The referenced commit expands the skb_seq_state used by skb_find_text with a 4B frag_off field, growing it to 48B. This exceeds container ts_state->cb, causing a stack corruption: [ 73.238353] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: skb_find_text+0xc5/0xd0 [ 73.247384] CPU: 1 PID: 376 Comm: nping Not tainted 5.11.0+ #4 [ 73.252613] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 [ 73.260078] Call Trace: [ 73.264677] dump_stack+0x57/0x6a [ 73.267866] panic+0xf6/0x2b7 [ 73.270578] ? skb_find_text+0xc5/0xd0 [ 73.273964] __stack_chk_fail+0x10/0x10 [ 73.277491] skb_find_text+0xc5/0xd0 [ 73.280727] string_mt+0x1f/0x30 [ 73.283639] ipt_do_table+0x214/0x410 The struct is passed between skb_find_text and its callbacks skb_prepare_seq_read, skb_seq_read and skb_abort_seq_read through the textsearch interface using TS_SKB_CB. I assumed that this mapped to skb->cb like other .._SKB_CB wrappers. skb->cb is 48B. But it maps to ts_state->cb, which is only 40B. skb->cb was increased from 40B to 48B after ts_state was introduced, in commit 3e3850e989c5 ("[NETFILTER]: Fix xfrm lookup in ip_route_me_harder/ip6_route_me_harder"). Increase ts_state.cb[] to 48 to fit the struct. Also add a BUILD_BUG_ON to avoid a repeat. The alternative is to directly add a dependency from textsearch onto linux/skbuff.h, but I think the intent is textsearch to have no such dependencies on its callers. Link: https://bugzilla.kernel.org/show_bug.cgi?id=211911 Fixes: 97550f6fa592 ("net: compound page support in skb_seq_read") Reported-by: Kris Karas <bugs-a17@moonlit-rail.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __LINUX_TEXTSEARCH_H
#define __LINUX_TEXTSEARCH_H
#include <linux/types.h>
#include <linux/list.h>
#include <linux/kernel.h>
#include <linux/err.h>
#include <linux/slab.h>
struct module;
struct ts_config;
/*
 * Search flags. Presumably passed as the trailing int argument of
 * textsearch_prepare() and kept in ts_config.flags - confirm against
 * the textsearch core.
 */
#define TS_AUTOLOAD 1 /* Automatically load textsearch modules when needed */
#define TS_IGNORECASE 2 /* Searches string case insensitively */
/**
 * struct ts_state - search state
 * @offset: offset for next match
 * @cb: control buffer, for persistent variables of get_next_block()
 *
 * A caller's get_next_block() implementation may keep its own private
 * struct in @cb, so @cb must be at least as large as the largest such
 * struct. The skb_find_text() path stores a 48-byte skb_seq_state here;
 * its container size is expected to be enforced by a BUILD_BUG_ON in the
 * caller rather than by a dependency from this header on linux/skbuff.h.
 */
struct ts_state
{
	unsigned int offset;
	/*
	 * 48, not 40: sized to hold skb_seq_state (skb->cb-sized). Shrinking
	 * this overflows the stack of textsearch users such as skb_find_text().
	 */
	char cb[48];
};
/**
 * struct ts_ops - search module operations
 * @name: name of search algorithm
 * @init: initialization function to prepare a search
 * @find: find the next occurrence of the pattern
 * @destroy: destroy algorithm specific parts of a search configuration
 * @get_pattern: return head of pattern
 * @get_pattern_len: return length of pattern
 * @owner: module reference to algorithm
 * @list: list node; presumably links registered algorithms
 *        (see textsearch_register()/textsearch_unregister())
 */
struct ts_ops
{
	const char *name;
	/*
	 * Arguments presumably mirror the tail of textsearch_prepare():
	 * pattern, pattern length, gfp mask, TS_* flags - confirm against
	 * the textsearch core.
	 */
	struct ts_config * (*init)(const void *, unsigned int, gfp_t, int);
	/*
	 * Returns the match position, or UINT_MAX when there is no match;
	 * textsearch_next() hands this value straight back to the caller.
	 */
	unsigned int (*find)(struct ts_config *,
			     struct ts_state *);
	void (*destroy)(struct ts_config *);
	void * (*get_pattern)(struct ts_config *);
	unsigned int (*get_pattern_len)(struct ts_config *);
	struct module *owner;
	struct list_head list;
};
/**
 * struct ts_config - search configuration
 * @ops: operations of chosen algorithm
 * @flags: TS_* flags (TS_AUTOLOAD, TS_IGNORECASE); presumably the int
 *         given to textsearch_prepare() - confirm against the core
 * @get_next_block: callback to fetch the next block to search in
 * @finish: callback to finalize a search
 *
 * Algorithm-private data is allocated directly behind this struct by
 * alloc_ts_config() and reached through ts_config_priv().
 */
struct ts_config
{
	struct ts_ops *ops;
	int flags;

	/**
	 * @get_next_block: fetch next block of data
	 * @consumed: number of bytes consumed by the caller
	 * @dst: destination buffer
	 * @conf: search configuration
	 * @state: search state
	 *
	 * Called repeatedly until 0 is returned. Must assign the
	 * head of the next block of data to &*dst and return the length
	 * of the block or 0 if at the end. consumed == 0 indicates
	 * a new search. May store/read persistent values in state->cb.
	 * Anything kept in state->cb must fit in its 48 bytes (see
	 * struct ts_state); larger private state corrupts the caller's
	 * stack.
	 */
	unsigned int (*get_next_block)(unsigned int consumed,
				       const u8 **dst,
				       struct ts_config *conf,
				       struct ts_state *state);

