From 8a57bfcd3f10dc67a037b95b7cfc1c2e862828c0 Mon Sep 17 00:00:00 2001
From: Michal Kubecek
Date: May 09 2023 05:21:29 +0000
Subject: net/sched: act_mirred: better wording on protection against excessive stack growth (CVE-2022-4269 bsc#1206024).
---
diff --git a/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch b/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
new file mode 100644
index 0000000..386477f
--- /dev/null
+++ b/patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
@@ -0,0 +1,81 @@
+From: Davide Caratti
+Date: Fri, 20 Jan 2023 18:01:39 +0100
+Subject: net/sched: act_mirred: better wording on protection against excessive stack growth
+Patch-mainline: v6.3-rc1
+Git-commit: 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f
+References: CVE-2022-4269 bsc#1206024
+
+with commit e2ca070f89ec ("net: sched: protect against stack overflow in
+TC act_mirred"), act_mirred protected itself against excessive stack growth
+using per_cpu counter of nested calls to tcf_mirred_act(), and capping it
+to MIRRED_RECURSION_LIMIT. However, such protection does not detect
+recursion/loops in case the packet is enqueued to the backlog (for example,
+when the mirred target device has RPS or skb timestamping enabled). Change
+the wording from "recursion" to "nesting" to make it more clear to readers.
+
+CC: Jamal Hadi Salim
+Signed-off-by: Davide Caratti
+Reviewed-by: Marcelo Ricardo Leitner
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Paolo Abeni
+Acked-by: Michal Kubecek
+
+---
+ net/sched/act_mirred.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/net/sched/act_mirred.c
++++ b/net/sched/act_mirred.c
+@@ -27,8 +27,8 @@
+ static LIST_HEAD(mirred_list);
+ static DEFINE_SPINLOCK(mirred_list_lock);
+
+-#define MIRRED_RECURSION_LIMIT 4
+-static DEFINE_PER_CPU(unsigned int, mirred_rec_level);
++#define MIRRED_NEST_LIMIT 4
++static DEFINE_PER_CPU(unsigned int, mirred_nest_level);
+
+ static bool tcf_mirred_is_act_redirect(int action)
+ {
+@@ -226,7 +226,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ struct sk_buff *skb2 = skb;
+ bool m_mac_header_xmit;
+ struct net_device *dev;
+- unsigned int rec_level;
++ unsigned int nest_level;
+ int retval, err = 0;
+ bool use_reinsert;
+ bool want_ingress;
+@@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ int mac_len;
+ bool at_nh;
+
+- rec_level = __this_cpu_inc_return(mirred_rec_level);
+- if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) {
++ nest_level = __this_cpu_inc_return(mirred_nest_level);
++ if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
+ net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
+ netdev_name(skb->dev));
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_SHOT;
+ }
+
+@@ -304,7 +304,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ err = tcf_mirred_forward(res->ingress, skb);
+ if (err)
+ tcf_action_inc_overlimit_qstats(&m->common);
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+ return TC_ACT_CONSUMED;
+ }
+ }
+@@ -316,7 +316,7 @@ static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
+ if (tcf_mirred_is_act_redirect(m_eaction))
+ retval = TC_ACT_SHOT;
+ }
+- __this_cpu_dec(mirred_rec_level);
++ __this_cpu_dec(mirred_nest_level);
+
+ return retval;
+ }
diff --git a/series.conf b/series.conf
index 36e09da..570fb14 100644
--- a/series.conf
+++ b/series.conf
@@ -23096,6 +23096,7 @@
 patches.suse/net-sched-tcindex-update-imperfect-hash-filters-resp.patch
 patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch
 patches.suse/0001-kvm-initialize-all-of-the-kvm_debugregs-structure-be.patch
+ patches.suse/net-sched-act_mirred-better-wording-on-protection-ag.patch
 patches.suse/net-add-sock_init_data_uid.patch
 patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch
 patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch
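Review bot: The warning text in the inner `@@ -236,11 +236,11 @@` hunk of the added patch file still reads `"Packet exceeded mirred recursion limit on dev %s\n"` although the counter and cap it reports on are now `mirred_nest_level` and `MIRRED_NEST_LIMIT`; if the string is kept on purpose so that existing log matching keeps working, a short comment next to it should say so. The renamed define also carries no comment, and the limitation described in the commit message is worth recording there, for example `/* caps nested tcf_mirred_act() calls per CPU; loops that go through the backlog are not counted */`. Every changed line is a rename, so this entry by itself does not appear to change behaviour for CVE-2022-4269, and whatever functional change the reference relies on is not visible on this page. The body of tcf_mirred_act() is only partly visible in the inner hunks.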