linux-stable/include/linux/textsearch.h
Willem de Bruijn b228c9b058 net: expand textsearch ts_state to fit skb_seq_state
The referenced commit expands the skb_seq_state used by
skb_find_text with a 4B frag_off field, growing it to 48B.

This exceeds container ts_state->cb, causing a stack corruption:

[   73.238353] Kernel panic - not syncing: stack-protector: Kernel stack
is corrupted in: skb_find_text+0xc5/0xd0
[   73.247384] CPU: 1 PID: 376 Comm: nping Not tainted 5.11.0+ #4
[   73.252613] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.14.0-2 04/01/2014
[   73.260078] Call Trace:
[   73.264677]  dump_stack+0x57/0x6a
[   73.267866]  panic+0xf6/0x2b7
[   73.270578]  ? skb_find_text+0xc5/0xd0
[   73.273964]  __stack_chk_fail+0x10/0x10
[   73.277491]  skb_find_text+0xc5/0xd0
[   73.280727]  string_mt+0x1f/0x30
[   73.283639]  ipt_do_table+0x214/0x410

The struct is passed between skb_find_text and its callbacks
skb_prepare_seq_read, skb_seq_read and skb_abort_seq_read through
the textsearch interface using TS_SKB_CB.

I assumed that this mapped to skb->cb like other .._SKB_CB wrappers.
skb->cb is 48B. But it maps to ts_state->cb, which is only 40B.

skb->cb was increased from 40B to 48B after ts_state was introduced,
in commit 3e3850e989 ("[NETFILTER]: Fix xfrm lookup in
ip_route_me_harder/ip6_route_me_harder").

Increase ts_state.cb[] to 48 to fit the struct.

Also add a BUILD_BUG_ON to avoid a repeat.

The alternative is to directly add a dependency from textsearch onto
linux/skbuff.h, but I think the intent is textsearch to have no such
dependencies on its callers.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=211911
Fixes: 97550f6fa5 ("net: compound page support in skb_seq_read")
Reported-by: Kris Karas <bugs-a17@moonlit-rail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-03-01 15:25:24 -08:00


/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __LINUX_TEXTSEARCH_H
#define __LINUX_TEXTSEARCH_H
#include <linux/types.h>
#include <linux/list.h>
#include <linux/kernel.h>
#include <linux/err.h>
#include <linux/slab.h>
/* Opaque here: only pointers to these are handed around by this header. */
struct module;
struct ts_config;

/*
 * Flag bits carried in ts_config.flags; presumably the trailing int of
 * textsearch_prepare() / ts_ops.init (confirm against lib/textsearch.c).
 */
#define TS_AUTOLOAD	1 /* Automatically load textsearch modules when needed */
#define TS_IGNORECASE	2 /* Searches string case insensitively */
/**
 * struct ts_state - search state
 * @offset: offset for next match
 * @cb: control buffer, for persistent variables of get_next_block()
 *
 * @cb is scratch space owned by the caller's get_next_block()
 * implementation and typically lives on the caller's stack. It must be
 * large enough for the biggest state any user stores in it: skb_find_text()
 * keeps an skb_seq_state here, and when that struct outgrew @cb the result
 * was a stack-protector panic. Nothing in this header can verify the fit
 * without depending on its callers, so the size check (a BUILD_BUG_ON)
 * lives with the user, not here. Anyone storing a new type in @cb is
 * expected to add the same kind of compile-time check.
 */
struct ts_state
{
	unsigned int	offset;
	/* 48 bytes: sized to fit skb_seq_state, the largest known user. */
	char		cb[48];
};
/**
 * struct ts_ops - search module operations
 * @name: name of search algorithm
 * @init: initialization function to prepare a search
 * @find: find the next occurrence of the pattern
 * @destroy: destroy algorithm specific parts of a search configuration
 * @get_pattern: return head of pattern
 * @get_pattern_len: return length of pattern
 * @owner: module reference to algorithm
 * @list: linkage in the registry maintained by textsearch_register()
 *
 * @init receives the same trailing arguments as textsearch_prepare():
 * presumably pattern, pattern length, gfp mask and TS_* flags (confirm
 * against lib/textsearch.c). @find is driven by textsearch_next() and
 * reports a position or UINT_MAX for no match.
 */
struct ts_ops
{
	const char		*name;
	struct ts_config *	(*init)(const void *, unsigned int, gfp_t, int);
	unsigned int		(*find)(struct ts_config *,
					struct ts_state *);
	void			(*destroy)(struct ts_config *);
	void *			(*get_pattern)(struct ts_config *);
	unsigned int		(*get_pattern_len)(struct ts_config *);
	struct module		*owner;
	struct list_head	list;
};
/**
 * struct ts_config - search configuration
 * @ops: operations of chosen algorithm
 * @flags: flags
 * @get_next_block: callback to fetch the next block to search in
 * @finish: callback to finalize a search
 *
 * Allocated by alloc_ts_config(); algorithm-private data follows the
 * struct in the same allocation and is reached via ts_config_priv().
 */
struct ts_config
{
	struct ts_ops		*ops;
	int 			flags;

