Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-24 05:02:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
9119570039
linux/net/ipv4
History
Arjun Roy 70701b83e2 tcp: Fix uninitialized access in skb frags array for Rx 0cp. 
TCP Receive zerocopy iterates through the SKB queue via
tcp_recv_skb(), acquiring a pointer to an SKB and an offset within
that SKB to read from. From there, it iterates the SKB frags array to
determine which offset to start remapping pages from.

However, this is built on the assumption that the offset read so far
within the SKB is smaller than the SKB length. If this assumption is
violated, we can attempt to read an invalid frags array element, which
would cause a fault.

tcp_recv_skb() can cause such an SKB to be returned when the TCP FIN
flag is set. Therefore, we must guard against this occurrence inside
skb_advance_frag().

One way that we can reproduce this error follows:
1) In a receiver program, call getsockopt(TCP_ZEROCOPY_RECEIVE) with:
char some_array[32 * 1024];
struct tcp_zerocopy_receive zc = {
  .copybuf_address  = (__u64) &some_array[0],
  .copybuf_len = 32 * 1024,
};

2) In a sender program, after a TCP handshake, send the following
sequence of packets:
  i) Seq = [X, X+4000]
  ii) Seq = [X+4000, X+5000]
  iii) Seq = [X+4000, X+5000], Flags = FIN | URG, urgptr=1000

(This can happen without URG, if we have a signal pending, but URG is
a convenient way to reproduce the behaviour).

In this case, the following event sequence will occur on the receiver:

tcp_zerocopy_receive():
-> receive_fallback_to_copy() // copybuf_len >= inq
-> tcp_recvmsg_locked() // reads 5000 bytes, then breaks due to URG
-> tcp_recv_skb() // yields skb with skb->len == offset
-> tcp_zerocopy_set_hint_for_skb()
-> skb_advance_to_frag() // will returns a frags ptr. >= nr_frags
-> find_next_mappable_frag() // will dereference this bad frags ptr.

With this patch, skb_advance_to_frag() will no longer return an
invalid frags pointer, and will return NULL instead, fixing the issue.

