From: Greg Kroah-Hartman Date: Thu, 24 Mar 2022 14:22:58 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.9.309~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=008f1927ce8c1cf1fe546818e3accd71a2f5cb18;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: esp-fix-possible-buffer-overflow-in-esp-transformation.patch --- diff --git a/queue-4.19/esp-fix-possible-buffer-overflow-in-esp-transformation.patch b/queue-4.19/esp-fix-possible-buffer-overflow-in-esp-transformation.patch new file mode 100644 index 00000000000..bad9adfc090 --- /dev/null +++ b/queue-4.19/esp-fix-possible-buffer-overflow-in-esp-transformation.patch @@ -0,0 +1,103 @@ +From ebe48d368e97d007bfeb76fcb065d6cfc4c96645 Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Mon, 7 Mar 2022 13:11:39 +0100 +Subject: esp: Fix possible buffer overflow in ESP transformation + +From: Steffen Klassert + +commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream. + +The maximum message size that can be send is bigger than +the maximum site that skb_page_frag_refill can allocate. +So it is possible to write beyond the allocated buffer. + +Fix this by doing a fallback to COW in that case. + +v2: + +Avoid get get_order() costs as suggested by Linus Torvalds. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Reported-by: valis +Signed-off-by: Steffen Klassert +Signed-off-by: Vaibhav Rustagi +Signed-off-by: Greg Kroah-Hartman +--- + include/net/esp.h | 2 ++ + include/net/sock.h | 3 +++ + net/core/sock.c | 3 --- + net/ipv4/esp4.c | 5 +++++ + net/ipv6/esp6.c | 5 +++++ + 5 files changed, 15 insertions(+), 3 deletions(-) + +--- a/include/net/esp.h ++++ b/include/net/esp.h +@@ -4,6 +4,8 @@ + + #include + ++#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) ++ + struct ip_esp_hdr; + + static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2518,6 +2518,9 @@ extern int sysctl_optmem_max; + extern __u32 sysctl_wmem_default; + extern __u32 sysctl_rmem_default; + ++/* On 32bit arches, an skb frag is limited to 2^15 */ ++#define SKB_FRAG_PAGE_ORDER get_order(32768) ++ + static inline int sk_get_wmem0(const struct sock *sk, const struct proto *proto) + { + /* Does this proto have per netns sysctl_wmem ? */ +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2207,9 +2207,6 @@ static void sk_leave_memory_pressure(str + } + } + +-/* On 32bit arches, an skb frag is limited to 2^15 */ +-#define SKB_FRAG_PAGE_ORDER get_order(32768) +- + /** + * skb_page_frag_refill - check that a page_frag contains enough room + * @sz: minimum size of the fragment we want to get +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -275,6 +275,7 @@ int esp_output_head(struct xfrm_state *x + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; + + /* this is non-NULL only with UDP Encapsulation */ + if (x->encap) { +@@ -284,6 +285,10 @@ int esp_output_head(struct xfrm_state *x + return err; + } + ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -241,6 +241,11 @@ int esp6_output_head(struct xfrm_state * + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; ++ ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; + + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { diff --git a/queue-4.19/series b/queue-4.19/series index 4d0b0d0004e..c8eb6e7f442 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,2 +1,3 @@ nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch +esp-fix-possible-buffer-overflow-in-esp-transformation.patch