--- /dev/null
+From ebe48d368e97d007bfeb76fcb065d6cfc4c96645 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Mon, 7 Mar 2022 13:11:39 +0100
+Subject: esp: Fix possible buffer overflow in ESP transformation
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.
+
+The maximum message size that can be send is bigger than
+the maximum site that skb_page_frag_refill can allocate.
+So it is possible to write beyond the allocated buffer.
+
+Fix this by doing a fallback to COW in that case.
+
+v2:
+
+Avoid get get_order() costs as suggested by Linus Torvalds.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Reported-by: valis <sec@valis.email>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/esp.h | 2 ++
+ include/net/sock.h | 3 +++
+ net/core/sock.c | 3 ---
+ net/ipv4/esp4.c | 5 +++++
+ net/ipv6/esp6.c | 5 +++++
+ 5 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/include/net/esp.h
++++ b/include/net/esp.h
+@@ -4,6 +4,8 @@
+
+ #include <linux/skbuff.h>
+
++#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
++
+ struct ip_esp_hdr;
+
+ static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2518,6 +2518,9 @@ extern int sysctl_optmem_max;
+ extern __u32 sysctl_wmem_default;
+ extern __u32 sysctl_rmem_default;
+
++/* On 32bit arches, an skb frag is limited to 2^15 */
++#define SKB_FRAG_PAGE_ORDER get_order(32768)
++
+ static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
+ {
+ /* Does this proto have per netns sysctl_wmem ? */
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2207,9 +2207,6 @@ static void sk_leave_memory_pressure(str
+ }
+ }
+
+-/* On 32bit arches, an skb frag is limited to 2^15 */
+-#define SKB_FRAG_PAGE_ORDER get_order(32768)
+-
+ /**
+ * skb_page_frag_refill - check that a page_frag contains enough room
+ * @sz: minimum size of the fragment we want to get
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -275,6 +275,7 @@ int esp_output_head(struct xfrm_state *x
+ struct page *page;
+ struct sk_buff *trailer;
+ int tailen = esp->tailen;
++ unsigned int allocsz;
+
+ /* this is non-NULL only with UDP Encapsulation */
+ if (x->encap) {
+@@ -284,6 +285,10 @@ int esp_output_head(struct xfrm_state *x
+ return err;
+ }
+
++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
++ if (allocsz > ESP_SKB_FRAG_MAXSIZE)
++ goto cow;
++
+ if (!skb_cloned(skb)) {
+ if (tailen <= skb_tailroom(skb)) {
+ nfrags = 1;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -241,6 +241,11 @@ int esp6_output_head(struct xfrm_state *
+ struct page *page;
+ struct sk_buff *trailer;
+ int tailen = esp->tailen;
++ unsigned int allocsz;
++
++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
++ if (allocsz > ESP_SKB_FRAG_MAXSIZE)
++ goto cow;
+
+ if (!skb_cloned(skb)) {
+ if (tailen <= skb_tailroom(skb)) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