Signed-off-by: Arjun Roy <arjunroy@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 05255b823a ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive")
Link: https://lore.kernel.org/r/20211111235215.2605384-1-arjunroy.kdev@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2021-11-12 20:13:28 -08:00
..
bpfilter net: Revert "net: optimize the sockptr_t for unified kernel/user address spaces" 2020-08-10 12:06:44 -07:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2021-10-18 14:05:25 +01:00
af_inet.c net: introduce sk_forward_alloc_get() 2021-10-27 18:20:29 -07:00
ah4.c Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
arp.c net: arp: introduce arp_evict_nocarrier sysctl parameter 2021-11-01 19:57:14 -07:00
bpf_tcp_ca.c bpf: Factor out helpers for ctx access checking 2021-11-01 14:10:00 -07:00
cipso_ipv4.c NET: IPV4: fix error "do not initialise globals to 0" 2021-09-19 12:43:56 +01:00
datagram.c net/ipv4/datagram.c: remove superfluous header files from datagram.c 2021-09-29 11:39:33 +01:00
devinet.c net: arp: introduce arp_evict_nocarrier sysctl parameter 2021-11-01 19:57:14 -07:00
esp4_offload.c xfrm: remove description from xfrm_type struct 2021-06-09 09:38:52 +02:00
esp4.c ipsec: Remove unneeded extra variable in esp4 esp_ssg_unref() 2021-07-20 16:14:23 +02:00
fib_frontend.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
fib_lookup.h ipv4: Fix spelling mistakes 2021-06-07 14:08:30 -07:00
fib_notifier.c net: ipv4: remove superfluous header files from fib_notifier.c 2021-09-28 17:32:56 -07:00
fib_rules.c
fib_semantics.c net: ipv4: Fix rtnexthop len when RTA_FLOW is present 2021-09-24 14:07:10 +01:00
fib_trie.c memcg: enable accounting for IP address and routing-related objects 2021-07-20 06:00:38 -07:00
fou.c fou: remove sparse errors 2021-08-31 12:03:33 +01:00
gre_demux.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
gre_offload.c ip_gre: add csum offload support for gre header 2021-01-29 20:39:14 -08:00
icmp.c icmp: fix icmp_ext_echo_iio parsing in icmp_build_probe 2021-10-14 07:54:47 -07:00
igmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-08-13 06:41:22 -07:00
inet_connection_sock.c tcp: switch orphan_count to bare per-cpu counters 2021-10-15 11:28:34 +01:00
inet_diag.c net: introduce sk_forward_alloc_get() 2021-10-27 18:20:29 -07:00
inet_fragment.c inet: frags: batch fqdir destroy works 2020-12-12 15:08:54 -08:00
inet_hashtables.c tcp: switch orphan_count to bare per-cpu counters 2021-10-15 11:28:34 +01:00
inet_timewait_sock.c net: Use generic ns_common::count 2020-08-19 14:06:36 +02:00
inetpeer.c inetpeer: use div64_ul() and clamp_val() calculate inet_peer_threshold 2021-03-01 13:32:12 -08:00
ip_forward.c
ip_fragment.c
ip_gre.c ip: use dev_addr_set() in tunnels 2021-10-13 09:41:37 -07:00
ip_input.c net: use indirect call helpers for dst_input 2021-02-03 14:51:39 -08:00
ip_options.c net: clean up codestyle for net/ipv4 2020-08-25 06:28:02 -07:00
ip_output.c net: ipv4: Fix the warning for dereference 2021-08-30 12:47:09 +01:00
ip_sockglue.c ipv4: guard IP_MINTTL with a static key 2021-10-25 18:02:14 -07:00
ip_tunnel_core.c net: ip_tunnel: clean up endianness conversions 2021-01-08 19:25:35 -08:00
ip_tunnel.c ip: use dev_addr_set() in tunnels 2021-10-13 09:41:37 -07:00
ip_vti.c ip: use dev_addr_set() in tunnels 2021-10-13 09:41:37 -07:00
ipcomp.c Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
ipconfig.c net: ipconfig: Release the rtnl_lock while waiting for carrier 2021-10-28 14:36:41 +01:00
ipip.c ip: use dev_addr_set() in tunnels 2021-10-13 09:41:37 -07:00
ipmr_base.c
ipmr.c ipmr: Fix indentation issue 2021-07-07 20:52:25 -07:00
Kconfig net: ipv4: remove duplicate "the the" phrase in Kconfig text 2020-08-18 16:02:16 -07:00
Makefile bpf: Clean up sockmap related Kconfigs 2021-02-26 12:28:03 -08:00
metrics.c treewide: rename nla_strlcpy to nla_strscpy. 2020-11-16 08:08:54 -08:00
netfilter.c netfilter: Dissect flow after packet mangling 2021-04-18 22:04:16 +02:00
