From: "Jonathan Lemon"
To: "Eric Dumazet"
Cc: "David S. Miller", netdev, "Eric Dumazet", "Greg Kroah-Hartman", "Jonathan Looney", "Neal Cardwell", "Tyler Hicks", "Yuchung Cheng", "Bruce Curtis"
Subject: Re: [PATCH net 1/4] tcp: limit payload size of sacked skbs
Date: Mon, 17 Jun 2019 10:14:12 -0700
In-Reply-To: <20190617170354.37770-2-edumazet@google.com>
References: <20190617170354.37770-1-edumazet@google.com> <20190617170354.37770-2-edumazet@google.com>
X-Mailing-List: netdev@vger.kernel.org

On 17 Jun 2019, at 10:03, Eric Dumazet wrote:

> Jonathan Looney reported that TCP can trigger the following crash
> in tcp_shifted_skb() :
>
> BUG_ON(tcp_skb_pcount(skb) < pcount);
>
> This can happen if the remote peer has advertised the smallest
> MSS that linux TCP accepts : 48
>
> An skb can hold 17 fragments, and each fragment can hold 32KB
> on x86, or 64KB on PowerPC.
>
> This means that the 16bit width of TCP_SKB_CB(skb)->tcp_gso_segs
> can overflow.
>
> Note that tcp_sendmsg() builds skbs with less than 64KB
> of payload, so this problem needs SACK to be enabled.
> SACK blocks allow TCP to coalesce multiple skbs in the retransmit
> queue, thus filling the 17 fragments to maximal capacity.
>
> CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs
>
> Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing")
> Signed-off-by: Eric Dumazet
> Reported-by: Jonathan Looney
> Acked-by: Neal Cardwell
> Reviewed-by: Tyler Hicks

Acked-by: Jonathan Lemon
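A worked model of the arithmetic behind the u16 overflow described in the quoted commit message, and of a coalesce guard in the spirit of the patch title ("limit payload size of sacked skbs"); this is an added example, not code from Eric's patch or from this thread. The 17 fragments, 32KB per fragment on x86 and MSS 48 are the figures quoted above; the 8-byte minimum segment payload (TCP_MIN_GSO_SIZE, i.e. 48 minus 40 bytes of TCP header and option space) is taken from the kernel's tcp.h, and shift_allowed() is a simplified stand-in for the kernel's check, not the kernel function itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Figures quoted in the commit message. */
#define MAX_SKB_FRAGS    17
#define FRAG_SIZE_X86    (32 * 1024)      /* bytes one fragment holds on x86 */
#define TCP_MIN_SND_MSS  48               /* smallest MSS Linux TCP accepts */
/* 40 bytes of TCP header plus option space leave 8 bytes of payload per
 * segment at the minimum MSS (TCP_MIN_GSO_SIZE in the kernel headers). */
#define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - 40)

/* Segments an skb carrying 'len' payload bytes splits into at 'mss',
 * computed exactly (DIV_ROUND_UP) ... */
static uint32_t pcount_exact(uint32_t len, uint32_t mss)
{
    return (len + mss - 1) / mss;
}

/* ... and as a 16-bit tcp_gso_segs field would store it: it silently wraps
 * once the true count exceeds 65535, which is what the BUG_ON later trips on. */
static uint16_t pcount_as_u16(uint32_t len, uint32_t mss)
{
    return (uint16_t)pcount_exact(len, mss);
}

/* Simplified guard for coalescing 'shiftlen' bytes / 'pcount' segments into an
 * skb that already holds 'to_len' bytes / 'to_pcount' segments. Refuses the
 * merge if the result could not be described by a 16-bit segment count, even
 * at the smallest possible segment payload. Modelled on the intent of the
 * fix; not the kernel's code. */
static int shift_allowed(uint32_t to_len, uint32_t to_pcount,
                         uint32_t shiftlen, uint32_t pcount)
{
    if ((uint64_t)to_len + shiftlen >= 65535ULL * TCP_MIN_GSO_SIZE)
        return 0;
    if ((uint64_t)to_pcount + pcount > 65535)
        return 0;
    return 1;
}

int main(void)
{
    uint32_t len = MAX_SKB_FRAGS * FRAG_SIZE_X86;   /* 557056 bytes */
    printf("payload %u: exact pcount %u, stored as u16 %u\n", len,
           pcount_exact(len, TCP_MIN_GSO_SIZE), pcount_as_u16(len, TCP_MIN_GSO_SIZE));
    /* Shifting the 17th fragment into an skb already holding 16 is refused. */
    printf("shift allowed: %d\n",
           shift_allowed(len - FRAG_SIZE_X86, 0, FRAG_SIZE_X86, 0));
    return 0;
}
```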