From patchwork Thu Nov 12 17:26:42 2015
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 543562
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1447349202.22599.30.camel@edumazet-glaptop2.roam.corp.google.com>
Subject: Re: [PATCH stable <= 3.18] net: add length argument to skb_copy_and_csum_datagram_iovec
From: Eric Dumazet
To: Sabrina Dubroca
Cc: David Miller, Greg Kroah-Hartman, Josh Hunt, netdev@vger.kernel.org, herbert@gondor.apana.org.au, stable, hannes@stressinduktion.org
Date: Thu, 12 Nov 2015 09:26:42 -0800
In-Reply-To: <20151112094822.GA21732@bistromath.redhat.com>
References: <20151029100021.GA17588@bistromath.redhat.com> <20151111000352.GA5134@kroah.com> <20151112094822.GA21732@bistromath.redhat.com>
List-ID: netdev@vger.kernel.org

On Thu, 2015-11-12 at 10:48 +0100, Sabrina Dubroca wrote:
> 2015-11-10, 16:03:52 -0800, Greg Kroah-Hartman wrote:
> > On Tue, Nov 10, 2015 at 05:59:26PM -0600, Josh Hunt wrote:
> > > On Thu, Oct 29, 2015 at 5:00 AM, Sabrina Dubroca wrote:
> > > > 2015-10-15, 14:25:03 +0200, Sabrina Dubroca wrote:
> > > >> Without this length argument, we can read past the end of the iovec in
> > > >> memcpy_toiovec because we have no way of knowing the total length of the
> > > >> iovec's buffers.
> > > >>
> > > >> This is needed for stable kernels where 89c22d8c3b27 ("net: Fix skb
> > > >> csum races when peeking") has been backported but that don't have the
> > > >> ioviter conversion, which is almost all the stable trees <= 3.18.
> > > >>
> > > >> This also fixes a kernel crash for NFS servers when the client uses
> > > >> -onfsvers=3,proto=udp to mount the export.
> > > >>
> > > >> Signed-off-by: Sabrina Dubroca
> > > >> Reviewed-by: Hannes Frederic Sowa
> > > >
> > > > Fixes CVE-2015-8019.
> > > > http://www.openwall.com/lists/oss-security/2015/10/29/1
> > > >
> > > > --
> > > > Sabrina
> > > > --
> > > > To unsubscribe from this list: send the line "unsubscribe netdev" in
> > > > the body of a message to majordomo@vger.kernel.org
> > > > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > >
> > > Greg
> > >
> > > Do you have this in your queue? I saw a few other stables pick this
> > > up, but haven't seen it in 3.14 or 3.18 yet. It wasn't clear to me if
> > > this had been fully reviewed yet.
> >
> > I rely on Dave to package up networking stable patches and forward them
> > on to me, that's why you haven't seen it be picked up yet.
> >
> > thanks,
> >
> > greg k-h
>
> David, can you queue this up?
>

Note that the following patch (and corresponding part for ipv6) might
also have solved the issue?

This would supposedly save some cycles when MSG_PEEK is used and the user
provides short buffers.

---
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c index 24ec14f9825c..387acab1ab5c 100644 --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -1272,6 +1272,7 @@ int udp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock, int err; int is_udplite = IS_UDPLITE(sk); bool slow; + bool checksum_valid = false; if (flags & MSG_ERRQUEUE) return ip_recv_error(sk, msg, len, addr_len);
@@ -1296,11 +1297,12 @@ try_again: */ if (copied < ulen || UDP_SKB_CB(skb)->partial_cov) { - if (udp_lib_checksum_complete(skb)) + checksum_valid = !udp_lib_checksum_complete(skb); + if (!checksum_valid) goto csum_copy_err; } - if (skb_csum_unnecessary(skb)) + if (checksum_valid || skb_csum_unnecessary(skb)) err = skb_copy_datagram_msg(skb, sizeof(struct udphdr), msg, copied); else {
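
Review bot: checksum_valid is cleared only at its declaration in the first hunk, above the try_again: label named in the second hunk's header, so the value assigned by "checksum_valid = !udp_lib_checksum_complete(skb);" would carry over to the next skb if any path loops back to try_again after a successful verification. Resetting it to false right after the label, or confirming that no such path exists, would make the "checksum_valid || skb_csum_unnecessary(skb)" test depend only on the current skb. The context lines call skb_copy_datagram_msg, while the thread subject concerns skb_copy_and_csum_datagram_iovec on stable <= 3.18, so it should be stated which tree this diff applies to. The ipv6 counterpart mentioned in the message is not included, and the diff has no changelog or Signed-off-by yet.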