Commit fcd91dd4 authored by Sabrina Dubroca's avatar Sabrina Dubroca Committed by David S. Miller
Browse files

net: add recursion limit to GRO 



Currently, GRO can do unlimited recursion through the gro_receive
handlers.  This was fixed for tunneling protocols by limiting tunnel GRO
to one level with encap_mark, but both VLAN and TEB still have this
problem.  Thus, the kernel is vulnerable to a stack overflow, if we
receive a packet composed entirely of VLAN headers.

This patch adds a recursion counter to the GRO layer to prevent stack
overflow.  When a gro_receive function hits the recursion limit, GRO is
aborted for this skb and it is processed normally.  This recursion
counter is put in the GRO CB, but could be turned into a percpu counter
if we run out of space in the CB.

Thanks to Vladimír Beneš <vbenes@redhat.com> for the initial bug report.

Fixes: CVE-2016-7039
Fixes: 9b174d88 ("net: Add Transparent Ethernet Bridging GRO support.")
Fixes: 66e5133f ("vlan: Add GRO support for non hardware accelerated vlan")
Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
Reviewed-by: default avatarJiri Benc <jbenc@redhat.com>
Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: default avatarTom Herbert <tom@herbertland.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7aa8e63f

drivers/net/geneve.c

+1 −1
Original line number Diff line number Diff line
@@ -453,7 +453,7 @@ static struct sk_buff **geneve_gro_receive(struct sock *sk, 


	skb_gro_pull(skb, gh_len);

	skb_gro_postpull_rcsum(skb, gh, gh_len);

	pp = ptype->callbacks.gro_receive(head, skb);

	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);

	flush = 0;



out_unlock:

drivers/net/vxlan.c

+1 −1
Original line number Diff line number Diff line
@@ -583,7 +583,7 @@ static struct sk_buff **vxlan_gro_receive(struct sock *sk, 
		}

	}



	pp = eth_gro_receive(head, skb);

	pp = call_gro_receive(eth_gro_receive, head, skb);

	flush = 0;



out:

include/linux/netdevice.h

+38 −1
Original line number Diff line number Diff line
@@ -2169,7 +2169,10 @@ struct napi_gro_cb { 
	/* Used to determine if flush_id can be ignored */

	u8	is_atomic:1;



	/* 5 bit hole */

	/* Number of gro_receive callbacks this packet already went through */

	u8 recursion_counter:4;



	/* 1 bit hole */



	/* used to support CHECKSUM_COMPLETE for tunneling protocols */

	__wsum	csum;
@@ -2180,6 +2183,40 @@ struct napi_gro_cb { 


#define NAPI_GRO_CB(skb) ((struct napi_gro_cb *)(skb)->cb)



#define GRO_RECURSION_LIMIT 15

static inline int gro_recursion_inc_test(struct sk_buff *skb)

{

	return ++NAPI_GRO_CB(skb)->recursion_counter == GRO_RECURSION_LIMIT;

}



typedef struct sk_buff **(*gro_receive_t)(struct sk_buff **, struct sk_buff *);

static inline struct sk_buff **call_gro_receive(gro_receive_t cb,

						struct sk_buff **head,

						struct sk_buff *skb)

{

	if (unlikely(gro_recursion_inc_test(skb))) {

		NAPI_GRO_CB(skb)->flush |= 1;

		return NULL;

	}



	return cb(head, skb);

}



typedef struct sk_buff **(*gro_receive_sk_t)(struct sock *, struct sk_buff **,

					     struct sk_buff *);

static inline struct sk_buff **call_gro_receive_sk(gro_receive_sk_t cb,

						   struct sock *sk,

						   struct sk_buff **head,

						   struct sk_buff *skb)

{

	if (unlikely(gro_recursion_inc_test(skb))) {

		NAPI_GRO_CB(skb)->flush |= 1;

		return NULL;

	}



	return cb(sk, head, skb);

}



struct packet_type {

	__be16			type;	/* This is really htons(ether_type). */

	struct net_device	*dev;	/* NULL is wildcarded here	     */

net/8021q/vlan.c

+1 −1
Original line number Diff line number Diff line
@@ -664,7 +664,7 @@ static struct sk_buff **vlan_gro_receive(struct sk_buff **head, 


	skb_gro_pull(skb, sizeof(*vhdr));

	skb_gro_postpull_rcsum(skb, vhdr, sizeof(*vhdr));

	pp = ptype->callbacks.gro_receive(head, skb);

	pp = call_gro_receive(ptype->callbacks.gro_receive, head, skb);



out_unlock:

	rcu_read_unlock();

net/core/dev.c

+1 −0
Original line number Diff line number Diff line
@@ -4511,6 +4511,7 @@ static enum gro_result dev_gro_receive(struct napi_struct *napi, struct sk_buff 
		NAPI_GRO_CB(skb)->flush = 0;

		NAPI_GRO_CB(skb)->free = 0;

		NAPI_GRO_CB(skb)->encap_mark = 0;

		NAPI_GRO_CB(skb)->recursion_counter = 0;

		NAPI_GRO_CB(skb)->is_fou = 0;

		NAPI_GRO_CB(skb)->is_atomic = 1;

		NAPI_GRO_CB(skb)->gro_remcsum_start = 0;

CRA Git | Maintained and supported by SUSTech CRA and CCSE