Message ID | 20180226015108.17198-3-daniel.axtens@canonical.com |
---|---|
State | New |
Headers | show |
Series | None | expand |
On 26/02/18 01:51, Daniel Axtens wrote: > From: Daniel Axtens <dja@axtens.net> > > BugLink: https://bugs.launchpad.net/bugs/1715519 > CVE-2018-1000026 > > If a bnx2x card is passed a GSO packet with a gso_size larger than > ~9700 bytes, it will cause a firmware error that will bring the card > down: > > bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert! > bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2 > bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052 > bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1 > ... (dump of values continues) ... > > Detect when the mac length of a GSO packet is greater than the maximum > packet size (9700 bytes) and disable GSO. > > Signed-off-by: Daniel Axtens <dja@axtens.net> > Reviewed-by: Eric Dumazet <edumazet@google.com> > Signed-off-by: David S. Miller <davem@davemloft.net> > (cherry picked from commit 8914a595110a6eca69a5e275b323f5d09e18f4f9) > [nb: the reference to BY_FRAGS does not apply here, it was added in > 4.8] > Signed-off-by: Daniel Axtens <daniel.axtens@canonical.com> > --- > drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c > index 657bdbfada01..433c12e41682 100644 > --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c > +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c > @@ -12809,6 +12809,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, > struct net_device *dev, > netdev_features_t features) > { > + /* > + * A skb with gso_size + header length > 9700 will cause a > + * firmware panic. Drop GSO support. > + * > + * Eventually the upper layer should not pass these packets down. > + * > + * For speed, if the gso_size is <= 9000, assume there will > + * not be 700 bytes of headers and pass it through. Only do a > + * full (slow) validation if the gso_size is > 9000. > + * > + * (Due to the way SKB_BY_FRAGS works this will also do a full > + * validation in that case.) > + */ > + if (unlikely(skb_is_gso(skb) && > + (skb_shinfo(skb)->gso_size > 9000) && > + !skb_gso_validate_mac_len(skb, 9700))) > + features &= ~NETIF_F_GSO_MASK; > + > features = vlan_features_check(skb, features); > return vxlan_features_check(skb, features); > } > Thanks for the fix, looks OK to me. Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c index 657bdbfada01..433c12e41682 100644 --- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c @@ -12809,6 +12809,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb, struct net_device *dev, netdev_features_t features) { + /* + * A skb with gso_size + header length > 9700 will cause a + * firmware panic. Drop GSO support. + * + * Eventually the upper layer should not pass these packets down. + * + * For speed, if the gso_size is <= 9000, assume there will + * not be 700 bytes of headers and pass it through. Only do a + * full (slow) validation if the gso_size is > 9000. + * + * (Due to the way SKB_BY_FRAGS works this will also do a full + * validation in that case.) + */ + if (unlikely(skb_is_gso(skb) && + (skb_shinfo(skb)->gso_size > 9000) && + !skb_gso_validate_mac_len(skb, 9700))) + features &= ~NETIF_F_GSO_MASK; + features = vlan_features_check(skb, features); return vxlan_features_check(skb, features); }