From patchwork Tue Feb 13 18:09:59 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1898361
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][Jammy][Focal][PATCH 1/1] xen-netback: don't produce zero-size SKB frags
Date: Tue, 13 Feb 2024 12:09:59 -0600
Message-Id: <20240213180959.27262-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240213180959.27262-1-bethany.jamison@canonical.com>
References: <20240213180959.27262-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions
Sender: "kernel-team"

From: Jan Beulich

While frontends may submit zero-size requests (wasting a precious slot),
core networking code as of at least 3ece782693c4b ("sock: skb_copy_ubufs
support for compound pages") can't deal with SKBs when they have all
zero-size fragments.

Respond to empty requests right when populating fragments; all further
processing is fragment based and hence won't encounter these empty
requests anymore.

In a way this should have been that way from the beginning: When no data
is to be transferred for a particular request, there's not even a point
in validating the respective grant ref. That's no different from e.g.
passing NULL into memcpy() when at the same time the size is 0.

This is XSA-448 / CVE-2023-46838.

Cc: stable@vger.kernel.org
Signed-off-by: Jan Beulich
Reviewed-by: Juergen Gross
Reviewed-by: Paul Durrant
(cherry picked from commit c7ec4f2d684e17d69bbdd7c4324db0ef5daac26a)
CVE-2023-46838
Signed-off-by: Bethany Jamison
---
 drivers/net/xen-netback/netback.c | 44 ++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/drivers/net/xen-netback/netback.c b/drivers/net/xen-netback/netback.c
index 88f760a7cbc35..d7503aef599f0 100644
--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -463,12 +463,25 @@ static void xenvif_get_requests(struct xenvif_queue *queue, } for (shinfo->nr_frags = 0; nr_slots > 0 && shinfo->nr_frags < MAX_SKB_FRAGS; - shinfo->nr_frags++, gop++, nr_slots--) { + nr_slots--) { + if (unlikely(!txp->size)) { + unsigned long flags; + + spin_lock_irqsave(&queue->response_lock, flags); + make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY); + push_tx_responses(queue); + spin_unlock_irqrestore(&queue->response_lock, flags); + ++txp; + continue; + } + index = pending_index(queue->pending_cons++); pending_idx = queue->pending_ring[index]; xenvif_tx_create_map_op(queue, pending_idx, txp, txp == first ? extra_count : 0, gop); frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx); + ++shinfo->nr_frags; + ++gop; if (txp == first) txp = txfrags; @@ -481,20 +494,39 @@ static void xenvif_get_requests(struct xenvif_queue *queue, shinfo = skb_shinfo(nskb); frags = shinfo->frags; - for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; - shinfo->nr_frags++, txp++, gop++) { + for (shinfo->nr_frags = 0; shinfo->nr_frags < nr_slots; ++txp) { + if (unlikely(!txp->size)) { + unsigned long flags; + + spin_lock_irqsave(&queue->response_lock, flags); + make_tx_response(queue, txp, 0, + XEN_NETIF_RSP_OKAY); + push_tx_responses(queue); + spin_unlock_irqrestore(&queue->response_lock, + flags); + continue; + } + index = pending_index(queue->pending_cons++); pending_idx = queue->pending_ring[index]; xenvif_tx_create_map_op(queue, pending_idx, txp, 0, gop); frag_set_pending_idx(&frags[shinfo->nr_frags], pending_idx); + ++shinfo->nr_frags; + ++gop; } - skb_shinfo(skb)->frag_list = nskb; - } else if (nskb) { + if (shinfo->nr_frags) { + skb_shinfo(skb)->frag_list = nskb; + nskb = NULL; + } + } + + if (nskb) { /* A frag_list skb was allocated but it is no longer needed - * because enough slots were converted to copy ops above. + * because enough slots were converted to copy ops above or some + * were empty. */ kfree_skb(nskb); }
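Review bot: In the first hunk (@@ -463,12 +463,25 @@) the empty-request path advances with a bare `++txp; continue;`, which bypasses the `if (txp == first) txp = txfrags;` step at the bottom of the loop that every non-empty request goes through. If `txp` can still equal `first` when `txp->size` is 0, the skip steps past `first` instead of into `txfrags`; if that is impossible because the head request is always either fully consumed or left with a non-zero remainder before this loop, a one-line comment saying so would spare the next reader the same question, otherwise the skip path should use the same first/txfrags advance as the normal path. Also, the `spin_lock_irqsave(&queue->response_lock, flags);` / `make_tx_response(queue, txp, 0, XEN_NETIF_RSP_OKAY);` / `push_tx_responses(queue);` / unlock sequence is repeated verbatim in the second hunk; a small static helper (hypothetical name: `xenvif_tx_respond_empty(queue, txp)`) would keep both copies in step.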
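Review bot: In the second hunk (@@ -481,20 +494,39 @@) the loop's exit condition `shinfo->nr_frags < nr_slots` no longer matches what the loop consumes: the first hunk decrements `nr_slots` for every request, skipped or not, in its increment clause, but here a skipped empty request neither adds a frag nor reduces `nr_slots`, so with k empty requests among the remaining `nr_slots` the loop keeps doing `++txp` past the `nr_slots` requests it was handed until it finds k more non-empty ones. Mirror the first hunk and make `nr_slots` the loop counter, e.g. `for (shinfo->nr_frags = 0; nr_slots > 0; ++txp, --nr_slots)`, so each request is consumed exactly once. The `nskb = NULL;` after attaching the frag_list, paired with the later `if (nskb) { ... kfree_skb(nskb); }`, is the right shape for the case where every remaining request was empty, and the updated comment ("or some were empty") documents it.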