From patchwork Tue May 9 23:50:42 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1779143
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Kinetic/Jammy][PATCH 2/2] net/sched: act_mirred: better wording on protection against excessive stack growth
Date: Tue, 9 May 2023 19:50:42 -0400
Message-Id: <20230509235043.69974-5-yuxuan.luo@canonical.com>
In-Reply-To: <20230509235043.69974-1-yuxuan.luo@canonical.com>
References: <20230509235043.69974-1-yuxuan.luo@canonical.com>

From: Davide Caratti

with commit e2ca070f89ec ("net: sched: protect against stack overflow in TC
act_mirred"), act_mirred protected itself against excessive stack growth
using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
to MIRRED_RECURSION_LIMIT. However, such protection does not detect
recursion/loops in case the packet is enqueued to the backlog (for example,
when the mirred target device has RPS or skb timestamping enabled). Change
the wording from "recursion" to "nesting" to make it more clear to readers.

CC: Jamal Hadi Salim
Signed-off-by: Davide Caratti
Reviewed-by: Marcelo Ricardo Leitner
Acked-by: Jamal Hadi Salim
Signed-off-by: Paolo Abeni
(cherry picked from commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f)
CVE-2022-4269
Signed-off-by: Yuxuan Luo
--- net/sched/act_mirred.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index 66f9078e7c087..4515c427ea038 100644 --- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c @@ -28,8 +28,8 @@ static LIST_HEAD(mirred_list); static DEFINE_SPINLOCK(mirred_list_lock); -#define MIRRED_RECURSION_LIMIT 4 -static DEFINE_PER_CPU(unsigned int, mirred_rec_level); +#define MIRRED_NEST_LIMIT 4 +static DEFINE_PER_CPU(unsigned int, mirred_nest_level); static bool tcf_mirred_is_act_redirect(int action) { @@ -232,7 +232,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, struct sk_buff *skb2 = skb; bool m_mac_header_xmit; struct net_device *dev; - unsigned int rec_level; + unsigned int nest_level; int retval, err = 0; bool use_reinsert; bool want_ingress; @@ -243,11 +243,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, int mac_len; bool at_nh; - rec_level = __this_cpu_inc_return(mirred_rec_level); - if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) { + nest_level = __this_cpu_inc_return(mirred_nest_level); + if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", netdev_name(skb->dev)); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_SHOT; } @@ -317,7 +317,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, err = tcf_mirred_forward(res->ingress, skb); if (err) tcf_action_inc_overlimit_qstats(&m->common); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_CONSUMED; } } @@ -329,7 +329,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (tcf_mirred_is_act_redirect(m_eaction)) retval = TC_ACT_SHOT; } - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return retval; }
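Review bot: MIRRED_NEST_LIMIT and mirred_nest_level in the @@ -28,8 +28,8 @@ hunk carry no comment, so the distinction the commit message draws lives only in the changelog: the per-CPU counter caps nested calls to tcf_mirred_act() to bound stack growth, and it does not catch a packet that loops through the backlog. A short comment above the define stating what is counted and what is not covered would keep a later reader from treating the value 4 as a loop guard.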
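Review bot: In the @@ -243,11 +243,11 @@ hunk of tcf_mirred_act(), the net_warn_ratelimited() string still reads "Packet exceeded mirred recursion limit on dev %s" although the value it reports on is now nest_level checked against MIRRED_NEST_LIMIT. That log line is the one place an operator reads this wording, and the commit message says the check bounds nesting and does not detect recursion or loops via the backlog. Either change the string to "nesting limit", or say in the commit message that it is deliberately left unchanged so existing log matching keeps working.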
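Review bot: The @@ -317,7 +317,7 @@ and @@ -329,7 +329,7 @@ hunks, together with the limit-exceeded path, show three separate __this_cpu_dec(mirred_nest_level) sites, one before each return. The counter stays balanced only if every return after __this_cpu_inc_return() pairs with one of them, and a missed decrement would leave the per-CPU level raised so that later packets on that CPU reach the TC_ACT_SHOT branch sooner. A rename-only cherry-pick should not restructure this, but it is worth confirming against the target tree that no other return path exists between the increment and these decrements in the Kinetic and Jammy versions of the function.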