From patchwork Tue May 9 23:50:40 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1779139
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 1/3] net/sched: act_mirred: better wording on protection against excessive stack growth
Date: Tue, 9 May 2023 19:50:40 -0400
Message-Id: <20230509235043.69974-3-yuxuan.luo@canonical.com>
In-Reply-To: <20230509235043.69974-1-yuxuan.luo@canonical.com>
References: <20230509235043.69974-1-yuxuan.luo@canonical.com>

From: Davide Caratti

with commit e2ca070f89ec ("net: sched: protect against stack overflow in TC act_mirred"), act_mirred protected itself against excessive stack growth using per_cpu counter of nested calls to tcf_mirred_act(), and capping it to MIRRED_RECURSION_LIMIT. However, such protection does not detect recursion/loops in case the packet is enqueued to the backlog (for example, when the mirred target device has RPS or skb timestamping enabled).

Change the wording from "recursion" to "nesting" to make it more clear to readers.

CC: Jamal Hadi Salim
Signed-off-by: Davide Caratti
Reviewed-by: Marcelo Ricardo Leitner
Acked-by: Jamal Hadi Salim
Signed-off-by: Paolo Abeni
(cherry picked from commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f)
CVE-2022-4269
Signed-off-by: Yuxuan Luo
--- net/sched/act_mirred.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index dad6a29f6e074..6ddc0b3304cd5 100644 --- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c @@ -28,8 +28,8 @@ static LIST_HEAD(mirred_list); static DEFINE_SPINLOCK(mirred_list_lock); -#define MIRRED_RECURSION_LIMIT 4 -static DEFINE_PER_CPU(unsigned int, mirred_rec_level); +#define MIRRED_NEST_LIMIT 4 +static DEFINE_PER_CPU(unsigned int, mirred_nest_level); static bool tcf_mirred_is_act_redirect(int action) { @@ -225,7 +225,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, struct sk_buff *skb2 = skb; bool m_mac_header_xmit; struct net_device *dev; - unsigned int rec_level; + unsigned int nest_level; int retval, err = 0; bool use_reinsert; bool want_ingress; @@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, int mac_len; bool at_nh; - rec_level = __this_cpu_inc_return(mirred_rec_level); - if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) { + nest_level = __this_cpu_inc_return(mirred_nest_level); + if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", netdev_name(skb->dev)); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_SHOT; } @@ -309,7 +309,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, err = tcf_mirred_forward(want_ingress, skb); if (err) tcf_action_inc_overlimit_qstats(&m->common); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_CONSUMED; } } @@ -321,7 +321,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (tcf_mirred_is_act_redirect(m_eaction)) retval = TC_ACT_SHOT; } - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return retval; }
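
Review bot: In the hunk at @@ -28,8 the renamed MIRRED_NEST_LIMIT and mirred_nest_level definitions carry no comment saying what they bound. The commit message explains that the per-CPU counter only caps nested calls to tcf_mirred_act() and does not detect loops when the packet is enqueued to the backlog; a short comment above the define stating that would keep the distinction visible in the source instead of only in the log.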
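
Review bot: In the hunk at @@ -236,11 the net_warn_ratelimited() string still reads "Packet exceeded mirred recursion limit on dev %s" while every identifier around it is renamed to nest_level / MIRRED_NEST_LIMIT, which leaves the old wording in the one place operators see it. If the string is kept on purpose so that existing log matching keeps working, say so in the commit message; otherwise reword it to match the nesting terminology.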