macvtap: zerocopy: validate vectors before building skb

There're several reasons that the vectors need to be validated: - Return error when caller provides vectors whose num is greater than UIO_MAXIOV. - Linearize part of skb when userspace provides vectors grater than MAX_SKB_FRAGS. - Return error when userspace provides vectors whose total length may exceed - MAX_SKB_FRAGS * PAGE_SIZE. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
author: Jason Wang <jasowang@redhat.com> 2012-05-01 23:42:15 -0400
committer: Michael S. Tsirkin <mst@redhat.com> 2012-05-02 11:22:21 -0400
commit: b92946e2919134ebe2a4083e4302236295ea2a73 (patch)
tree: 46887b70dd309f7bdd358f32b47b0aee766788d3 /drivers/net/macvtap.c
parent: 01d6657b388438def19c8baaea28e742b6ed32ec (diff)
1 files changed, 21 insertions, 4 deletions
diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
index a4ff694cea22..163559c16988 100644
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -529,9 +529,10 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from,
                }
                base = (unsigned long)from->iov_base + offset;
                size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT;
+                if (i + size > MAX_SKB_FRAGS)
+                        return -EMSGSIZE;
                num_pages = get_user_pages_fast(base, size, 0, &page[i]);
-                if ((num_pages != size) ||
+                if (num_pages != size) {
-                    (num_pages > MAX_SKB_FRAGS - skb_shinfo(skb)->nr_frags)) {
                        for (i = 0; i < num_pages; i++)
                                put_page(page[i]);
                        return -EFAULT;
@@ -651,7 +652,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
        int err;
        struct virtio_net_hdr vnet_hdr = { 0 };
        int vnet_hdr_len = 0;
-        int copylen;
+        int copylen = 0;
        bool zerocopy = false;
        if (q->flags & IFF_VNET_HDR) {
@@ -680,15 +681,31 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m,
        if (unlikely(len < ETH_HLEN))
                goto err;
+        err = -EMSGSIZE;
+        if (unlikely(count > UIO_MAXIOV))
+                goto err;
        if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY))
                zerocopy = true;
        if (zerocopy) {
+                /* Userspace may produce vectors with count greater than
+                 * MAX_SKB_FRAGS, so we need to linearize parts of the skb
+                 * to let the rest of data to be fit in the frags.
+                 */
+                if (count > MAX_SKB_FRAGS) {
+                        copylen = iov_length(iv, count - MAX_SKB_FRAGS);
+                        if (copylen < vnet_hdr_len)
+                                copylen = 0;
+                        else
+                                copylen -= vnet_hdr_len;
+                }
                /* There are 256 bytes to be copied in skb, so there is enough
                 * room for skb expand head in case it is used.
                 * The rest buffer is mapped from userspace.
                 */
-                copylen = vnet_hdr.hdr_len;
+                if (copylen < vnet_hdr.hdr_len)
+                        copylen = vnet_hdr.hdr_len;
                if (!copylen)
                        copylen = GOODCOPY_LEN;
        } else
author	Jason Wang <jasowang@redhat.com>	2012-05-01 23:42:15 -0400
committer	Michael S. Tsirkin <mst@redhat.com>	2012-05-02 11:22:21 -0400
commit	b92946e2919134ebe2a4083e4302236295ea2a73 (patch)
tree	46887b70dd309f7bdd358f32b47b0aee766788d3 /drivers/net/macvtap.c
parent	01d6657b388438def19c8baaea28e742b6ed32ec (diff)