mainline inclusion
from mainline-v6.12-rc6
commit 9ab5cf19fb0e4680f95e506d6c544259bf1111c4
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAY2B4
CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Configuring a small gso_max_size/gso_ipv4_max_size will lead to an underflow in sk_dst_gso_max_size(), which may trigger a BUG_ON crash, because sk->sk_gso_max_size would be much bigger than device limits.

Call Trace:
tcp_write_xmit
    tso_segs = tcp_init_tso_segs(skb, mss_now);
        tcp_set_skb_tso_segs
            tcp_skb_pcount_set
                // skb->len = 524288, mss_now = 8
                // u16 tso_segs = 524288/8 = 65535 -> 0
                tso_segs = DIV_ROUND_UP(skb->len, mss_now)
    BUG_ON(!tso_segs)

Add check for the minimum value of gso_max_size and gso_ipv4_max_size.
Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")

Conflicts:
    net/core/rtnetlink.c
[conflicts due to not merged 3e48be05f3c7 ("netlink: add attribute range validation to policy"), conflicts due to not merged 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")]

Signed-off-by: Wang Liang <wangliang74@huawei.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241023035213.517386-1-wangliang74@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
---
 net/core/rtnetlink.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c index 9209623ab644..c66f60941e5b 100644 --- a/net/core/rtnetlink.c +++ b/net/core/rtnetlink.c @@ -2072,6 +2072,11 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[]) if (tb[IFLA_BROADCAST] && nla_len(tb[IFLA_BROADCAST]) < dev->addr_len) return -EINVAL; + + if (tb[IFLA_GSO_MAX_SIZE] && + (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) { + return -EINVAL; + } }
if (tb[IFLA_AF_SPEC]) {
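Review bot: The new IFLA_GSO_MAX_SIZE check in validate_linkmsg() sits inside the block that closes on the line right after it, next to the IFLA_BROADCAST check that reads dev->addr_len, although the new check itself never uses dev. The Fixes tag names the device-creation path, so please confirm that this block is reached there; if the block is conditional on dev, moving the check outside it would also cover requests where dev is not set. The commit message says the minimum is checked for both gso_max_size and gso_ipv4_max_size, while only IFLA_GSO_MAX_SIZE is tested here; the Conflicts note explains why, but one sentence in the message stating that this tree has no IPv4 attribute would avoid confusion. On style, the braces around the single return and the extra parentheses around the comparison can be dropped, and a short comment on why MAX_TCP_HEADER + 1 is the lower bound would help the next reader.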