* [PATCH net] udp: prevent bugcheck if filter truncates packet too much
@ 2016-07-08 15:52 Michal Kubecek
2016-07-08 23:31 ` Eric Dumazet
2016-07-11 19:43 ` David Miller
From: Michal Kubecek @ 2016-07-08 15:52 UTC (permalink / raw)
To: David S. Miller
Cc: samanthakumar, Marco Grassi, netdev, linux-kernel,
Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
Patrick McHardy
If a socket filter truncates a UDP packet below the length of the UDP header
in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
kernel is configured that way) can be easily enforced by an unprivileged
user which was reported as CVE-2016-6162. For a reproducer, see
http://seclists.org/oss-sec/2016/q3/8
Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
---
net/ipv4/udp.c | 2 ++
net/ipv6/udp.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index ca5e8ea29538..4aed8fc23d32 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (sk_filter(sk, skb))
goto drop;
+ if (unlikely(skb->len < sizeof(struct udphdr)))
+ goto drop;
udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
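Review bot: the new length check after sk_filter() has no comment saying why it exists; a one-line comment above `if (unlikely(skb->len < sizeof(struct udphdr)))` such as `/* sk_filter() may have truncated the skb below the UDP header */` would tell the next reader that the guard protects the unconditional udp_csum_pull_header() call that follows (where skb_pull_rcsum() would otherwise hit its BUG_ON), rather than looking like a stray sanity check. Reusing the existing `goto drop` path keeps the accounting identical to a filter drop, which is reasonable here.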
diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
index 005dc82c2138..acc09705618b 100644
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
if (sk_filter(sk, skb))
goto drop;
+ if (unlikely(skb->len < sizeof(struct udphdr)))
+ goto drop;
udp_csum_pull_header(skb);
if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
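Review bot: this check is a byte-for-byte copy of the one added to udp_queue_rcv_skb() in net/ipv4/udp.c, and both sites call udp_csum_pull_header() immediately afterwards; consider moving the length check into that shared helper (or a small wrapper around it that reports failure) so the IPv4 and IPv6 receive paths cannot drift apart and any future caller is covered as well. If the check stays open-coded in both files, it deserves the same explanatory comment tying the drop to sk_filter() truncation.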
--
2.9.0
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-08 15:52 [PATCH net] udp: prevent bugcheck if filter truncates packet too much Michal Kubecek
@ 2016-07-08 23:31 ` Eric Dumazet
2016-07-09 0:20 ` Alexei Starovoitov
2016-07-11 19:43 ` David Miller
From: Eric Dumazet @ 2016-07-08 23:31 UTC (permalink / raw)
To: Michal Kubecek, Willem de Bruijn
Cc: David S. Miller, samanthakumar, Marco Grassi, netdev,
linux-kernel, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
Patrick McHardy
On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
> If socket filter truncates an udp packet below the length of UDP header
> in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
> BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
> kernel is configured that way) can be easily enforced by an unprivileged
> user which was reported as CVE-2016-6162. For a reproducer, see
> http://seclists.org/oss-sec/2016/q3/8
>
> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> Reported-by: Marco Grassi <marco.gra@gmail.com>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> ---
> net/ipv4/udp.c | 2 ++
> net/ipv6/udp.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> index ca5e8ea29538..4aed8fc23d32 100644
> --- a/net/ipv4/udp.c
> +++ b/net/ipv4/udp.c
> @@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
>
> if (sk_filter(sk, skb))
> goto drop;
> + if (unlikely(skb->len < sizeof(struct udphdr)))
> + goto drop;
>
> udp_csum_pull_header(skb);
> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> index 005dc82c2138..acc09705618b 100644
> --- a/net/ipv6/udp.c
> +++ b/net/ipv6/udp.c
> @@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
>
> if (sk_filter(sk, skb))
> goto drop;
> + if (unlikely(skb->len < sizeof(struct udphdr)))
> + goto drop;
>
> udp_csum_pull_header(skb);
> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
Arg :(
Acked-by: Eric Dumazet <edumazet@google.com>
Thanks !
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-08 23:31 ` Eric Dumazet
@ 2016-07-09 0:20 ` Alexei Starovoitov
2016-07-09 9:48 ` Daniel Borkmann
From: Alexei Starovoitov @ 2016-07-09 0:20 UTC (permalink / raw)
To: Eric Dumazet
Cc: Michal Kubecek, Willem de Bruijn, David S. Miller, samanthakumar,
Marco Grassi, netdev, linux-kernel, Alexey Kuznetsov,
James Morris, Hideaki YOSHIFUJI, Patrick McHardy
On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote:
> On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
> > If socket filter truncates an udp packet below the length of UDP header
> > in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
> > BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
> > kernel is configured that way) can be easily enforced by an unprivileged
> > user which was reported as CVE-2016-6162. For a reproducer, see
> > http://seclists.org/oss-sec/2016/q3/8
> >
> > Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> > Reported-by: Marco Grassi <marco.gra@gmail.com>
> > Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> > ---
> > net/ipv4/udp.c | 2 ++
> > net/ipv6/udp.c | 2 ++
> > 2 files changed, 4 insertions(+)
> >
> > diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> > index ca5e8ea29538..4aed8fc23d32 100644
> > --- a/net/ipv4/udp.c
> > +++ b/net/ipv4/udp.c
> > @@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> >
> > if (sk_filter(sk, skb))
> > goto drop;
> > + if (unlikely(skb->len < sizeof(struct udphdr)))
> > + goto drop;
> >
> > udp_csum_pull_header(skb);
> > if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
> > diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> > index 005dc82c2138..acc09705618b 100644
> > --- a/net/ipv6/udp.c
> > +++ b/net/ipv6/udp.c
> > @@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> >
> > if (sk_filter(sk, skb))
> > goto drop;
> > + if (unlikely(skb->len < sizeof(struct udphdr)))
> > + goto drop;
> >
> > udp_csum_pull_header(skb);
> > if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
>
>
> Arg :(
>
> Acked-by: Eric Dumazet <edumazet@google.com>
This is an incomplete fix. Please do not apply. See discussion at security@kernel
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-09 0:20 ` Alexei Starovoitov
@ 2016-07-09 9:48 ` Daniel Borkmann
2016-07-09 10:43 ` Michal Kubecek
From: Daniel Borkmann @ 2016-07-09 9:48 UTC (permalink / raw)
To: Alexei Starovoitov, Eric Dumazet
Cc: Michal Kubecek, Willem de Bruijn, David S. Miller, samanthakumar,
Marco Grassi, netdev, linux-kernel, Alexey Kuznetsov,
James Morris, Hideaki YOSHIFUJI, Patrick McHardy
On 07/09/2016 02:20 AM, Alexei Starovoitov wrote:
> On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote:
>> On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
>>> If socket filter truncates an udp packet below the length of UDP header
>>> in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
>>> BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
>>> kernel is configured that way) can be easily enforced by an unprivileged
>>> user which was reported as CVE-2016-6162. For a reproducer, see
>>> http://seclists.org/oss-sec/2016/q3/8
>>>
>>> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
>>> Reported-by: Marco Grassi <marco.gra@gmail.com>
>>> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
>>> ---
>>> net/ipv4/udp.c | 2 ++
>>> net/ipv6/udp.c | 2 ++
>>> 2 files changed, 4 insertions(+)
>>>
>>> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
>>> index ca5e8ea29538..4aed8fc23d32 100644
>>> --- a/net/ipv4/udp.c
>>> +++ b/net/ipv4/udp.c
>>> @@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
>>>
>>> if (sk_filter(sk, skb))
>>> goto drop;
>>> + if (unlikely(skb->len < sizeof(struct udphdr)))
>>> + goto drop;
>>>
>>> udp_csum_pull_header(skb);
>>> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
>>> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
>>> index 005dc82c2138..acc09705618b 100644
>>> --- a/net/ipv6/udp.c
>>> +++ b/net/ipv6/udp.c
>>> @@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
>>>
>>> if (sk_filter(sk, skb))
>>> goto drop;
>>> + if (unlikely(skb->len < sizeof(struct udphdr)))
>>> + goto drop;
>>>
>>> udp_csum_pull_header(skb);
>>> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
>>
>>
>> Arg :(
>>
>> Acked-by: Eric Dumazet <edumazet@google.com>
>
> this is incomplete fix. Please do not apply. See discussion at security@kernel
Ohh well, didn't see it earlier before starting the discussion at security@...
I'm okay if we take this for now as a quick band aid and find a better way
to deal with the underlying issue long-term so that it's /guaranteed/ that it
doesn't bite us any further in such fragile ways.
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-09 9:48 ` Daniel Borkmann
@ 2016-07-09 10:43 ` Michal Kubecek
2016-07-09 13:05 ` Willem de Bruijn
From: Michal Kubecek @ 2016-07-09 10:43 UTC (permalink / raw)
To: Daniel Borkmann
Cc: Alexei Starovoitov, Eric Dumazet, Willem de Bruijn,
David S. Miller, samanthakumar, Marco Grassi, netdev,
linux-kernel, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
Patrick McHardy
On Sat, Jul 09, 2016 at 11:48:49AM +0200, Daniel Borkmann wrote:
> On 07/09/2016 02:20 AM, Alexei Starovoitov wrote:
> >On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote:
> >>On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
> >>>If socket filter truncates an udp packet below the length of UDP header
> >>>in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
> >>>BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
> >>>kernel is configured that way) can be easily enforced by an unprivileged
> >>>user which was reported as CVE-2016-6162. For a reproducer, see
> >>>http://seclists.org/oss-sec/2016/q3/8
> >>>
> >>>Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> >>>Reported-by: Marco Grassi <marco.gra@gmail.com>
> >>>Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> >>>---
> >>> net/ipv4/udp.c | 2 ++
> >>> net/ipv6/udp.c | 2 ++
> >>> 2 files changed, 4 insertions(+)
> >>>
> >>>diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
> >>>index ca5e8ea29538..4aed8fc23d32 100644
> >>>--- a/net/ipv4/udp.c
> >>>+++ b/net/ipv4/udp.c
> >>>@@ -1583,6 +1583,8 @@ int udp_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> >>>
> >>> if (sk_filter(sk, skb))
> >>> goto drop;
> >>>+ if (unlikely(skb->len < sizeof(struct udphdr)))
> >>>+ goto drop;
> >>>
> >>> udp_csum_pull_header(skb);
> >>> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
> >>>diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
> >>>index 005dc82c2138..acc09705618b 100644
> >>>--- a/net/ipv6/udp.c
> >>>+++ b/net/ipv6/udp.c
> >>>@@ -620,6 +620,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
> >>>
> >>> if (sk_filter(sk, skb))
> >>> goto drop;
> >>>+ if (unlikely(skb->len < sizeof(struct udphdr)))
> >>>+ goto drop;
> >>>
> >>> udp_csum_pull_header(skb);
> >>> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
> >>
> >>
> >>Arg :(
> >>
> >>Acked-by: Eric Dumazet <edumazet@google.com>
> >
> >this is incomplete fix. Please do not apply. See discussion at security@kernel
>
> Ohh well, didn't see it earlier before starting the discussion at security@...
>
> I'm okay if we take this for now as a quick band aid and find a better
> way how to deal with the underlying issue long-term so that it's
> /guaranteed/ that it doesn't bite us any further in such fragile ways.
Agreed. As rc7 is due in a day or two, rushing a complex and intrusive
solution in might be too risky.
Michal Kubecek
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-09 10:43 ` Michal Kubecek
@ 2016-07-09 13:05 ` Willem de Bruijn
From: Willem de Bruijn @ 2016-07-09 13:05 UTC (permalink / raw)
To: Michal Kubecek
Cc: Daniel Borkmann, Alexei Starovoitov, Eric Dumazet,
David S. Miller, samanthakumar, Marco Grassi, Network Development,
linux-kernel, Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI,
Patrick McHardy
On Sat, Jul 9, 2016 at 6:43 AM, Michal Kubecek <mkubecek@suse.cz> wrote:
> On Sat, Jul 09, 2016 at 11:48:49AM +0200, Daniel Borkmann wrote:
>> On 07/09/2016 02:20 AM, Alexei Starovoitov wrote:
>> >On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote:
>> >>On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
>> >>>If socket filter truncates an udp packet below the length of UDP header
>> >>>in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
>> >>>BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
>> >>>kernel is configured that way) can be easily enforced by an unprivileged
>> >>>user which was reported as CVE-2016-6162. For a reproducer, see
>> >>>http://seclists.org/oss-sec/2016/q3/8
>> >>>
>> >>>Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
>> >>>Reported-by: Marco Grassi <marco.gra@gmail.com>
>> >>>Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
>> >>>---
>
>> >>Acked-by: Eric Dumazet <edumazet@google.com>
>> >
>> >this is incomplete fix. Please do not apply. See discussion at security@kernel
>>
>> Ohh well, didn't see it earlier before starting the discussion at security@...
>>
>> I'm okay if we take this for now as a quick band aid and find a better
>> way how to deal with the underlying issue long-term so that it's
>> /guaranteed/ that it doesn't bite us any further in such fragile ways.
>
> Agreed. As rc7 is due in a day or two, rushing a complex and intrusive
> solution in might be too risky.
Acked-by: Willem de Bruijn <willemb@google.com>
Thanks, Michal.
* Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much
2016-07-08 15:52 [PATCH net] udp: prevent bugcheck if filter truncates packet too much Michal Kubecek
2016-07-08 23:31 ` Eric Dumazet
@ 2016-07-11 19:43 ` David Miller
From: David Miller @ 2016-07-11 19:43 UTC (permalink / raw)
To: mkubecek
Cc: samanthakumar, marco.gra, netdev, linux-kernel, kuznet, jmorris,
yoshfuji, kaber
From: Michal Kubecek <mkubecek@suse.cz>
Date: Fri, 8 Jul 2016 17:52:33 +0200 (CEST)
> If socket filter truncates an udp packet below the length of UDP header
> in udpv6_queue_rcv_skb() or udp_queue_rcv_skb(), it will trigger a
> BUG_ON in skb_pull_rcsum(). This BUG_ON (and therefore a system crash if
> kernel is configured that way) can be easily enforced by an unprivileged
> user which was reported as CVE-2016-6162. For a reproducer, see
> http://seclists.org/oss-sec/2016/q3/8
>
> Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
> Reported-by: Marco Grassi <marco.gra@gmail.com>
> Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Applied and queued up for -stable, thanks.