr *)skb->data)->h_dest;
 	struct virtnet_info *vi = sq->vq->vdev->priv;
-	unsigned num_sg;
+	int num_sg;
 	unsigned hdr_len = vi->hdr_len;
 	bool can_push;
@ -1177,11 +1177,16 @@ static int xmit_skb(struct send_queue *sq, struct sk_buff *skb)
 	if (can_push) {
 		__skb_push(skb, hdr_len);
 		num_sg = skb_to_sgvec(skb, sq->sg, 0, skb->len);
 		if (unlikely(num_sg < 0))
 			return num_sg;
 		/* Pull header back to avoid skew in tx bytes calculations. */
 		__skb_pull(skb, hdr_len);
 	} else {
 		sg_set_buf(sq->sg, hdr, hdr_len);
-		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len) + 1;
+		num_sg = skb_to_sgvec(skb, sq->sg + 1, 0, skb->len);
 		if (unlikely(num_sg < 0))
 			return num_sg;
 		num_sg++;
 	}
 	return virtqueue_add_outbuf(sq->vq, sq->sg, num_sg, skb, GFP_ATOMIC);
 }
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@ -953,10 +953,10 @@ struct sk_buff *skb_realloc_headroom(struct sk_buff *skb,
 				     unsigned int headroom);
 struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom,
 				int newtailroom, gfp_t priority);
-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
+int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
-			int offset, int len);
+				     int offset, int len);
-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset,
+int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg,
-		 int len);
+			      int offset, int len);
 int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer);
 int skb_pad(struct sk_buff *skb, int pad);
 #define dev_kfree_skb(a)	consume_skb(a)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@ -3508,24 +3508,18 @@ void __init skb_init(void)
 						NULL);
 }
 /**
 *	skb_to_sgvec - Fill a scatter-gather list from a socket buffer
 *	@skb: Socket buffer containing the buffers to be mapped
 *	@sg: The scatter-gather list to map into
 *	@offset: The offset into the buffer's contents to start mapping
 *	@len: Length of buffer space to be mapped
 *
 *	Fill the specified scatter-gather list with mappings/pointers into a
 *	region of the buffer space attached to a socket buffer.
 */
 static int
-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
+__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len,
 	       unsigned int recursion_level)
 {
 	int start = skb_headlen(skb);
 	int i, copy = start - offset;
 	struct sk_buff *frag_iter;
 	int elt = 0;
 	if (unlikely(recursion_level >= 24))
 		return -EMSGSIZE;
 	if (copy > 0) {
 		if (copy > len)
 			copy = len;
@ -3544,6 +3538,8 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 		end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]);
 		if ((copy = end - offset) > 0) {
 			skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
 			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
 				return -EMSGSIZE;
 			if (copy > len)
 				copy = len;
@ -3558,16 +3554,22 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 	}
 	skb_walk_frags(skb, frag_iter) {
-		int end;
+		int end, ret;
 		WARN_ON(start > offset + len);
 		end = start + frag_iter->len;
 		if ((copy = end - offset) > 0) {
 			if (unlikely(elt && sg_is_last(&sg[elt - 1])))
 				return -EMSGSIZE;
 			if (copy > len)
 				copy = len;
-			elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start,
+			ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start,
-					      copy);
+					      copy, recursion_level + 1);
 			if (unlikely(ret < 0))
 				return ret;
 			elt += ret;
 			if ((len -= copy) == 0)
 				return elt;
 			offset += copy;
@ -3578,6 +3580,31 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 	return elt;
 }
 /**
 *	skb_to_sgvec - Fill a scatter-gather list from a socket buffer
 *	@skb: Socket buffer containing the buffers to be mapped
 *	@sg: The scatter-gather list to map into
 *	@offset: The offset into the buffer's contents to start mapping
 *	@len: Length of buffer space to be mapped
 *
 *	Fill the specified scatter-gather list with mappings/pointers into a
 *	region of the buffer space attached to a socket buffer. Returns either
 *	the number of scatterlist items used, or -EMSGSIZE if the contents
 *	could not fit.
 */
 int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 {
 	int nsg = __skb_to_sgvec(skb, sg, offset, len, 0);
 	if (nsg <= 0)
 		return nsg;
 	sg_mark_end(&sg[nsg - 1]);
 	return nsg;
 }
 EXPORT_SYMBOL_GPL(skb_to_sgvec);
 /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given
 * sglist without mark the sg which contain last skb data as the end.
