From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH net v3] gso: validate gso_type in GSO handlers
Date: Mon, 22 Jan 2018 16:02:23 -0500 (EST)
Message-ID: <20180122.160223.56363029606360667.davem@davemloft.net>
References: <20180119142918.115831-1-willemdebruijn.kernel@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org, edumazet@google.com, jasowang@redhat.com, tom@herbertland.com, herbert@gondor.apana.org.au, willemb@google.com
To: willemdebruijn.kernel@gmail.com
Return-path:
Received: from shards.monkeyblade.net ([184.105.139.130]:40934 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S1750892AbeAVVCZ (ORCPT );
	Mon, 22 Jan 2018 16:02:25 -0500
In-Reply-To: <20180119142918.115831-1-willemdebruijn.kernel@gmail.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Willem de Bruijn
Date: Fri, 19 Jan 2018 09:29:18 -0500

> From: Willem de Bruijn
>
> Validate gso_type during segmentation as SKB_GSO_DODGY sources
> may pass packets where the gso_type does not match the contents.
>
> Syzkaller was able to enter the SCTP gso handler with a packet of
> gso_type SKB_GSO_TCPV4.
>
> On entry of transport layer gso handlers, verify that the gso_type
> matches the transport protocol.
>
> Fixes: 90017accff61 ("sctp: Add GSO support")
> Link: http://lkml.kernel.org/r/<001a1137452496ffc305617e5fe0@google.com>
> Reported-by: syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com
> Signed-off-by: Willem de Bruijn
>
> ---
> Similar checks existed until removed in commit 5c7cdf339af5 ("gso:
> Remove arbitrary checks for unsupported GSO"). But those were limited
> to the TSO path, not software GSO. I believe that this issue goes
> back further, hence the Fixes at the first user of virtio_net_hdr.

Applied and queued up for -stable, thanks Willem.
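
An added illustration, not part of this thread and not the patch's code: a userspace model of the check the commit message describes, where each transport handler rejects a packet whose claimed gso_type does not match the handler's protocol. The struct, function names, flag bit values and return codes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Model flags: bit values are constructed for this example, not the kernel's. */
enum { GSO_TCPV4 = 1u << 0, GSO_DODGY = 1u << 1, GSO_SCTP = 1u << 2 };
enum { PROTO_TCP = 6, PROTO_SCTP = 132 };      /* IANA protocol numbers */
enum { SEG_OK = 0, SEG_EINVAL = -22 };         /* hypothetical return codes */

/* Hypothetical stand-in for a packet from an untrusted (DODGY) source:
 * proto is what the headers contain, gso_type is what the sender-supplied
 * metadata claims. The two can disagree. */
struct model_pkt {
    uint8_t  proto;
    uint32_t gso_type;
};

/* Each transport handler verifies on entry that the claimed gso_type
 * matches its own protocol before doing any segmentation work. */
static int model_tcp4_segment(const struct model_pkt *p)
{
    if (!(p->gso_type & GSO_TCPV4))
        return SEG_EINVAL;
    return SEG_OK;                             /* segmentation would happen here */
}

static int model_sctp_segment(const struct model_pkt *p)
{
    if (!(p->gso_type & GSO_SCTP))
        return SEG_EINVAL;
    return SEG_OK;
}

/* Dispatch follows the protocol in the headers, so only the per-handler
 * check stops a mismatched gso_type from being processed. */
int model_gso_segment(const struct model_pkt *p)
{
    switch (p->proto) {
    case PROTO_TCP:  return model_tcp4_segment(p);
    case PROTO_SCTP: return model_sctp_segment(p);
    default:         return SEG_EINVAL;
    }
}

int main(void)
{
    /* Constructed inputs: the reported case (SCTP contents, TCPv4 type) and a consistent one. */
    struct model_pkt bad  = { PROTO_SCTP, GSO_TCPV4 | GSO_DODGY };
    struct model_pkt good = { PROTO_SCTP, GSO_SCTP  | GSO_DODGY };
    printf("mismatched: %d, matching: %d\n",
           model_gso_segment(&bad), model_gso_segment(&good));
    return 0;
}
```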