[SRU,X,1/2] net: create skb_gso_validate_mac_len()

Message ID 20180212044200.15745-2-daniel.axtens@canonical.com
State New
Headers show
Series
  • Fixes for LP: #1715519/CVE 2018-1000026
Related show

Commit Message

Daniel Axtens Feb. 12, 2018, 4:41 a.m.
From: Daniel Axtens <dja@axtens.net>

BugLink: https://bugs.launchpad.net/bugs/1715519
CVE-2018-1000026

If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?

Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
(backported from commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90)
[nb: drop GSO_BY_FRAGS case as that isn't introduced until 4.8]
Signed-off-by: Daniel Axtens <daniel.axtens@canonical.com>
---
 include/linux/skbuff.h | 16 ++++++++++++++++
 net/core/skbuff.c      | 42 ++++++++++++++++++++++++++++++++++++++++++
 net/sched/sch_tbf.c    | 10 ----------
 3 files changed, 58 insertions(+), 10 deletions(-)

Comments

Kleber Souza Feb. 23, 2018, 8:56 a.m. | #1
On 02/12/18 05:41, Daniel Axtens wrote:
> From: Daniel Axtens <dja@axtens.net>
> 
> BugLink: https://bugs.launchpad.net/bugs/1715519
> CVE-2018-1000026
> 
> If you take a GSO skb, and split it into packets, will the MAC
> length (L2 + L3 + L4 headers + payload) of those packets be small
> enough to fit within a given length?
> 
> Move skb_gso_mac_seglen() to skbuff.h with other related functions
> like skb_gso_network_seglen() so we can use it, and then create
> skb_gso_validate_mac_len to do the full calculation.
> 
> Signed-off-by: Daniel Axtens <dja@axtens.net>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> (backported from commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90)
> [nb: drop GSO_BY_FRAGS case as that isn't introduced until 4.8]
> Signed-off-by: Daniel Axtens <daniel.axtens@canonical.com>
> ---
>  include/linux/skbuff.h | 16 ++++++++++++++++
>  net/core/skbuff.c      | 42 ++++++++++++++++++++++++++++++++++++++++++
>  net/sched/sch_tbf.c    | 10 ----------
>  3 files changed, 58 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> index d7383cdb105e..d230827c053f 100644
> --- a/include/linux/skbuff.h
> +++ b/include/linux/skbuff.h
> @@ -2901,6 +2901,7 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);
>  int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
>  void skb_scrub_packet(struct sk_buff *skb, bool xnet);
>  unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
> +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
>  struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
>  struct sk_buff *skb_vlan_untag(struct sk_buff *skb);
>  int skb_ensure_writable(struct sk_buff *skb, int write_len);
> @@ -3659,5 +3660,20 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
>  	return hdr_len + skb_gso_transport_seglen(skb);
>  }
>  
> +/**
> + * skb_gso_mac_seglen - Return length of individual segments of a gso packet
> + *
> + * @skb: GSO skb
> + *
> + * skb_gso_mac_seglen is used to determine the real size of the
> + * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
> + * headers (TCP/UDP).
> + */
> +static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
> +{
> +	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
> +	return hdr_len + skb_gso_transport_seglen(skb);
> +}
> +
>  #endif	/* __KERNEL__ */
>  #endif	/* _LINUX_SKBUFF_H */
> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
> index 6c495f0c090e..95c33dbd3a23 100644
> --- a/net/core/skbuff.c
> +++ b/net/core/skbuff.c
> @@ -4337,6 +4337,48 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
>  }
>  EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
>  
> +/*
> + * skb_gso_size_check - check the skb size
> + *
> + * There are a couple of instances where we have a GSO skb, and we
> + * want to determine what size it would be after it is segmented.
> + *
> + * We might want to check:
> + * -    L3+L4+payload size (e.g. IP forwarding)
> + * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
> + *
> + * @seg_len: The segmented length (from skb_gso_*_seglen).
> + *
> + * @max_len: The maximum permissible length.
> + *
> + * Returns true if the segmented length <= max length.
> + *
> + * In upstream this has to consider GSO_BY_FRAGS, but not in this
> + * backport.
> + */
> +static inline bool skb_gso_size_check(const struct sk_buff *skb,
> +				      unsigned int seg_len,
> +				      unsigned int max_len) {
> +	const struct skb_shared_info *shinfo = skb_shinfo(skb);

The shinfo variable declared above is not used anywhere in the function
and could be removed on the backport.

