    skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow · 48a1df65
    Jason A. Donenfeld authored
    This is a defense-in-depth measure in response to bugs like
    4d6fa57b ("macsec: avoid heap overflow in skb_to_sgvec"). There's
    not only a potential overflow of sglist items, but also a stack overflow
    potential, so we fix this by limiting the amount of recursion this function
    is allowed to do. Not actually providing a bounded base case is a future
    disaster that we can easily avoid here.
    
    As a small matter of housekeeping, we take this opportunity to move the
    documentation comment over the actual function the documentation is for.
    
    While this could be implemented by using an explicit stack of skbuffs,
    when implementing this, the function complexity increased considerably,
    and I don't think such complexity and bloat is actually worth it. So,
    instead I built this and tested it on x86, x86_64, ARM, ARM64, and MIPS,
    and measured the stack usage there. I also reverted the recent MIPS
    changes that give it a separate IRQ stack, so that I could experience
    some worst-case situations. I found that limiting it to 24 layers deep
    yielded a good stack usage with room for safety, as well as being much
    deeper than any driver actually ever creates.
    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Cc: Steffen Klassert <steffen.klassert@secunet.com>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: "David S. Miller" <davem@davemloft.net>
    Cc: David Howells <dhowells@redhat.com>
    Cc: Sabrina Dubroca <sd@queasysnail.net>
    Cc: "Michael S. Tsirkin" <mst@redhat.com>
    Cc: Jason Wang <jasowang@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
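As an added illustration (example code written for this page, not the kernel's skb_to_sgvec nor part of this commit), a toy model of the bounded walk the message describes: a recursive frag_list walker with a 24-level depth limit that returns -EMSGSIZE instead of running past either the sg array or the stack. The toy_skb and sg_entry types and the walk_nested_chain driver are constructed here and stand in for the kernel's sk_buff and scatterlist.

```c
#include <errno.h>
#include <string.h>

/* Toy model of an sk_buff with a frag_list (constructed for this example;
 * not the kernel's struct sk_buff or scatterlist). */
#define SGVEC_MAX_DEPTH 24   /* recursion bound chosen in the commit */
struct sg_entry { const void *addr; unsigned int len; };
struct toy_skb {
    const void *data; unsigned int len;   /* linear payload */
    struct toy_skb *frag_list;            /* nested chain, walked recursively */
    struct toy_skb *next;                 /* sibling in the parent's frag_list */
};
/* Fill sg[] from skb and its frag_list. Returns entries used, or -EMSGSIZE
 * when the sg array or the recursion budget would be exceeded. */
static int sgvec_walk(const struct toy_skb *skb, struct sg_entry *sg,
                      int nsg, int elt, unsigned int depth)
{
    if (depth >= SGVEC_MAX_DEPTH)   /* bounded base case instead of unbounded recursion */
        return -EMSGSIZE;
    if (skb->len) {
        if (elt >= nsg)             /* array full: error out rather than write past it */
            return -EMSGSIZE;
        sg[elt].addr = skb->data;
        sg[elt].len = skb->len;
        elt++;
    }
    for (const struct toy_skb *f = skb->frag_list; f; f = f->next) {
        elt = sgvec_walk(f, sg, nsg, elt, depth + 1);
        if (elt < 0)
            return elt;             /* propagate -EMSGSIZE to the caller */
    }
    return elt;
}

int toy_skb_to_sgvec(const struct toy_skb *skb, struct sg_entry *sg, int nsg)
{
    return sgvec_walk(skb, sg, nsg, 0, 0);
}
/* Driver: nest n one-byte buffers, each in the previous one's frag_list,
 * and convert the chain into an sg array of nsg entries. */
int walk_nested_chain(unsigned int n, int nsg)
{
    static struct toy_skb pool[64]; static struct sg_entry sg[64];
    if (n == 0 || n > 64 || nsg < 1 || nsg > 64) return -EINVAL;
    memset(pool, 0, sizeof(pool));
    for (unsigned int i = 0; i < n; i++) {
        pool[i].data = "x"; pool[i].len = 1;
        if (i + 1 < n) pool[i].frag_list = &pool[i + 1];
    }
    return toy_skb_to_sgvec(&pool[0], sg, nsg);
}
```

A 24-deep chain still converts; the 25th nesting level and any chain longer than the sg array both fail cleanly with -EMSGSIZE.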
skbuff.c 125 KB