diff mbox series

[SRU,B/linux] tap: fix use-after-free

Message ID 20200731082833.16568-1-juergh@canonical.com
State New
Headers show
Series [SRU,B/linux] tap: fix use-after-free | expand

Commit Message

Juerg Haefliger July 31, 2020, 8:28 a.m. UTC
From: "Michael S. Tsirkin" <mst@redhat.com>

BugLink: https://bugs.launchpad.net/bugs/1889735

Lockless access to __ptr_ring_full is only legal if ring is
never resized, otherwise it might cause use-after free errors.
Simply drop the lockless test, we'll drop the packet
a bit later when produce fails.

Fixes: 362899b8 ("macvtap: switch to use skb array")
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

(backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
[juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit
 5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
---
 drivers/net/tap.c | 3 ---
 1 file changed, 3 deletions(-)

Comments

Colin Ian King July 31, 2020, 8:34 a.m. UTC | #1
On 31/07/2020 09:28, Juerg Haefliger wrote:
> From: "Michael S. Tsirkin" <mst@redhat.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1889735
> 
> Lockless access to __ptr_ring_full is only legal if ring is
> never resized, otherwise it might cause use-after free errors.
> Simply drop the lockless test, we'll drop the packet
> a bit later when produce fails.
> 
> Fixes: 362899b8 ("macvtap: switch to use skb array")
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> (backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
> [juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit
>  5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
>  drivers/net/tap.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index afbe5bec2c33..f8b44d395c2f 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
>  	if (!q)
>  		return RX_HANDLER_PASS;
>  
> -	if (__skb_array_full(&q->skb_array))
> -		goto drop;
> -
>  	skb_push(skb, ETH_HLEN);
>  
>  	/* Apply the forward feature mask so that we perform segmentation
> 

Backport looks good to me. Thanks Juerg.

Acked-by: Colin Ian King <colin.king@canonical.com>
Stefan Bader July 31, 2020, 9:12 a.m. UTC | #2
On 31.07.20 10:28, Juerg Haefliger wrote:
> From: "Michael S. Tsirkin" <mst@redhat.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1889735
> 
> Lockless access to __ptr_ring_full is only legal if ring is
> never resized, otherwise it might cause use-after free errors.
> Simply drop the lockless test, we'll drop the packet
> a bit later when produce fails.
> 
> Fixes: 362899b8 ("macvtap: switch to use skb array")
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> (backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
> [juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit
>  5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---

You seem to have tried using the form of regression potential that was asked by
the sru team. Though I am not quite understanding the impact. Not sure how
anyone from sru team would cope. Maybe "some network packets going missing"
would be better.
The testcase should be defined before a kernel with this is hitting proposed.

-Stefan

>  drivers/net/tap.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index afbe5bec2c33..f8b44d395c2f 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
>  	if (!q)
>  		return RX_HANDLER_PASS;
>  
> -	if (__skb_array_full(&q->skb_array))
> -		goto drop;
> -
>  	skb_push(skb, ETH_HLEN);
>  
>  	/* Apply the forward feature mask so that we perform segmentation
>
Khalid Elmously Aug. 7, 2020, 8:08 p.m. UTC | #3
On 2020-07-31 10:28:33 , Juerg Haefliger wrote:
> From: "Michael S. Tsirkin" <mst@redhat.com>
> 
> BugLink: https://bugs.launchpad.net/bugs/1889735
> 
> Lockless access to __ptr_ring_full is only legal if ring is
> never resized, otherwise it might cause use-after free errors.
> Simply drop the lockless test, we'll drop the packet
> a bit later when produce fails.
> 
> Fixes: 362899b8 ("macvtap: switch to use skb array")
> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> (backported from commit 88fae87327a2261cf8db078f6ce4e5a3e55b30b1)
> [juergh: __ptr_ring_full() -> __skb_array_full() due to lack of commit
>  5990a30510ed ("tun/tap: use ptr_ring instead of skb_array").]
> Signed-off-by: Juerg Haefliger <juergh@canonical.com>
> ---
>  drivers/net/tap.c | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/drivers/net/tap.c b/drivers/net/tap.c
> index afbe5bec2c33..f8b44d395c2f 100644
> --- a/drivers/net/tap.c
> +++ b/drivers/net/tap.c
> @@ -330,9 +330,6 @@ rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
>  	if (!q)
>  		return RX_HANDLER_PASS;
>  
> -	if (__skb_array_full(&q->skb_array))
> -		goto drop;
> -
>  	skb_push(skb, ETH_HLEN);
>  
>  	/* Apply the forward feature mask so that we perform segmentation
> -- 
> 2.25.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
diff mbox series

Patch

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index afbe5bec2c33..f8b44d395c2f 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -330,9 +330,6 @@  rx_handler_result_t tap_handle_frame(struct sk_buff **pskb)
 	if (!q)
 		return RX_HANDLER_PASS;
 
-	if (__skb_array_full(&q->skb_array))
-		goto drop;
-
 	skb_push(skb, ETH_HLEN);
 
 	/* Apply the forward feature mask so that we perform segmentation