UBUNTU: SAUCE: tcp: limit payload size of sacked skbs

Jonathan Looney reported that TCP can trigger the following crash in tcp_shifted_skb() : BUG_ON(tcp_skb_pcount(skb) < pcount); This can happen if the remote peer has advertized the smallest MSS that linux TCP accepts : 48 An skb can hold 17 fragments, and each fragment can hold 32KB on x86, or 64KB on PowerPC. This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs can overflow. Note that tcp_sendmsg() builds skbs with less than 64KB of payload, so this problem needs SACK to be enabled. SACK blocks allow TCP to coalesce multiple skbs in the retransmit queue, thus filling the 17 fragments to maximal capacity. Fixes: 832d11c5 ("tcp: Try to restore large SKBs while SACK processing") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Jonathan Looney <jtl@netflix.com> Acked-by: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Bruce Curtis <brucec@netflix.com> BugLink: https://bugs.launchpad.net/bugs/1831637 (Remote denial of service (system crash) caused by integer overflow in TCP SACK handling (LP: #1831637)) [tyhicks: Backport to Xenial: - Adjust context in linux/tcp.h and tcp.c - tcp_shifted_skb() doesn't take the prev skb as a parameter - tcp_collapse_retrans() doesn't do frag shifting since commit f8071cde ("tcp: enhance tcp_collapse_retrans() with skb_shift()") isn't present so no changes are needed to that function] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

UBUNTU: SAUCE: tcp: limit payload size of sacked skbs
Jonathan Looney reported that TCP can trigger the following crash in tcp_shifted_skb() : BUG_ON(tcp_skb_pcount(skb) < pcount); This can happen if the remote peer has advertized the smallest MSS that linux TCP accepts : 48 An skb can hold 17 fragments, and each fragment can hold 32KB on x86, or 64KB on PowerPC. This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs can overflow. Note that tcp_sendmsg() builds skbs with less than 64KB of payload, so this problem needs SACK to be enabled. SACK blocks allow TCP to coalesce multiple skbs in the retransmit queue, thus filling the 17 fragments to maximal capacity. Fixes: 832d11c5 ("tcp: Try to restore large SKBs while SACK processing") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Jonathan Looney <jtl@netflix.com> Acked-by: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Bruce Curtis <brucec@netflix.com> BugLink: https://bugs.launchpad.net/bugs/1831637 (Remote denial of service (system crash) caused by integer overflow in TCP SACK handling (LP: #1831637)) [tyhicks: Backport to Xenial: - Adjust context in linux/tcp.h and tcp.c - tcp_shifted_skb() doesn't take the prev skb as a parameter - tcp_collapse_retrans() doesn't do frag shifting since commit f8071cde ("tcp: enhance tcp_collapse_retrans() with skb_shift()") isn't present so no changes are needed to that function] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
db455250 · Eric Dumazet · Stefan Bader · bbdaf4e8 · db455250 · db455250
Commit db455250 authored May 31, 2019 by Eric Dumazet Committed by Stefan Bader Jun 05, 2019
5 changed files
--- a/include/linux/tcp.h
+++ b/include/linux/tcp.h
@@ -419,4 +419,7 @@ static inline void tcp_saved_syn_free(struct tcp_sock *tp)
 	tp->saved_syn = NULL;
 }
+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from, int pcount,
+		  int shiftlen);
 #endif	/* _LINUX_TCP_H */
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -54,6 +54,8 @@ void tcp_time_wait(struct sock *sk, int state, int timeo);
 #define MAX_TCP_HEADER	(128 + MAX_HEADER)
 #define MAX_TCP_OPTION_SPACE 40
+#define TCP_MIN_SND_MSS		48
+#define TCP_MIN_GSO_SIZE	(TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE)
 /*
 * Never offer a window over 32767 without using window scaling. Some

--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3144,6 +3144,7 @@ void __init tcp_init(void)
 	int max_rshare, max_wshare, cnt;
 	unsigned int i;
+	BUILD_BUG_ON(TCP_MIN_SND_MSS <= MAX_TCP_OPTION_SPACE);
 	sock_skb_cb_check_size(sizeof(struct tcp_skb_cb));
 	percpu_counter_init(&tcp_sockets_allocated, 0, GFP_KERNEL);

--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -1275,7 +1275,7 @@ static bool tcp_shifted_skb(struct sock *sk, struct sk_buff *skb,
 	TCP_SKB_CB(skb)->seq += shifted;
 	tcp_skb_pcount_add(prev, pcount);
-	BUG_ON(tcp_skb_pcount(skb) < pcount);
+	WARN_ON_ONCE(tcp_skb_pcount(skb) < pcount);
 	tcp_skb_pcount_add(skb, -pcount);
 	/* When we're adding to gso_segs == 1, gso_size will be zero,
@@ -1337,6 +1337,21 @@ static int skb_can_shift(const struct sk_buff *skb)
 	return !skb_headlen(skb) && skb_is_nonlinear(skb);
 }
+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from,
+		  int pcount, int shiftlen)
+{
+	/* TCP min gso_size is 8 bytes (TCP_MIN_GSO_SIZE)
+	 * Since TCP_SKB_CB(skb)->tcp_gso_segs is 16 bits, we need
+	 * to make sure not storing more than 65535 * 8 bytes per skb,
+	 * even if current MSS is bigger.
+	 */
+	if (unlikely(to->len + shiftlen >= 65535 * TCP_MIN_GSO_SIZE))
+		return 0;
+	if (unlikely(tcp_skb_pcount(to) + pcount > 65535))
+		return 0;
+	return skb_shift(to, from, shiftlen);
+}
 /* Try collapsing SACK blocks spanning across multiple skbs to a single
 * skb.
 */
@@ -1442,7 +1457,7 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
 	if (!after(TCP_SKB_CB(skb)->seq + len, tp->snd_una))
 		goto fallback;
-	if (!skb_shift(prev, skb, len))
+	if (!tcp_skb_shift(prev, skb, pcount, len))
 		goto fallback;
 	if (!tcp_shifted_skb(sk, skb, state, pcount, len, mss, dup_sack))
 		goto out;
@@ -1461,10 +1476,9 @@ static struct sk_buff *tcp_shift_skb_data(struct sock *sk, struct sk_buff *skb,
 		goto out;
 	len = skb->len;
-	if (skb_shift(prev, skb, len)) {
+	pcount = tcp_skb_pcount(skb);
-		pcount += tcp_skb_pcount(skb);
+	if (tcp_skb_shift(prev, skb, pcount, len))
-		tcp_shifted_skb(sk, skb, state, tcp_skb_pcount(skb), len, mss, 0);
+		tcp_shifted_skb(sk, skb, state, pcount, len, mss, 0);
-	}
 out:
 	state->fack_count += pcount;

--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1329,8 +1329,8 @@ static inline int __tcp_mtu_to_mss(struct sock *sk, int pmtu)
 	mss_now -= icsk->icsk_ext_hdr_len;
 	/* Then reserve room for full set of TCP options and 8 bytes of data */
-	if (mss_now < 48)
+	if (mss_now < TCP_MIN_SND_MSS)
-		mss_now = 48;
+		mss_now = TCP_MIN_SND_MSS;
 	return mss_now;
 }