git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit
author    Friedemann Gerold <f.gerold@b-c-s.de>
          Sat, 15 Sep 2018 15:03:39 +0000 (18:03 +0300)
committer Juerg Haefliger <juergh@canonical.com>
          Wed, 24 Jul 2019 01:53:24 +0000 (19:53 -0600)
commit    6a21f3946ed7e32ec267cc991ee7cb34dcb945c5
tree      d250aa735377beee9e25c69bfa2fb1fe93aeecfe
parent    b8427f5d370cc0567224dad239670906e3a167b3
net: aquantia: memory corruption on jumbo frames

BugLink: https://bugs.launchpad.net/bugs/1836426
[ Upstream commit d26ed6b0e5e23190d43ab34bc69cbecdc464a2cf ]

This patch fixes the skb_shared area, which will be corrupted
upon reception of 4K jumbo packets.

Originally build_skb usage purpose was to reuse page for skb to eliminate
needs of extra fragments. But that logic does not take into account that
skb_shared_info should be reserved at the end of skb data area.

In case packet data consumes all the page (4K), skb_shinfo location
overflows the page. As a consequence, __build_skb zeroed shinfo data above
the allocated page, corrupting next page.

The issue is rarely seen in real life because jumbo frames are normally larger
than 4K and that causes another code path to trigger.
But it is 100% reproducible with a simple scapy packet, like:

    from scapy.all import IP, TCP, Raw, RandString, sendp

    # 4096-byte IP packet: 40 bytes of IP+TCP headers plus 4056 bytes of random payload
    sendp(IP(dst="192.168.100.3") / TCP(dport=443) \
          / Raw(RandString(size=(4096-40))), iface="enp1s0")

Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code")
Reported-by: Friedemann Gerold <f.gerold@b-c-s.de>
Reported-by: Michael Rauch <michael@rauch.be>
Signed-off-by: Friedemann Gerold <f.gerold@b-c-s.de>
Tested-by: Nikita Danilov <nikita.danilov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
drivers/net/ethernet/aquantia/atlantic/aq_ring.c
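The overflow the commit message describes, modelled in user space as an added example (not the driver's or the kernel's code): a page-sized RX buffer sits next to a canary-filled page, __build_skb is modelled as zeroing skb_shared_info right after the packet data, and the room check the fix needs is shown beside the unchecked path. PAGE_SZ, SHINFO_SZ, the canary and all function names are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SZ   4096u
#define MEM_SZ    (2u * PAGE_SZ)
#define CANARY    0xA5u
/* Stands in for SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); the real value
 * is arch-dependent, 320 is an assumed figure for this model only. */
#define SHINFO_SZ 320u

/* Two adjacent pages: [0, PAGE_SZ) is the RX page handed to build_skb,
 * [PAGE_SZ, MEM_SZ) is whatever the allocator placed next to it. */
static uint8_t g_mem[MEM_SZ];
static void init_pages(void) { memset(g_mem, CANARY, MEM_SZ); }

/* True while the neighbouring page still holds its canary pattern. */
static bool next_page_intact(void) {
    for (size_t i = PAGE_SZ; i < MEM_SZ; i++)
        if (g_mem[i] != CANARY) return false;
    return true;
}

/* Model of __build_skb: skb_shared_info is placed right after the packet
 * data and zeroed. Nothing here checks that it still lies inside the page. */
static void build_skb_model(size_t len) {
    if (len > PAGE_SZ) len = PAGE_SZ;      /* the model's frame max is one page */
    memset(g_mem + len, 0, SHINFO_SZ);
}

/* The room check the commit message says was missing: packet data plus the
 * trailing skb_shared_info must fit inside the single RX page. */
static bool fits_build_skb(size_t len) {
    return len + SHINFO_SZ <= PAGE_SZ;
}

/* Buggy RX path: always reuse the page. Returns true if the neighbour survived. */
static bool rx_buggy(size_t len) {
    init_pages();
    build_skb_model(len);
    return next_page_intact();
}

/* Fixed RX path: reuse the page only when the reservation fits; a frame that
 * does not fit takes the other path (copy into a separate skb, a no-op here). */
static bool rx_fixed(size_t len) {
    init_pages();
    if (fits_build_skb(len)) build_skb_model(len);
    return next_page_intact();
}
```

A 4096-byte frame corrupts the neighbour page on the unchecked path and is diverted on the checked one; a 1500-byte frame is safe on both.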