netlink.c
nexthop.c nexthop: Fix memory leaks in nexthop notification chain listeners 2021-09-23 12:33:22 +01:00
ping.c Revert "Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"" 2021-09-14 14:24:31 +01:00
proc.c tcp: switch orphan_count to bare per-cpu counters 2021-10-15 11:28:34 +01:00
protocol.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
raw_diag.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
raw.c Revert "Revert "ipv4: fix memory leaks in ip_cmsg_send() callers"" 2021-09-14 14:24:31 +01:00
route.c net/ipv4/route.c: remove superfluous header files from route.c 2021-09-20 13:09:06 +01:00
syncookies.c net/ipv4/syncookies.c: remove superfluous header files from syncookies.c 2021-09-21 10:48:47 +01:00
sysctl_net_ipv4.c tcp: remove sk_{tr}x_skb_cache 2021-09-23 12:50:26 +01:00
tcp_bbr.c bpf: Enable TCP congestion control kfunc from modules 2021-10-05 17:07:41 -07:00
tcp_bic.c
tcp_bpf.c bpf, sockmap: Fix race in ingress receive verdict with redirect to self 2021-11-09 00:58:26 +01:00
tcp_cdg.c
tcp_cong.c net: Only allow init netns to set default tcp cong to a restricted algo 2021-05-04 11:58:28 -07:00
tcp_cubic.c bpf: Enable TCP congestion control kfunc from modules 2021-10-05 17:07:41 -07:00
tcp_dctcp.c bpf: Enable TCP congestion control kfunc from modules 2021-10-05 17:07:41 -07:00
tcp_dctcp.h
tcp_diag.c
tcp_fastopen.c net/ipv4/tcp_fastopen.c: remove superfluous header files from tcp_fastopen.c 2021-09-20 13:09:06 +01:00
tcp_highspeed.c
tcp_htcp.c
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: adjust rcv_ssthresh according to sk_reserved_mem 2021-09-30 13:36:46 +01:00
tcp_ipv4.c ipv4: guard IP_MINTTL with a static key 2021-10-25 18:02:14 -07:00
tcp_lp.c ipv4: tcp_lp.c: Couple of typo fixes 2021-03-28 17:31:13 -07:00
tcp_metrics.c fixes-v5.11 2020-12-14 16:40:27 -08:00
tcp_minisocks.c net/ipv4/tcp_minisocks.c: remove superfluous header files from tcp_minisocks.c 2021-09-20 13:09:06 +01:00
tcp_nv.c net/ipv4/tcp_nv.c: remove superfluous header files from tcp_nv.c 2021-09-27 12:47:39 +01:00
tcp_offload.c net, gro: Set inner transport header offset in tcp/udp GRO hook 2021-08-02 10:20:56 +01:00
tcp_output.c tcp: Use BIT() for OPTION_* constants 2021-11-04 11:26:15 +00:00
tcp_rate.c tcp: tracking packets with CE marks in BW rate sample 2021-09-24 14:16:40 +01:00
tcp_recovery.c tcp: more accurately check DSACKs to grow RACK reordering window 2021-07-27 20:07:21 +01:00
tcp_scalable.c net: ipv4: delete repeated words 2020-08-24 17:31:20 -07:00
tcp_timer.c net: sock: introduce sk_error_report 2021-06-29 11:28:21 -07:00
tcp_ulp.c
tcp_vegas.c tcp: use semicolons rather than commas to separate statements 2020-10-13 17:11:52 -07:00
tcp_vegas.h
tcp_veno.c
tcp_westwood.c
tcp_yeah.c tcp_yeah: check struct yeah size at compile time 2021-06-29 11:54:36 -07:00
tcp.c tcp: Fix uninitialized access in skb frags array for Rx 0cp. 2021-11-12 20:13:28 -08:00
tunnel4.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
udp_bpf.c net: Implement ->sock_is_readable() for UDP and AF_UNIX 2021-10-26 12:29:33 -07:00
udp_diag.c net: Use nlmsg_unicast() instead of netlink_unicast() 2021-07-13 09:28:29 -07:00
udp_impl.h
udp_offload.c fou: remove sparse errors 2021-08-31 12:03:33 +01:00
udp_tunnel_core.c net/ipv4/udp_tunnel_core.c: remove superfluous header files from udp_tunnel_core.c 2021-09-21 10:17:20 +01:00
udp_tunnel_nic.c udp_tunnel: Fix udp_tunnel_nic work-queue type 2021-09-13 12:38:45 +01:00
udp_tunnel_stub.c
udp.c include/linux/mm.h: move nr_free_buffer_pages from swap.h to mm.h 2021-11-06 13:30:43 -07:00
udplite.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
xfrm4_input.c
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c net: Remove the member netns_ok 2021-05-17 15:29:35 -07:00
xfrm4_state.c
xfrm4_tunnel.c net/ipv4/xfrm4_tunnel.c: remove superfluous header files from xfrm4_tunnel.c 2021-09-23 10:10:00 +02:00