From 52ce419fe0eb0e5a73732a53eb0da09c1cfc3a09 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 24 Mar 2022 15:22:44 +0100 Subject: [PATCH] 4.14-stable patches added patches: esp-fix-possible-buffer-overflow-in-esp-transformation.patch --- ...uffer-overflow-in-esp-transformation.patch | 101 ++++++++++++++++++ queue-4.14/series | 1 + 2 files changed, 102 insertions(+) create mode 100644 queue-4.14/esp-fix-possible-buffer-overflow-in-esp-transformation.patch diff --git a/queue-4.14/esp-fix-possible-buffer-overflow-in-esp-transformation.patch b/queue-4.14/esp-fix-possible-buffer-overflow-in-esp-transformation.patch new file mode 100644 index 00000000000..31149857e6f --- /dev/null +++ b/queue-4.14/esp-fix-possible-buffer-overflow-in-esp-transformation.patch @@ -0,0 +1,101 @@ +From ebe48d368e97d007bfeb76fcb065d6cfc4c96645 Mon Sep 17 00:00:00 2001 +From: Steffen Klassert +Date: Mon, 7 Mar 2022 13:11:39 +0100 +Subject: esp: Fix possible buffer overflow in ESP transformation + +From: Steffen Klassert + +commit ebe48d368e97d007bfeb76fcb065d6cfc4c96645 upstream. + +The maximum message size that can be send is bigger than +the maximum site that skb_page_frag_refill can allocate. +So it is possible to write beyond the allocated buffer. + +Fix this by doing a fallback to COW in that case. + +v2: + +Avoid get get_order() costs as suggested by Linus Torvalds. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Reported-by: valis +Signed-off-by: Steffen Klassert +Signed-off-by: Vaibhav Rustagi +Signed-off-by: Greg Kroah-Hartman +--- + include/net/esp.h | 2 ++ + include/net/sock.h | 3 +++ + net/core/sock.c | 3 --- + net/ipv4/esp4.c | 5 +++++ + net/ipv6/esp6.c | 5 +++++ + 5 files changed, 15 insertions(+), 3 deletions(-) + +--- a/include/net/esp.h ++++ b/include/net/esp.h +@@ -4,6 +4,8 @@ + + #include + ++#define ESP_SKB_FRAG_MAXSIZE (PAGE_SIZE << SKB_FRAG_PAGE_ORDER) ++ + struct ip_esp_hdr; + + static inline struct ip_esp_hdr *ip_esp_hdr(const struct sk_buff *skb) +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -2438,4 +2438,7 @@ extern int sysctl_optmem_max; + extern __u32 sysctl_wmem_default; + extern __u32 sysctl_rmem_default; + ++/* On 32bit arches, an skb frag is limited to 2^15 */ ++#define SKB_FRAG_PAGE_ORDER get_order(32768) ++ + #endif /* _SOCK_H */ +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2193,9 +2193,6 @@ static void sk_leave_memory_pressure(str + } + } + +-/* On 32bit arches, an skb frag is limited to 2^15 */ +-#define SKB_FRAG_PAGE_ORDER get_order(32768) +- + /** + * skb_page_frag_refill - check that a page_frag contains enough room + * @sz: minimum size of the fragment we want to get +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -257,6 +257,7 @@ int esp_output_head(struct xfrm_state *x + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; + + /* this is non-NULL only with UDP Encapsulation */ + if (x->encap) { +@@ -266,6 +267,10 @@ int esp_output_head(struct xfrm_state *x + return err; + } + ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; ++ + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { + nfrags = 1; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -223,6 +223,11 @@ int esp6_output_head(struct xfrm_state * + struct page *page; + struct sk_buff *trailer; + int tailen = esp->tailen; ++ unsigned int allocsz; ++ ++ allocsz = ALIGN(skb->data_len + tailen, L1_CACHE_BYTES); ++ if (allocsz > ESP_SKB_FRAG_MAXSIZE) ++ goto cow; + + if (!skb_cloned(skb)) { + if (tailen <= skb_tailroom(skb)) { diff --git a/queue-4.14/series b/queue-4.14/series index 4d0b0d0004e..c8eb6e7f442 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -1,2 +1,3 @@ nfc-st21nfca-fix-potential-buffer-overflows-in-evt_transaction.patch net-ipv6-fix-skb_over_panic-in-__ip6_append_data.patch +esp-fix-possible-buffer-overflow-in-esp-transformation.patch -- 2.47.3