	/**
	 * @finish: finalize/clean a series of get_next_block() calls
	 * @conf: search configuration
	 * @state: search state
	 *
	 * Called after the last use of get_next_block(), may be used
	 * to cleanup any leftovers. Optional: textsearch_next() only
	 * invokes it when non-NULL.
	 */
	void (*finish)(struct ts_config *conf,
		       struct ts_state *state);
};
/**
 * textsearch_next - continue searching for a pattern
 * @conf: search configuration
 * @state: search state
 *
 * Continues a search looking for more occurrences of the pattern.
 * textsearch_find() must be called to find the first occurrence
 * in order to reset the state.
 *
 * Returns the position of the next occurrence of the pattern or
 * UINT_MAX if no match was found.
 */
static inline unsigned int textsearch_next(struct ts_config *conf,
					   struct ts_state *state)
{
	unsigned int pos = conf->ops->find(conf, state);

	/* Optional hook; lets the data provider clean up after get_next_block(). */
	if (conf->finish != NULL)
		conf->finish(conf, state);

	return pos;
}
/**
 * textsearch_find - start searching for a pattern
 * @conf: search configuration
 * @state: search state
 *
 * Resets @state so the search starts at offset 0, then performs the
 * same find()/finish() sequence as textsearch_next().
 *
 * Returns the position of first occurrence of the pattern or
 * UINT_MAX if no match was found.
 */
static inline unsigned int textsearch_find(struct ts_config *conf,
					   struct ts_state *state)
{
	unsigned int pos;

	/* A fresh search always begins at the start of the data. */
	state->offset = 0;

	pos = conf->ops->find(conf, state);
	if (conf->finish != NULL)
		conf->finish(conf, state);

	return pos;
}
/**
 * textsearch_get_pattern - return head of the pattern
 * @conf: search configuration
 *
 * Thin wrapper around the algorithm's get_pattern() operation.
 */
static inline void *textsearch_get_pattern(struct ts_config *conf)
{
	struct ts_ops *ops = conf->ops;

	return ops->get_pattern(conf);
}
/**
 * textsearch_get_pattern_len - return length of the pattern
 * @conf: search configuration
 *
 * Thin wrapper around the algorithm's get_pattern_len() operation.
 */
static inline unsigned int textsearch_get_pattern_len(struct ts_config *conf)
{
	struct ts_ops *ops = conf->ops;

	return ops->get_pattern_len(conf);
}
/* Add/remove a search algorithm; both take the algorithm's struct ts_ops. */
extern int textsearch_register(struct ts_ops *);
extern int textsearch_unregister(struct ts_ops *);
/*
 * Build a search configuration for the algorithm named by the first
 * argument. The remaining arguments presumably mirror ts_ops.init():
 * pattern, pattern length, gfp mask, TS_* flags - confirm against the
 * textsearch core. Pair with textsearch_destroy().
 */
extern struct ts_config *textsearch_prepare(const char *, const void *,
					    unsigned int, gfp_t, int);
extern void textsearch_destroy(struct ts_config *conf);
/*
 * Presumably searches one contiguous buffer (pointer, length) without a
 * caller-supplied get_next_block() - confirm against the textsearch core.
 */
extern unsigned int textsearch_find_continuous(struct ts_config *,
					       struct ts_state *,
					       const void *, unsigned int);
/*
 * Algorithm-private data is placed directly behind struct ts_config;
 * TS_PRIV_ALIGN() rounds the header size up to a TS_PRIV_ALIGNTO-byte
 * boundary so alloc_ts_config() and ts_config_priv() agree on where it starts.
 */
#define TS_PRIV_ALIGNTO 8
#define TS_PRIV_ALIGN(len) (((len) + TS_PRIV_ALIGNTO-1) & ~(TS_PRIV_ALIGNTO-1))
/**
 * alloc_ts_config - allocate a zeroed search configuration plus private area
 * @payload: bytes of algorithm-private data to reserve behind the struct
 * @gfp_mask: allocation flags handed to kzalloc()
 *
 * The header is padded to TS_PRIV_ALIGNTO so the payload lands exactly
 * where ts_config_priv() expects it.
 *
 * Returns the new configuration or ERR_PTR(-ENOMEM) if the allocation
 * failed.
 */
static inline struct ts_config *alloc_ts_config(size_t payload,
						gfp_t gfp_mask)
{
	size_t total = TS_PRIV_ALIGN(sizeof(struct ts_config)) + payload;
	struct ts_config *conf = kzalloc(total, gfp_mask);

	return conf ? conf : ERR_PTR(-ENOMEM);
}
/**
 * ts_config_priv - locate the algorithm-private area of a configuration
 * @conf: search configuration created by alloc_ts_config()
 *
 * Returns a pointer just past the TS_PRIV_ALIGN()-padded struct, i.e. the
 * start of the @payload region reserved by alloc_ts_config().
 */
static inline void *ts_config_priv(struct ts_config *conf)
{
	u8 *base = (u8 *)conf;

	return base + TS_PRIV_ALIGN(sizeof(*conf));
}
#endif