--- /dev/null
+From ebe48d368e97d007bfeb76fcb065d6cfc4c96645 Mon Sep 17 00:00:00 2001
+From: Steffen Klassert <steffen.klassert@secunet.com>
+Date: Mon, 7 Mar 2022 13:11:39 +0100
+Subject: esp: Fix possible buffer overflow in ESP transformation
+
+From: Steffen Klassert <steffen.klassert@secunet.com>
+
+commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream.
+
+The maximum message size that can be send is bigger than
+the maximum site that skb_page_frag_refill can allocate.
+So it is possible to write beyond the allocated buffer.
+
+Fix this by doing a fallback to COW in that case.
+
+v2:
+
+Avoid get get_order() costs as suggested by Linus Torvalds.
+
+Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
+Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible")
+Reported-by: valis <sec@valis.email>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/esp.h | 2 ++
+ include/net/sock.h | 1 +
+ net/ipv4/esp4.c | 5 +++++
+ net/ipv6/esp6.c | 5 +++++
+ 4 files changed, 13 insertions(+)
+
+--- a/include/net/esp.h
++++ b/include/net/esp.h
+@@ -4,6 +4,8 @@
+
+ #include <linux/skbuff.h>
+
++#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER)
++
+ struct ip_esp_hdr;
+
+ static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb)
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -2583,6 +2583,7 @@ extern int sysctl_optmem_max;
+ extern __u32 sysctl_wmem_default;
+ extern __u32 sysctl_rmem_default;
+
++#define SKB_FRAG_PAGE_ORDER get_order(32768)
+ DECLARE_STATIC_KEY_FALSE(net_high_order_alloc_disable_key);
+
+ static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto)
+--- a/net/ipv4/esp4.c
++++ b/net/ipv4/esp4.c
+@@ -277,6 +277,7 @@ int esp_output_head(struct xfrm_state *x
+ struct page *page;
+ struct sk_buff *trailer;
+ int tailen = esp->tailen;
++ unsigned int allocsz;
+
+ /* this is non-NULL only with UDP Encapsulation */
+ if (x->encap) {
+@@ -286,6 +287,10 @@ int esp_output_head(struct xfrm_state *x
+ return err;
+ }
+
++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
++ if (allocsz > ESP_SKB_FRAG_MAXSIZE)
++ goto cow;
++
+ if (!skb_cloned(skb)) {
+ if (tailen <= skb_tailroom(skb)) {
+ nfrags = 1;
+--- a/net/ipv6/esp6.c
++++ b/net/ipv6/esp6.c
+@@ -230,6 +230,7 @@ int esp6_output_head(struct xfrm_state *
+ struct page *page;
+ struct sk_buff *trailer;
+ int tailen = esp->tailen;
++ unsigned int allocsz;
+
+ if (!skb_cloned(skb)) {
+ if (tailen <= skb_tailroom(skb)) {
+@@ -617,6 +618,10 @@ static int esp6_input(struct xfrm_state
+ assoclen += seqhilen;
+ }
+
++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES);
++ if (allocsz > ESP_SKB_FRAG_MAXSIZE)
++ goto cow;
++
+ if (!skb_cloned(skb)) {
+ if (!skb_is_nonlinear(skb)) {
+ nfrags = 1;
projects / thirdparty / kernel / stable-queue.git / commitdiff
