Message ID | 20180212044200.15745-2-daniel.axtens@canonical.com |
---|---|
State | New |
Headers | show |
Series | Fixes for LP: #1715519/CVE 2018-1000026 | expand |
On 02/12/18 05:41, Daniel Axtens wrote: > From: Daniel Axtens <dja@axtens.net> > > BugLink: https://bugs.launchpad.net/bugs/1715519 > CVE-2018-1000026 > > If you take a GSO skb, and split it into packets, will the MAC > length (L2 + L3 + L4 headers + payload) of those packets be small > enough to fit within a given length? > > Move skb_gso_mac_seglen() to skbuff.h with other related functions > like skb_gso_network_seglen() so we can use it, and then create > skb_gso_validate_mac_len to do the full calculation. > > Signed-off-by: Daniel Axtens <dja@axtens.net> > Signed-off-by: David S. Miller <davem@davemloft.net> > (backported from commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90) > [nb: drop GSO_BY_FRAGS case as that isn't introduced until 4.8] > Signed-off-by: Daniel Axtens <daniel.axtens@canonical.com> > --- > include/linux/skbuff.h | 16 ++++++++++++++++ > net/core/skbuff.c | 42 ++++++++++++++++++++++++++++++++++++++++++ > net/sched/sch_tbf.c | 10 ---------- > 3 files changed, 58 insertions(+), 10 deletions(-) > > diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h > index d7383cdb105e..d230827c053f 100644 > --- a/include/linux/skbuff.h > +++ b/include/linux/skbuff.h > @@ -2901,6 +2901,7 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len); > int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen); > void skb_scrub_packet(struct sk_buff *skb, bool xnet); > unsigned int skb_gso_transport_seglen(const struct sk_buff *skb); > +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len); > struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features); > struct sk_buff *skb_vlan_untag(struct sk_buff *skb); > int skb_ensure_writable(struct sk_buff *skb, int write_len); > @@ -3659,5 +3660,20 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb) > return hdr_len + skb_gso_transport_seglen(skb); > } > > +/** > + * skb_gso_mac_seglen - Return length of individual segments of a gso packet > + * > + * @skb: GSO skb > + * > + * skb_gso_mac_seglen is used to determine the real size of the > + * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4 > + * headers (TCP/UDP). > + */ > +static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) > +{ > + unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); > + return hdr_len + skb_gso_transport_seglen(skb); > +} > + > #endif /* __KERNEL__ */ > #endif /* _LINUX_SKBUFF_H */ > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 6c495f0c090e..95c33dbd3a23 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -4337,6 +4337,48 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) > } > EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); > > +/* > + * skb_gso_size_check - check the skb size > + * > + * There are a couple of instances where we have a GSO skb, and we > + * want to determine what size it would be after it is segmented. > + * > + * We might want to check: > + * - L3+L4+payload size (e.g. IP forwarding) > + * - L2+L3+L4+payload size (e.g. sanity check before passing to driver) > + * > + * @seg_len: The segmented length (from skb_gso_*_seglen). > + * > + * @max_len: The maximum permissible length. > + * > + * Returns true if the segmented length <= max length. > + * > + * In upstream this has to consider GSO_BY_FRAGS, but not in this > + * backport. > + */ > +static inline bool skb_gso_size_check(const struct sk_buff *skb, > + unsigned int seg_len, > + unsigned int max_len) { > + const struct skb_shared_info *shinfo = skb_shinfo(skb); The shinfo variable declared above is not used anywhere in the function and could be removed on the backport. Otherwise the backport looks good. Thanks, Kleber > + > + return seg_len <= max_len; > +} > + > +/** > + * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length? > + * > + * @skb: GSO skb > + * @len: length to validate against > + * > + * skb_gso_validate_mac_len validates if a given skb will fit a wanted > + * length once split, including L2, L3 and L4 headers and the payload. > + */ > +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len) > +{ > + return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len); > +} > +EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len); > + > static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) > { > if (skb_cow(skb, skb_headroom(skb)) < 0) { > diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c > index c2fbde742f37..93d6a21b49d3 100644 > --- a/net/sched/sch_tbf.c > +++ b/net/sched/sch_tbf.c > @@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r, > return len; > } > > -/* > - * Return length of individual segments of a gso packet, > - * including all headers (MAC, IP, TCP/UDP) > - */ > -static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) > -{ > - unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); > - return hdr_len + skb_gso_transport_seglen(skb); > -} > - > /* GSO packet is too big, segment it so that tbf can transmit > * each segment in time > */ >
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index d7383cdb105e..d230827c053f 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -2901,6 +2901,7 @@ void skb_split(struct sk_buff *skb, struct sk_buff *skb1, const u32 len); int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen); void skb_scrub_packet(struct sk_buff *skb, bool xnet); unsigned int skb_gso_transport_seglen(const struct sk_buff *skb); +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len); struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features); struct sk_buff *skb_vlan_untag(struct sk_buff *skb); int skb_ensure_writable(struct sk_buff *skb, int write_len); @@ -3659,5 +3660,20 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb) return hdr_len + skb_gso_transport_seglen(skb); } +/** + * skb_gso_mac_seglen - Return length of individual segments of a gso packet + * + * @skb: GSO skb + * + * skb_gso_mac_seglen is used to determine the real size of the + * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4 + * headers (TCP/UDP). + */ +static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) +{ + unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); + return hdr_len + skb_gso_transport_seglen(skb); +} + #endif /* __KERNEL__ */ #endif /* _LINUX_SKBUFF_H */ diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 6c495f0c090e..95c33dbd3a23 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4337,6 +4337,48 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb) } EXPORT_SYMBOL_GPL(skb_gso_transport_seglen); +/* + * skb_gso_size_check - check the skb size + * + * There are a couple of instances where we have a GSO skb, and we + * want to determine what size it would be after it is segmented. + * + * We might want to check: + * - L3+L4+payload size (e.g. IP forwarding) + * - L2+L3+L4+payload size (e.g. sanity check before passing to driver) + * + * @seg_len: The segmented length (from skb_gso_*_seglen). + * + * @max_len: The maximum permissible length. + * + * Returns true if the segmented length <= max length. + * + * In upstream this has to consider GSO_BY_FRAGS, but not in this + * backport. + */ +static inline bool skb_gso_size_check(const struct sk_buff *skb, + unsigned int seg_len, + unsigned int max_len) { + const struct skb_shared_info *shinfo = skb_shinfo(skb); + + return seg_len <= max_len; +} + +/** + * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length? + * + * @skb: GSO skb + * @len: length to validate against + * + * skb_gso_validate_mac_len validates if a given skb will fit a wanted + * length once split, including L2, L3 and L4 headers and the payload. + */ +bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len) +{ + return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len); +} +EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len); + static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) { if (skb_cow(skb, skb_headroom(skb)) < 0) { diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c index c2fbde742f37..93d6a21b49d3 100644 --- a/net/sched/sch_tbf.c +++ b/net/sched/sch_tbf.c @@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r, return len; } -/* - * Return length of individual segments of a gso packet, - * including all headers (MAC, IP, TCP/UDP) - */ -static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb) -{ - unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb); - return hdr_len + skb_gso_transport_seglen(skb); -} - /* GSO packet is too big, segment it so that tbf can transmit * each segment in time */