 * So the caller can mannipulate sg list as will when padding new data after
@ -3600,19 +3627,11 @@ __skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg,
 			int offset, int len)
 {
-	return __skb_to_sgvec(skb, sg, offset, len);
+	return __skb_to_sgvec(skb, sg, offset, len, 0);
 }
 EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark);
 int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len)
 {
 	int nsg = __skb_to_sgvec(skb, sg, offset, len);
 	sg_mark_end(&sg[nsg - 1]);
 	return nsg;
 }
 EXPORT_SYMBOL_GPL(skb_to_sgvec);
 /**
 *	skb_cow_data - Check that a socket buffer's data buffers are writable
--- a/net/ipv4/ah4.c
+++ b/net/ipv4/ah4.c
@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
 	sg_init_table(sg, nfrags + sglists);
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 	if (unlikely(err < 0))
 		goto out_free;
 	if (x->props.flags & XFRM_STATE_ESN) {
 		/* Attach seqhi sg right after packet payload */
@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
 	skb_push(skb, ihl);
 	sg_init_table(sg, nfrags + sglists);
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 	if (unlikely(err < 0))
 		goto out_free;
 	if (x->props.flags & XFRM_STATE_ESN) {
 		/* Attach seqhi sg right after packet payload */
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@ -377,9 +377,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 	esp->esph = esph;
 	sg_init_table(sg, esp->nfrags);
-	skb_to_sgvec(skb, sg,
+	err = skb_to_sgvec(skb, sg,
-		     (unsigned char *)esph - skb->data,
+		           (unsigned char *)esph - skb->data,
-		     assoclen + ivlen + esp->clen + alen);
+		           assoclen + ivlen + esp->clen + alen);
 	if (unlikely(err < 0))
 		goto error;
 	if (!esp->inplace) {
 		int allocsize;
@ -403,9 +405,11 @@ int esp_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
 		spin_unlock_bh(&x->lock);
 		sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1);
-		skb_to_sgvec(skb, dsg,
+		err = skb_to_sgvec(skb, dsg,
-			     (unsigned char *)esph - skb->data,
+			           (unsigned char *)esph - skb->data,
-			     assoclen + ivlen + esp->clen + alen);
+			           assoclen + ivlen + esp->clen + alen);
 		if (unlikely(err < 0))
 			goto error;
 	}
 	if ((x->props.flags & XFRM_STATE_ESN))
@ -690,7 +694,9 @@ skip_cow:
 	esp_input_set_header(skb, seqhi);
 	sg_init_table(sg, nfrags);
-	skb_to_sgvec(skb, sg, 0, skb->len);
+	err = skb_to_sgvec(skb, sg, 0, skb->len);
 	if (unlikely(err < 0))
 		goto out;
 	skb->ip_summed = CHECKSUM_NONE;
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
 	ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low);
 	sg_init_table(sg, nfrags + sglists);
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 	if (unlikely(err < 0))
 		goto out_free;
 	if (x->props.flags & XFRM_STATE_ESN) {
 		/* Attach seqhi sg right after packet payload */
@ -606,7 +608,9 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
 	ip6h->hop_limit   = 0;
 	sg_init_table(sg, nfrags + sglists);
-	skb_to_sgvec_nomark(skb, sg, 0, skb->len);
+	err = skb_to_sgvec_nomark(skb, sg, 0, skb->len);
 	if (unlikely(err < 0))
 		goto out_free;
 	if (x->props.flags & XFRM_STATE_ESN) {
 		/* Attach seqhi sg right after packet payload */
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@ -346,9 +346,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 	esph = esp_output_set_esn(skb, x, ip_esp_hdr(skb), seqhi);
 	sg_init_table(sg, esp->nfrags);
-	skb_to_sgvec(skb, sg,
+	err = skb_to_sgvec(skb, sg,
-		     (unsigned char *)esph - skb->data,
+		           (unsigned char *)esph - skb->data,
-		     assoclen + ivlen + esp->clen + alen);
+		           assoclen + ivlen + esp->clen + alen);
 	if (unlikely(err < 0))
 		goto error;
 	if (!esp->inplace) {
 		int allocsize;
@ -372,9 +374,11 @@ int esp6_output_tail(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
 		spin_unlock_bh(&x->lock);
 		sg_init_table(dsg, skb_shinfo(skb)->nr_frags + 1);
-		skb_to_sgvec(skb, dsg,
+		err = skb_to_sgvec(skb, dsg,
-			     (unsigned char *)esph - skb->data,
+			           (unsigned char *)esph - skb->data,
-			     assoclen + ivlen + esp->clen + alen);
+			           assoclen + ivlen + esp->clen + alen);
 		if (unlikely(err < 0))
 			goto error;
 	}
 	if ((x->props.flags & XFRM_STATE_ESN))
@ -618,7 +622,9 @@ skip_cow:
 	esp_input_set_header(skb, seqhi);
 	sg_init_table(sg, nfrags);
-	skb_to_sgvec(skb, sg, 0, skb->len);
+	ret = skb_to_sgvec(skb, sg, 0, skb->len);
 	if (unlikely(ret < 0))
 		goto out;
 	skb->ip_summed = CHECKSUM_NONE;
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@ -227,7 +227,9 @@ static int rxkad_secure_packet_encrypt(const struct rxrpc_call *call,
 	len &= ~(call->conn->size_align - 1);
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, 0, len);
+	err = skb_to_sgvec(skb, sg, 0, len);
 	if (unlikely(err < 0))
 		goto out;
 	skcipher_request_set_crypt(req, sg, sg, len, iv.x);
 	crypto_skcipher_encrypt(req);
@ -324,7 +326,7 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 	bool aborted;
 	u32 data_size, buf;
 	u16 check;
-	int nsg;
+	int nsg, ret;
 	_enter("");
@ -342,7 +344,9 @@ static int rxkad_verify_packet_1(struct rxrpc_call *call, struct sk_buff *skb,
 		goto nomem;
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, 8);
+	ret = skb_to_sgvec(skb, sg, offset, 8);
 	if (unlikely(ret < 0))
 		return ret;
 	/* start the decryption afresh */
 	memset(&iv, 0, sizeof(iv));
@ -409,7 +413,7 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 	bool aborted;
 	u32 data_size, buf;
 	u16 check;
-	int nsg;
+	int nsg, ret;
 	_enter(",{%d}", skb->len);
@ -434,7 +438,12 @@ static int rxkad_verify_packet_2(struct rxrpc_call *call, struct sk_buff *skb,
 	}
 	sg_init_table(sg, nsg);
-	skb_to_sgvec(skb, sg, offset, len);
+	ret = skb_to_sgvec(skb, sg, offset, len);
 	if (unlikely(ret < 0)) {
 		if (sg != _sg)
 			kfree(sg);
 		return ret;
 	}
 	/* decrypt from the session key */
 	token = call->conn->params.key->payload.data[0];