[linux] 01/01: macsec: dynamically allocate space for sglist
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Apr 27 05:43:08 UTC 2017
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch sid
in repository linux.
commit 6771be113806a762fae4a6c3ca0ad3d5d1ef303e
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Thu Apr 27 07:40:44 2017 +0200
macsec: dynamically allocate space for sglist
---
debian/changelog | 1 +
...sec-dynamically-allocate-space-for-sglist.patch | 117 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 119 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index d9552c1..8465536 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -347,6 +347,7 @@ linux (4.9.24-1) UNRELEASED; urgency=medium
[ Salvatore Bonaccorso ]
* ping: implement proper locking (CVE-2017-2671)
* macsec: avoid heap overflow in skb_to_sgvec (CVE-2017-7477)
+ * macsec: dynamically allocate space for sglist
[ Aurelien Jarno ]
* [mips*/octeon] Drop obsolete patch adding support for the UBNT E200
diff --git a/debian/patches/bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch b/debian/patches/bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
new file mode 100644
index 0000000..da947b7
--- /dev/null
+++ b/debian/patches/bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
@@ -0,0 +1,117 @@
+From: "Jason A. Donenfeld" <Jason at zx2c4.com>
+Date: Tue, 25 Apr 2017 19:08:18 +0200
+Subject: macsec: dynamically allocate space for sglist
+Origin: https://git.kernel.org/linus/5294b83086cc1c35b4efeca03644cf9d12282e5b
+
+We call skb_cow_data, which is good anyway to ensure we can actually
+modify the skb as such (another error from prior). Now that we have the
+number of fragments required, we can safely allocate exactly that amount
+of memory.
+
+Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver")
+Signed-off-by: Jason A. Donenfeld <Jason at zx2c4.com>
+Acked-by: Sabrina Dubroca <sd at queasysnail.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ drivers/net/macsec.c | 29 ++++++++++++++++++++++-------
+ 1 file changed, 22 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
+index dbab05a..49ce4e9 100644
+--- a/drivers/net/macsec.c
++++ b/drivers/net/macsec.c
+@@ -617,7 +617,8 @@ static void macsec_encrypt_done(struct crypto_async_request *base, int err)
+
+ static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
+ unsigned char **iv,
+- struct scatterlist **sg)
++ struct scatterlist **sg,
++ int num_frags)
+ {
+ size_t size, iv_offset, sg_offset;
+ struct aead_request *req;
+@@ -629,7 +630,7 @@ static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
+
+ size = ALIGN(size, __alignof__(struct scatterlist));
+ sg_offset = size;
+- size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
++ size += sizeof(struct scatterlist) * num_frags;
+
+ tmp = kmalloc(size, GFP_ATOMIC);
+ if (!tmp)
+@@ -649,6 +650,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
+ {
+ int ret;
+ struct scatterlist *sg;
++ struct sk_buff *trailer;
+ unsigned char *iv;
+ struct ethhdr *eth;
+ struct macsec_eth_header *hh;
+@@ -723,7 +725,14 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
+ return ERR_PTR(-EINVAL);
+ }
+
+- req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg);
++ ret = skb_cow_data(skb, 0, &trailer);
++ if (unlikely(ret < 0)) {
++ macsec_txsa_put(tx_sa);
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
++
++ req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
+ if (!req) {
+ macsec_txsa_put(tx_sa);
+ kfree_skb(skb);
+@@ -732,7 +741,7 @@ static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
+
+ macsec_fill_iv(iv, secy->sci, pn);
+
+- sg_init_table(sg, MAX_SKB_FRAGS + 1);
++ sg_init_table(sg, ret);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (tx_sc->encrypt) {
+@@ -917,6 +926,7 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ {
+ int ret;
+ struct scatterlist *sg;
++ struct sk_buff *trailer;
+ unsigned char *iv;
+ struct aead_request *req;
+ struct macsec_eth_header *hdr;
+@@ -927,7 +937,12 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ if (!skb)
+ return ERR_PTR(-ENOMEM);
+
+- req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg);
++ ret = skb_cow_data(skb, 0, &trailer);
++ if (unlikely(ret < 0)) {
++ kfree_skb(skb);
++ return ERR_PTR(ret);
++ }
++ req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
+ if (!req) {
+ kfree_skb(skb);
+ return ERR_PTR(-ENOMEM);
+@@ -936,7 +951,7 @@ static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
+ hdr = (struct macsec_eth_header *)skb->data;
+ macsec_fill_iv(iv, sci, ntohl(hdr->packet_number));
+
+- sg_init_table(sg, MAX_SKB_FRAGS + 1);
++ sg_init_table(sg, ret);
+ skb_to_sgvec(skb, sg, 0, skb->len);
+
+ if (hdr->tci_an & MACSEC_TCI_E) {
+@@ -2716,7 +2731,7 @@ static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
+ }
+
+ #define MACSEC_FEATURES \
+- (NETIF_F_SG | NETIF_F_HIGHDMA)
++ (NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
+ static struct lock_class_key macsec_netdev_addr_lock_key;
+
+ static int macsec_dev_init(struct net_device *dev)
+--
+2.1.4
+
diff --git a/debian/patches/series b/debian/patches/series
index ca0b6f5..47b1db7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -111,6 +111,7 @@ bugfix/all/ping-implement-proper-locking.patch
bugfix/all/keys-disallow-keyrings-beginning-with-.-to-be-joined.patch
bugfix/all/keys-fix-keyctl_set_reqkey_keyring-to-not-leak-threa.patch
bugfix/all/macsec-avoid-heap-overflow-in-skb_to_sgvec.patch
+bugfix/all/macsec-dynamically-allocate-space-for-sglist.patch
# Fix exported symbol versions
bugfix/ia64/revert-ia64-move-exports-to-definitions.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes
mailing list