* [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes
@ 2019-02-14 10:31 Jack Wang
  2019-02-14 10:31 ` [stable-4.9 && 4.14 1/2] net: create skb_gso_validate_mac_len() Jack Wang
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Jack Wang @ 2019-02-14 10:31 UTC (permalink / raw)
  To: gregkh, stable

Hi Greg,

This is a clean cherry-pick from upstream 4.16 for CVE 2018-1000026.

Other OS vendors have the fixes in their kernels[1][2], but not yet in upstream
stable tree for 4.9 and 4.14.

Compile tested with 4.14.93.

Please consider including them.

Thanks,
Jack Wang

Linux Kernel Developer @ 1&1 IONOS Cloud GmbH

[1] https://bugs.launchpad.net/bugs/cve/2018-1000026
[2] https://access.redhat.com/security/cve/cve-2018-1000026


Daniel Axtens (2):
  net: create skb_gso_validate_mac_len()
  bnx2x: disable GSO where gso_size is too big for hardware

 .../net/ethernet/broadcom/bnx2x/bnx2x_main.c  | 18 ++++++
 include/linux/skbuff.h                        | 16 +++++
 net/core/skbuff.c                             | 63 +++++++++++++++----
 net/sched/sch_tbf.c                           | 10 ---
 4 files changed, 84 insertions(+), 23 deletions(-)

-- 
2.17.1



* [stable-4.9 && 4.14 1/2] net: create skb_gso_validate_mac_len()
  2019-02-14 10:31 [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes Jack Wang
@ 2019-02-14 10:31 ` Jack Wang
  2019-02-14 10:31 ` [stable-4.9 && 4.14 2/2] bnx2x: disable GSO where gso_size is too big for hardware Jack Wang
  2019-02-17 19:26 ` [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Jack Wang @ 2019-02-14 10:31 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Daniel Axtens, David S . Miller, Jack Wang

From: Daniel Axtens <dja@axtens.net>

commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream

If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?

Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[jwang: cherry pick for CVE-2018-1000026]
Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
---
 include/linux/skbuff.h | 16 +++++++++++
 net/core/skbuff.c      | 63 +++++++++++++++++++++++++++++++++---------
 net/sched/sch_tbf.c    | 10 -------
 3 files changed, 66 insertions(+), 23 deletions(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 39c2570ddcf6..50a4a5968f3a 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3317,6 +3317,7 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen);
 void skb_scrub_packet(struct sk_buff *skb, bool xnet);
 unsigned int skb_gso_transport_seglen(const struct sk_buff *skb);
 bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu);
+bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len);
 struct sk_buff *skb_segment(struct sk_buff *skb, netdev_features_t features);
 struct sk_buff *skb_vlan_untag(struct sk_buff *skb);
 int skb_ensure_writable(struct sk_buff *skb, int write_len);
@@ -4087,6 +4088,21 @@ static inline unsigned int skb_gso_network_seglen(const struct sk_buff *skb)
 	return hdr_len + skb_gso_transport_seglen(skb);
 }
 
+/**
+ * skb_gso_mac_seglen - Return length of individual segments of a gso packet
+ *
+ * @skb: GSO skb
+ *
+ * skb_gso_mac_seglen is used to determine the real size of the
+ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
+ * headers (TCP/UDP).
+ */
+static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
+{
+	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+	return hdr_len + skb_gso_transport_seglen(skb);
+}
+
 /* Local Checksum Offload.
  * Compute outer checksum based on the assumption that the
  * inner checksum will be offloaded later.
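
Review bot: the kernel-doc for skb_gso_mac_seglen() does not state its precondition. `skb_transport_header(skb) - skb_mac_header(skb)` is a pointer difference stored in an unsigned int, so the result is only meaningful when both the MAC and transport header offsets are set and the transport header lies after the MAC header. While this was a file-local static in sch_tbf.c the contract was implicit to one file; as a static inline in skbuff.h it is callable from any driver, so the comment should say so. Style: add a blank line between the hdr_len declaration and the return statement.
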
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 873032d1a083..6dbd2c54b2c9 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4930,37 +4930,74 @@ unsigned int skb_gso_transport_seglen(const struct sk_buff *skb)
 EXPORT_SYMBOL_GPL(skb_gso_transport_seglen);
 
 /**
- * skb_gso_validate_mtu - Return in case such skb fits a given MTU
+ * skb_gso_size_check - check the skb size, considering GSO_BY_FRAGS
  *
- * @skb: GSO skb
- * @mtu: MTU to validate against
+ * There are a couple of instances where we have a GSO skb, and we
+ * want to determine what size it would be after it is segmented.
  *
- * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
- * once split.
+ * We might want to check:
+ * -    L3+L4+payload size (e.g. IP forwarding)
+ * - L2+L3+L4+payload size (e.g. sanity check before passing to driver)
+ *
+ * This is a helper to do that correctly considering GSO_BY_FRAGS.
+ *
+ * @seg_len: The segmented length (from skb_gso_*_seglen). In the
+ *           GSO_BY_FRAGS case this will be [header sizes + GSO_BY_FRAGS].
+ *
+ * @max_len: The maximum permissible length.
+ *
+ * Returns true if the segmented length <= max length.
  */
-bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
-{
+static inline bool skb_gso_size_check(const struct sk_buff *skb,
+				      unsigned int seg_len,
+				      unsigned int max_len) {
 	const struct skb_shared_info *shinfo = skb_shinfo(skb);
 	const struct sk_buff *iter;
-	unsigned int hlen;
-
-	hlen = skb_gso_network_seglen(skb);
 
 	if (shinfo->gso_size != GSO_BY_FRAGS)
-		return hlen <= mtu;
+		return seg_len <= max_len;
 
 	/* Undo this so we can re-use header sizes */
-	hlen -= GSO_BY_FRAGS;
+	seg_len -= GSO_BY_FRAGS;
 
 	skb_walk_frags(skb, iter) {
-		if (hlen + skb_headlen(iter) > mtu)
+		if (seg_len + skb_headlen(iter) > max_len)
 			return false;
 	}
 
 	return true;
 }
+
+/**
+ * skb_gso_validate_mtu - Return in case such skb fits a given MTU
+ *
+ * @skb: GSO skb
+ * @mtu: MTU to validate against
+ *
+ * skb_gso_validate_mtu validates if a given skb will fit a wanted MTU
+ * once split.
+ */
+bool skb_gso_validate_mtu(const struct sk_buff *skb, unsigned int mtu)
+{
+	return skb_gso_size_check(skb, skb_gso_network_seglen(skb), mtu);
+}
 EXPORT_SYMBOL_GPL(skb_gso_validate_mtu);
 
+/**
+ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
+ *
+ * @skb: GSO skb
+ * @len: length to validate against
+ *
+ * skb_gso_validate_mac_len validates if a given skb will fit a wanted
+ * length once split, including L2, L3 and L4 headers and the payload.
+ */
+bool skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
+{
+	return skb_gso_size_check(skb, skb_gso_mac_seglen(skb), len);
+}
+EXPORT_SYMBOL_GPL(skb_gso_validate_mac_len);
+
 static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb)
 {
 	int mac_len;
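
Review bot: the kernel-doc block for skb_gso_size_check() describes @seg_len and @max_len but leaves @skb undocumented, and it places the parameter descriptions after the free-text body instead of directly under the summary line; add an @skb line and move the parameters up so the block matches the two functions below it. The opening brace in `unsigned int max_len) {` should be on its own line for a function definition. On the logic, `seg_len -= GSO_BY_FRAGS` is correct only when the caller built seg_len from one of the skb_gso_*_seglen() helpers; seg_len is unsigned, so any other input wraps and the later `seg_len + skb_headlen(iter) > max_len` comparison becomes meaningless. Keeping the helper static with exactly these two wrappers is the right containment, and the comment should say that callers must not pass an arbitrary length.
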
diff --git a/net/sched/sch_tbf.c b/net/sched/sch_tbf.c
index b36ecb58aa6e..107cc76b6e24 100644
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct psched_ratecfg *r,
 	return len;
 }
 
-/*
- * Return length of individual segments of a gso packet,
- * including all headers (MAC, IP, TCP/UDP)
- */
-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
-{
-	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
-	return hdr_len + skb_gso_transport_seglen(skb);
-}
-
 /* GSO packet is too big, segment it so that tbf can transmit
  * each segment in time
  */
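
Review bot: skb_gso_mac_seglen() is defined under the same name in the lines removed here and in the new static inline added to include/linux/skbuff.h, so this hunk cannot be dropped or deferred independently when resolving conflicts on 4.9 or 4.14. If the skbuff.h hunk applies and this one is skipped, sch_tbf.c ends up with two definitions of the same function. Worth a build of net/sched/sch_tbf.c on each target tree, since the cover letter reports a compile test against 4.14.93 only.
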
-- 
2.17.1



* [stable-4.9 && 4.14 2/2] bnx2x: disable GSO where gso_size is too big for hardware
  2019-02-14 10:31 [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes Jack Wang
  2019-02-14 10:31 ` [stable-4.9 && 4.14 1/2] net: create skb_gso_validate_mac_len() Jack Wang
@ 2019-02-14 10:31 ` Jack Wang
  2019-02-17 19:26 ` [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Jack Wang @ 2019-02-14 10:31 UTC (permalink / raw)
  To: gregkh, stable; +Cc: Daniel Axtens, David S . Miller, Jack Wang

From: Daniel Axtens <dja@axtens.net>

commit 8914a595110a6eca69a5e275b323f5d09e18f4f9 upstream

If a bnx2x card is passed a GSO packet with a gso_size larger than
~9700 bytes, it will cause a firmware error that will bring the card
down:

bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
... (dump of values continues) ...

Detect when the mac length of a GSO packet is greater than the maximum
packet size (9700 bytes) and disable GSO.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[jwang: cherry pick for CVE-2018-1000026]
Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
---
 .../net/ethernet/broadcom/bnx2x/bnx2x_main.c   | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
index 022b06e770d1..41ac9a2bc153 100644
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -12978,6 +12978,24 @@ static netdev_features_t bnx2x_features_check(struct sk_buff *skb,
 					      struct net_device *dev,
 					      netdev_features_t features)
 {
+	/*
+	 * A skb with gso_size + header length > 9700 will cause a
+	 * firmware panic. Drop GSO support.
+	 *
+	 * Eventually the upper layer should not pass these packets down.
+	 *
+	 * For speed, if the gso_size is <= 9000, assume there will
+	 * not be 700 bytes of headers and pass it through. Only do a
+	 * full (slow) validation if the gso_size is > 9000.
+	 *
+	 * (Due to the way SKB_BY_FRAGS works this will also do a full
+	 * validation in that case.)
+	 */
+	if (unlikely(skb_is_gso(skb) &&
+		     (skb_shinfo(skb)->gso_size > 9000) &&
+		     !skb_gso_validate_mac_len(skb, 9700)))
+		features &= ~NETIF_F_GSO_MASK;
+
 	features = vlan_features_check(skb, features);
 	return vxlan_features_check(skb, features);
 }
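
Review bot: the comment refers to `SKB_BY_FRAGS`, but the identifier that skb_gso_size_check() tests in patch 1/2 is GSO_BY_FRAGS; fix the name so a reader can grep for it. The limits 9000 and 9700 appear as bare literals in both the comment and the condition; named driver-level constants would keep the fast-path threshold and the firmware limit from drifting apart if either is revised. The fast path also rests on two assumptions that the comment should make explicit: that headers never exceed 700 bytes when gso_size <= 9000, and that GSO_BY_FRAGS is numerically greater than 9000 so the frag-list case always reaches skb_gso_validate_mac_len(). Neither is checked in the visible code.
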
-- 
2.17.1



* Re: [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes
  2019-02-14 10:31 [stable-4.9 && 4.14 0/2] CVE 2018-1000026 fixes Jack Wang
  2019-02-14 10:31 ` [stable-4.9 && 4.14 1/2] net: create skb_gso_validate_mac_len() Jack Wang
  2019-02-14 10:31 ` [stable-4.9 && 4.14 2/2] bnx2x: disable GSO where gso_size is too big for hardware Jack Wang
@ 2019-02-17 19:26 ` Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2019-02-17 19:26 UTC (permalink / raw)
  To: Jack Wang; +Cc: gregkh, stable

On Thu, Feb 14, 2019 at 11:31:16AM +0100, Jack Wang wrote:
>Hi Greg,
>
>This is a clean cherry-pick from upstream 4.16 for CVE 2018-1000026.
>
>Other OS vendors have the fixes in their kernels[1][2], but not yet in upstream
>stable tree for 4.9 and 4.14.
>
>Compile tested with 4.14.93.
>
>Please consider including them.

Queued for 4.14 and 4.9, thank you.

--
Thanks,
Sasha
