From patchwork Fri May 12 18:01:38 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1780754
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH v2 5/6] net/sched: act_mirred: better wording on protection against excessive stack growth
Date: Fri, 12 May 2023 14:01:38 -0400
Message-Id: <20230512180139.27507-8-yuxuan.luo@canonical.com>
In-Reply-To: <20230512180139.27507-1-yuxuan.luo@canonical.com>

From: Davide Caratti

with commit e2ca070f89ec ("net: sched: protect against stack overflow in TC
act_mirred"), act_mirred protected itself against excessive stack growth
using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
to MIRRED_RECURSION_LIMIT. However, such protection does not detect
recursion/loops in case the packet is enqueued to the backlog (for example,
when the mirred target device has RPS or skb timestamping enabled). Change
the wording from "recursion" to "nesting" to make it more clear to readers.

CC: Jamal Hadi Salim
Signed-off-by: Davide Caratti
Reviewed-by: Marcelo Ricardo Leitner
Acked-by: Jamal Hadi Salim
Signed-off-by: Paolo Abeni
(cherry picked from commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f)
CVE-2022-4269
Signed-off-by: Yuxuan Luo
---
 net/sched/act_mirred.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index a523a67268178..1f2187c929304 100644
--- a/net/sched/act_mirred.c +++ b/net/sched/act_mirred.c @@ -28,8 +28,8 @@ static LIST_HEAD(mirred_list); static DEFINE_SPINLOCK(mirred_list_lock); -#define MIRRED_RECURSION_LIMIT 4 -static DEFINE_PER_CPU(unsigned int, mirred_rec_level); +#define MIRRED_NEST_LIMIT 4 +static DEFINE_PER_CPU(unsigned int, mirred_nest_level); static bool tcf_mirred_is_act_redirect(int action) { @@ -225,7 +225,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, struct sk_buff *skb2 = skb; bool m_mac_header_xmit; struct net_device *dev; - unsigned int rec_level; + unsigned int nest_level; int retval, err = 0; bool use_reinsert; bool want_ingress; @@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, int mac_len; bool at_nh; - rec_level = __this_cpu_inc_return(mirred_rec_level); - if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) { + nest_level = __this_cpu_inc_return(mirred_nest_level); + if (unlikely(nest_level > MIRRED_NEST_LIMIT)) { net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n", netdev_name(skb->dev)); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_SHOT; } @@ -309,7 +309,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, err = tcf_mirred_forward(want_ingress, skb); if (err) tcf_action_inc_overlimit_qstats(&m->common); - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return TC_ACT_CONSUMED; } } @@ -321,7 +321,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a, if (tcf_mirred_is_act_redirect(m_eaction)) retval = TC_ACT_SHOT; } - __this_cpu_dec(mirred_rec_level); + __this_cpu_dec(mirred_nest_level); return retval; }
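
Review bot: In the @@ -28,8 +28,8 hunk, the renamed MIRRED_NEST_LIMIT and mirred_nest_level are still defined without a comment, so the limitation spelled out in the commit message (the per-CPU counter caps nested calls to tcf_mirred_act(), and does not detect loops when the packet is enqueued to the backlog) lives only in the changelog. A short comment above the #define stating what the limit does and does not cover would keep that distinction next to the code, which is the stated goal of the rename.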
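
Review bot: In the @@ -236,11 +236,11 hunk, the net_warn_ratelimited() string is left as "Packet exceeded mirred recursion limit on dev %s\n" while the counter and limit it reports on are now nest_level and MIRRED_NEST_LIMIT. Since the purpose of this change is the wording, either update the message to say "nesting limit" or state in the commit message that the log text is kept unchanged on purpose, so the log line and the code do not describe the same check with two different terms.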