From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 09/15] xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
Date: Fri, 29 May 2020 13:04:02 +0200 [thread overview]
Message-ID: <20200529110408.6349-10-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20200529110408.6349-1-steffen.klassert@secunet.com>
From: Xin Long <lucien.xin@gmail.com>
An use-after-free crash can be triggered when sending big packets over
vxlan over esp with esp offload enabled:
[] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
[] Call Trace:
[] dump_stack+0x75/0xa0
[] kasan_report+0x37/0x50
[] ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
[] ipv6_gso_segment+0x2c8/0x13c0
[] skb_mac_gso_segment+0x1cb/0x420
[] skb_udp_tunnel_segment+0x6b5/0x1c90
[] inet_gso_segment+0x440/0x1380
[] skb_mac_gso_segment+0x1cb/0x420
[] esp4_gso_segment+0xae8/0x1709 [esp4_offload]
[] inet_gso_segment+0x440/0x1380
[] skb_mac_gso_segment+0x1cb/0x420
[] __skb_gso_segment+0x2d7/0x5f0
[] validate_xmit_skb+0x527/0xb10
[] __dev_queue_xmit+0x10f8/0x2320 <---
[] ip_finish_output2+0xa2e/0x1b50
[] ip_output+0x1a8/0x2f0
[] xfrm_output_resume+0x110e/0x15f0
[] __xfrm4_output+0xe1/0x1b0
[] xfrm4_output+0xa0/0x200
[] iptunnel_xmit+0x5a7/0x920
[] vxlan_xmit_one+0x1658/0x37a0 [vxlan]
[] vxlan_xmit+0x5e4/0x3ec8 [vxlan]
[] dev_hard_start_xmit+0x125/0x540
[] __dev_queue_xmit+0x17bd/0x2320 <---
[] ip6_finish_output2+0xb20/0x1b80
[] ip6_output+0x1b3/0x390
[] ip6_xmit+0xb82/0x17e0
[] inet6_csk_xmit+0x225/0x3d0
[] __tcp_transmit_skb+0x1763/0x3520
[] tcp_write_xmit+0xd64/0x5fe0
[] __tcp_push_pending_frames+0x8c/0x320
[] tcp_sendmsg_locked+0x2245/0x3500
[] tcp_sendmsg+0x27/0x40
As on the tx path of vxlan over esp, skb->inner_network_header would be
set on vxlan_xmit() and xfrm4_tunnel_encap_add(), and the later one can
overwrite the former one. It causes skb_udp_tunnel_segment() to use a
wrong skb->inner_network_header, then the issue occurs.
This patch is to fix it by calling xfrm_output_gso() instead when the
inner_protocol is set, in which gso_segment of inner_protocol will be
done first.
While at it, also improve some code around.
Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_output.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 2fd3d990d992..69c33cab8f49 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -583,18 +583,20 @@ int xfrm_output(struct sock *sk, struct sk_buff *skb)
xfrm_state_hold(x);
if (skb_is_gso(skb)) {
- skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
+ if (skb->inner_protocol)
+ return xfrm_output_gso(net, sk, skb);
- return xfrm_output2(net, sk, skb);
+ skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
+ goto out;
}
if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM)
goto out;
+ } else {
+ if (skb_is_gso(skb))
+ return xfrm_output_gso(net, sk, skb);
}
- if (skb_is_gso(skb))
- return xfrm_output_gso(net, sk, skb);
-
if (skb->ip_summed == CHECKSUM_PARTIAL) {
err = skb_checksum_help(skb);
if (err) {
--
2.17.1
next prev parent reply other threads:[~2020-05-29 11:04 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-29 11:03 pull request (net): ipsec 2020-05-29 Steffen Klassert
2020-05-29 11:03 ` [PATCH 01/15] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input Steffen Klassert
2020-05-29 11:03 ` [PATCH 02/15] xfrm: do pskb_pull properly in __xfrm_transport_prep Steffen Klassert
2020-05-29 11:03 ` [PATCH 03/15] esp6: get the right proto for transport mode in esp6_gso_encap Steffen Klassert
2020-05-29 11:03 ` [PATCH 04/15] xfrm: remove the xfrm_state_put call becofe going to out_reset Steffen Klassert
2020-05-29 11:03 ` [PATCH 05/15] xfrm: fix error in comment Steffen Klassert
2020-05-29 11:03 ` [PATCH 06/15] xfrm: espintcp: save and call old ->sk_destruct Steffen Klassert
2020-05-29 11:04 ` [PATCH 07/15] esp6: support ipv6 nexthdrs process for beet gso segment Steffen Klassert
2020-05-29 11:04 ` [PATCH 08/15] esp4: " Steffen Klassert
2020-05-29 11:04 ` Steffen Klassert [this message]
2020-05-29 11:04 ` [PATCH 10/15] ip_vti: receive ipip packet by calling ip_tunnel_rcv Steffen Klassert
2020-05-29 11:04 ` [PATCH 11/15] xfrm interface: fix oops when deleting a x-netns interface Steffen Klassert
2020-05-29 11:04 ` [PATCH 12/15] esp6: calculate transport_header correctly when sel.family != AF_INET6 Steffen Klassert
2020-05-29 11:04 ` [PATCH 13/15] esp4: improve xfrm4_beet_gso_segment() to be more readable Steffen Klassert
2020-05-29 11:04 ` [PATCH 14/15] xfrm: fix a warning in xfrm_policy_insert_list Steffen Klassert
2020-05-29 11:04 ` [PATCH 15/15] xfrm: fix a NULL-ptr deref in xfrm_local_error Steffen Klassert
2020-05-29 20:06 ` pull request (net): ipsec 2020-05-29 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200529110408.6349-10-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.