	/**
	 * @get_next_block: fetch next block of data
	 * @consumed: number of bytes consumed by the caller
	 * @dst: destination buffer
	 * @conf: search configuration
	 * @state: search state
	 *
	 * Called repeatedly until 0 is returned. Must assign the
	 * head of the next block of data to &*dst and return the length
	 * of the block or 0 if at the end. consumed == 0 indicates
	 * a new search. May store/read persistent values in state->cb.
	 *
	 * Whatever is kept in state->cb must fit its fixed size
	 * (sizeof(struct ts_state.cb), currently 48 bytes); an
	 * implementation that stores a larger object overruns the caller's
	 * struct ts_state, which usually means stack corruption. Check the
	 * size at compile time in the implementation.
	 */
	unsigned int		(*get_next_block)(unsigned int consumed,
						  const u8 **dst,
						  struct ts_config *conf,
						  struct ts_state *state);

	/**
	 * @finish: finalize/clean a series of get_next_block() calls
	 * @conf: search configuration
	 * @state: search state
	 *
	 * Called after the last use of get_next_block(), may be used
	 * to cleanup any leftovers. Optional: textsearch_next() skips it
	 * when NULL.
	 */
	void			(*finish)(struct ts_config *conf,
					  struct ts_state *state);
};
/**
 * textsearch_next - continue searching for a pattern
 * @conf: search configuration
 * @state: search state
 *
 * Resumes a search started by textsearch_find(), which must have been
 * called first so that @state is reset. The algorithm's find() callback
 * does the work; if the configuration carries a finish() callback it is
 * invoked afterwards so get_next_block() can clean up any leftovers.
 *
 * Returns the position of the next occurrence of the pattern or
 * UINT_MAX if no match was found.
 */
static inline unsigned int textsearch_next(struct ts_config *conf,
					   struct ts_state *state)
{
	const struct ts_ops *ops = conf->ops;
	unsigned int pos;

	pos = ops->find(conf, state);

	/* finish() is optional; only call it when the config provides one. */
	if (conf->finish)
		conf->finish(conf, state);

	return pos;
}
/**
 * textsearch_find - start searching for a pattern
 * @conf: search configuration
 * @state: search state
 *
 * Resets @state so the search begins at the start of the data and then
 * hands off to textsearch_next() for the first match.
 *
 * Returns the position of first occurrence of the pattern or
 * UINT_MAX if no match was found.
 */
static inline unsigned int textsearch_find(struct ts_config *conf,
					   struct ts_state *state)
{
	/* A fresh search always starts at offset zero. */
	state->offset = 0;

	return textsearch_next(conf, state);
}
/**
 * textsearch_get_pattern - return head of the pattern
 * @conf: search configuration
 *
 * Thin dispatch to the chosen algorithm's get_pattern() operation.
 */
static inline void *textsearch_get_pattern(struct ts_config *conf)
{
	struct ts_ops *ops = conf->ops;

	return ops->get_pattern(conf);
}
/**
 * textsearch_get_pattern_len - return length of the pattern
 * @conf: search configuration
 *
 * Thin dispatch to the chosen algorithm's get_pattern_len() operation.
 */
static inline unsigned int textsearch_get_pattern_len(struct ts_config *conf)
{
	struct ts_ops *ops = conf->ops;

	return ops->get_pattern_len(conf);
}
/* Algorithm registry; called from a search module's init/exit paths. */
extern int textsearch_register(struct ts_ops *);
extern int textsearch_unregister(struct ts_ops *);

/*
 * Build a configuration for the algorithm named by the first argument.
 * The trailing arguments are forwarded to ts_ops.init; presumably pattern,
 * pattern length, gfp mask and TS_* flags (confirm against lib/textsearch.c).
 */
extern struct ts_config *textsearch_prepare(const char *, const void *,
					    unsigned int, gfp_t, int);
extern void textsearch_destroy(struct ts_config *conf);

/* Name suggests a search over one contiguous buffer; verify in lib/textsearch.c. */
extern unsigned int textsearch_find_continuous(struct ts_config *,
					       struct ts_state *,
					       const void *, unsigned int);

/*
 * Algorithm-private data is placed directly after struct ts_config in the
 * same allocation (see alloc_ts_config()/ts_config_priv()); the struct size
 * is rounded up so that area starts 8-byte aligned.
 */
#define TS_PRIV_ALIGNTO	8
#define TS_PRIV_ALIGN(len) (((len) + TS_PRIV_ALIGNTO-1) & ~(TS_PRIV_ALIGNTO-1))
/**
 * alloc_ts_config - allocate a search configuration plus private payload
 * @payload: bytes of algorithm-private data to reserve after the struct
 * @gfp_mask: allocation flags
 *
 * The private area begins at TS_PRIV_ALIGN(sizeof(struct ts_config)) and
 * is reachable through ts_config_priv(). The whole allocation is zeroed.
 * The size sum is not overflow-checked; callers pass small, pattern-sized
 * payloads (presumably bounded by the algorithm module -- confirm there).
 *
 * Returns the new configuration or ERR_PTR(-ENOMEM).
 */
static inline struct ts_config *alloc_ts_config(size_t payload,
						gfp_t gfp_mask)
{
	size_t size = TS_PRIV_ALIGN(sizeof(struct ts_config)) + payload;
	struct ts_config *conf = kzalloc(size, gfp_mask);

	return conf ? conf : ERR_PTR(-ENOMEM);
}
/**
 * ts_config_priv - locate the algorithm-private data of a configuration
 * @conf: configuration allocated with alloc_ts_config()
 *
 * Returns the start of the aligned area reserved right after the struct.
 */
static inline void *ts_config_priv(struct ts_config *conf)
{
	u8 *base = (u8 *) conf;

	return base + TS_PRIV_ALIGN(sizeof(*conf));
}
#endif