Otherwise the backport looks good.


Thanks,
Kleber

> +
> +	return seg_len <= max_len;
> +}
> +
> +/**
> + * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
> + *
> + * @skb: GSO skb
> + * @len: length to validate against
> + *
> + * skb_gso_validate_mac_len validates if a given skb will fit a wanted
> + * length once split, including L2, L3 and L4 headers and the payload.
> + */
> +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
> +{
> +	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
> +}
> +EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
> +
>  static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
>  {
>  	if (skb_cow(skb, skb_headroom(skb)) < 0) {
> diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
> index c2fbde742f37..93d6a21b49d3 100644
> --- a/net/sched/sch_tbf.c
> +++ b/net/sched/sch_tbf.c
> @@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,
>  	return len;
>  }
>  
> -/*
> - * Return length of individual segments of a gso packet,
> - * including all headers (MAC, IP, TCP/UDP)
> - */
> -static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
> -{
> -	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
> -	return hdr_len + skb_gso_transport_seglen(skb);
> -}
> -
>  /* GSO packet is too big, segment it so that tbf can transmit
>   * each segment in time
>   */
>

Patch

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index d7383cdb105e..d230827c053f 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2901,6 +2901,7 @@  void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len);
 int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
 void skb_scrub_packet(struct sk_buff *skb, bool xnet);
 unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
+bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
 struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
 struct sk_buff *skb_vlan_untag(struct sk_buff *skb);
 int skb_ensure_writable(struct sk_buff *skb, int write_len);
@@ -3659,5 +3660,20 @@  static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
 	return hdr_len + skb_gso_transport_seglen(skb);
 }
 
+/**
+ * skb_gso_mac_seglen - Return length of individual segments of a gso packet
+ *
+ * @skb: GSO skb
+ *
+ * skb_gso_mac_seglen is used to determine the real size of the
+ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
+ * headers (TCP/UDP).
+ */
+static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
+{
+	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+	return hdr_len + skb_gso_transport_seglen(skb);
+}
+
 #endif	/* __KERNEL__ */
 #endif	/* _LINUX_SKBUFF_H */
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 6c495f0c090e..95c33dbd3a23 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4337,6 +4337,48 @@  unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
 
+/*
+ * skb_gso_size_check - check the skb size
+ *
+ * There are a couple of instances where we have a GSO skb, and we
+ * want to determine what size it would be after it is segmented.
+ *
+ * We might want to check:
+ * -    L3+L4+payload size (e.g. IP forwarding)
+ * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
+ *
+ * @seg_len: The segmented length (from skb_gso_*_seglen).
+ *
+ * @max_len: The maximum permissible length.
+ *
+ * Returns true if the segmented length <= max length.
+ *
+ * In upstream this has to consider GSO_BY_FRAGS, but not in this
+ * backport.
+ */
+static inline bool skb_gso_size_check(const struct sk_buff *skb,
+				      unsigned int seg_len,
+				      unsigned int max_len) {
+	const struct skb_shared_info *shinfo = skb_shinfo(skb);
+
+	return seg_len <= max_len;
+}
+
+/**
+ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
+ *
+ * @skb: GSO skb
+ * @len: length to validate against
+ *
+ * skb_gso_validate_mac_len validates if a given skb will fit a wanted
+ * length once split, including L2, L3 and L4 headers and the payload.
+ */
+bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
+{
+	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
+}
+EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
+
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
 	if (skb_cow(skb, skb_headroom(skb)) < 0) {
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index c2fbde742f37..93d6a21b49d3 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -142,16 +142,6 @@  static u64 psched_ns_t2l(const struct psched_ratecfg *r,
 	return len;
 }
 
-/*
- * Return length of individual segments of a gso packet,
- * including all headers (MAC, IP, TCP/UDP)
- */
-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
-{
-	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
-	return hdr_len + skb_gso_transport_seglen(skb);
-}
-
 /* GSO packet is too big, segment it so that tbf can transmit
  * each segment in time
  */