[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CANn89iLJGbm0Jr9CVFo6K8jetF2jX0EqVBUR3a1L=PPSSLCygA@mail.gmail.com>
Date: Tue, 22 Oct 2024 12:29:21 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Wang Liang <wangliang74@...wei.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, idosch@...dia.com,
kuniyu@...zon.com, stephen@...workplumber.org, dsahern@...nel.org,
lucien.xin@...il.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: fix crash when config small gso_max_size/gso_ipv4_max_size
On Tue, Oct 22, 2024 at 10:40 AM Wang Liang <wangliang74@...wei.com> wrote:
>
> Config a small gso_max_size/gso_ipv4_max_size can lead to large skb len,
> which may trigger a BUG_ON crash.
>
> If the gso_max_size/gso_ipv4_max_size is smaller than MAX_TCP_HEADER + 1,
> the sk->sk_gso_max_size is overflowed:
> sk_setup_caps
> // dst->dev->gso_ipv4_max_size = 252, MAX_TCP_HEADER = 320
> // GSO_LEGACY_MAX_SIZE = 65536, sk_is_tcp(sk) = 1
> sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
> max_size = dst->dev->gso_ipv4_max_size;
> sk->sk_gso_max_size = max_size - (MAX_TCP_HEADER + 1);
> sk->sk_gso_max_size = 252-(320+1) = -69
>
> When send tcp msg, the wrong sk_gso_max_size can lead to a very large
> size_goal, which cause large skb length:
> tcp_sendmsg_locked
> tcp_send_mss(sk, &size_goal, flags);
> tcp_xmit_size_goal(sk, mss_now, !(flags & MSG_OOB));
>
> // tp->max_window = 65536, TCP_MSS_DEFAULT = 536
> new_size_goal = tcp_bound_to_half_wnd(tp, sk->sk_gso_max_size);
> new_size_goal = sk->sk_gso_max_size = -69
>
> // tp->gso_segs = 0, mss_now = 32768
> size_goal = tp->gso_segs * mss_now;
> size_goal = 0*32768 = 0
>
> // sk->sk_gso_max_segs = 65535, new_size_goal = -69
> new_size_goal < size_goal:
> tp->gso_segs = min_t(u16, new_size_goal / mss_now,
> sk->sk_gso_max_segs);
> // new_size_goal / mss_now = 0x1FFFF -> 65535
> // tp->gso_segs = 65535
> size_goal = tp->gso_segs * mss_now;
> size_goal = 65535*32768 = 2147450880
>
> if new_segment:
> skb = tcp_stream_alloc_skb()
> copy = size_goal; // copy = 2147450880
> if (copy > msg_data_left(msg)) // msg_data_left(msg) = 2147479552
> copy = msg_data_left(msg); // copy = 2147450880
> copy = min_t(int, copy, pfrag->size - pfrag->offset); // copy = 21360
> skb_copy_to_page_nocache
> skb_len_add
> skb->len += copy; // skb->len add to 524288
>
I find this explanation way too long. No one will bother to double
check your claims.
I would simply point out that an underflow in sk_dst_gso_max_size()
leads to a crash,
because sk->sk_gso_max_size would be much bigger than device limits.
> The large skb length may load to a overflowed tso_segs, which can trigger
> a BUG_ON crash:
> tcp_write_xmit
> tso_segs = tcp_init_tso_segs(skb, mss_now);
> tcp_set_skb_tso_segs
> tcp_skb_pcount_set
> // skb->len = 524288, mss_now = 8
> // u16 tso_segs = 524288/8 = 65535 -> 0
> tso_segs = DIV_ROUND_UP(skb->len, mss_now)
> BUG_ON(!tso_segs)
>
> To solve this issue, the minimum value of gso_max_size/gso_ipv4_max_size
> should be checked.
>
> Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
> Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
> Signed-off-by: Wang Liang <wangliang74@...wei.com>
> ---
> net/core/rtnetlink.c | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index e30e7ea0207d..a0df1da5a0a6 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -2466,6 +2466,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
> return -EINVAL;
> }
>
> + if (tb[IFLA_GSO_MAX_SIZE] &&
> + (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) {
> + NL_SET_ERR_MSG(extack, "too small gso_max_size");
> + return -EINVAL;
> + }
Modern way would be to change ifla_policy[] : This is where we put such limits.
Look for NLA_POLICY_MIN() uses in the tree.
> +
> if (tb[IFLA_GSO_MAX_SEGS] &&
> (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS ||
> nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) {
> @@ -2485,6 +2491,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
> return -EINVAL;
> }
>
> + if (tb[IFLA_GSO_IPV4_MAX_SIZE] &&
> + (nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) < MAX_TCP_HEADER + 1)) {
> + NL_SET_ERR_MSG(extack, "too small gso_ipv4_max_size");
> + return -EINVAL;
> + }
Same here.
> +
> if (tb[IFLA_GRO_IPV4_MAX_SIZE] &&
> nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) {
> NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size");
> --
> 2.34.1
>
Powered by blists - more mailing lists