From: Jakub Kicinski <kuba@kernel.org>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: netdev@vger.kernel.org, davem@davemloft.net, edumazet@google.com,
pabeni@redhat.com, Willem de Bruijn <willemb@google.com>,
syzbot <syzkaller@googlegroups.com>,
Alexander Duyck <alexander.duyck@gmail.com>
Subject: Re: [PATCH net] ip_gre: test csum_start instead of transport header
Date: Tue, 7 Jun 2022 17:18:21 -0700 [thread overview]
Message-ID: <20220607171821.74bc4f87@kernel.org> (raw)
In-Reply-To: <20220606132107.3582565-1-willemdebruijn.kernel@gmail.com>
On Mon, 6 Jun 2022 09:21:07 -0400 Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
>
> GRE with TUNNEL_CSUM will apply local checksum offload on
> CHECKSUM_PARTIAL packets.
>
> ipgre_xmit must validate csum_start after an optional skb_pull,
> else lco_csum may trigger an overflow. The original check was
>
> if (csum && skb_checksum_start(skb) < skb->data)
> return -EINVAL;
>
> This had false positives when skb_checksum_start is undefined:
> when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
> was straightforward
>
> if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
> skb_checksum_start(skb) < skb->data)
> return -EINVAL;
>
> But was eventually revised more thoroughly:
> - restrict the check to the only branch where needed, in an
> uncommon GRE path that uses header_ops and calls skb_pull.
> - test skb_transport_header, which is set along with csum_start
> in skb_partial_csum_set in the normal header_ops datapath.
>
> Turns out skbs can arrive in this branch without the transport
> header set, e.g., through BPF redirection.
>
> Revise the check back to check csum_start directly, and only if
> CHECKSUM_PARTIAL. Do leave the check in the updated location.
> Check field regardless of whether TUNNEL_CSUM is configured.
>
> Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/
> Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u
> Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull")
> Reported-by: syzbot <syzkaller@googlegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>
Missing a CC for Alex, adding now.
next prev parent reply other threads:[~2022-06-08 2:46 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-06 13:21 [PATCH net] ip_gre: test csum_start instead of transport header Willem de Bruijn
2022-06-07 17:33 ` Eric Dumazet
2022-06-08 0:18 ` Jakub Kicinski [this message]
2022-06-08 14:54 ` Alexander H Duyck
2022-06-09 3:40 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220607171821.74bc4f87@kernel.org \
--to=kuba@kernel.org \
--cc=alexander.duyck@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzkaller@googlegroups.com \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.