Date: Mon, 11 Feb 2019 12:44:34 +0100
From: Greg KH
To: Zubin Mithra
Cc: netdev@vger.kernel.org, posk@google.com, edumazet@google.com, willemb@google.com, davem@davemloft.net
Subject: Re: [PATCH v4.19.y] ip: fail fast on IP defrag errors
Message-ID: <20190211114434.GA1459@kroah.com>
In-Reply-To: <20190122174344.112456-1-zsm@chromium.org>
X-Mailing-List: netdev@vger.kernel.org

On Tue, Jan 22, 2019 at 09:43:44AM -0800, Zubin Mithra wrote:
> From: Peter Oskolkov
>
> commit 0ff89efb524631ac9901b81446b453c29711c376 upstream
>
> The current behavior of IP defragmentation is inconsistent:
> - some overlapping/wrong length fragments are dropped without
>   affecting the queue;
> - most overlapping fragments cause the whole frag queue to be dropped.
>
> This patch brings consistency: if a bad fragment is detected,
> the whole frag queue is dropped. Two major benefits:
> - fail fast: corrupted frag queues are cleared immediately, instead of
>   by timeout;
> - testing of overlapping fragments is now much easier: any kind of
>   random fragment length mutation now leads to the frag queue being
>   discarded (IP packet dropped); before this patch, some overlaps were
>   "corrected", with tests not seeing expected packet drops.
>
> Note that in one case (see "if (end&7)" conditional) the current
> behavior is preserved as there are concerns that this could be
> legitimate padding.
>
> Signed-off-by: Peter Oskolkov
> Reviewed-by: Eric Dumazet
> Reviewed-by: Willem de Bruijn
> Signed-off-by: David S. Miller
> Signed-off-by: Zubin Mithra
> ---
> Backport Note:
> - Syzkaller reported a UAF, as 0ff89efb5246 ("ip: fail fast on IP defrag
>   errors") was not applied prior to applying d5f9565c8d5a ("net: ipv4: do
>   not handle duplicate fragments as overlapping").
>   Conflicts occur when 0ff89efb5246 is now applied onto 4.14.y/4.19.y,
>   which this patch addresses.
> - An alternative to this patch would be to do the following :-
>     - revert "net: ipv4: do not handle duplicate fragments as overlapping"
>       (d5f9565c8d5ad on 4.19.y, 95b4b711444a on 4.14.y)
>     - apply "ip: fail fast on IP defrag errors" (0ff89efb5246)
>     - apply "net: ipv4: do not handle duplicate fragments as overlapping"
>       (ade446403bfb)

This patch does not apply to the current 4.19.y tree (well, on top of my
latest patches that are queued for the next release).  Can you refresh
it after the next 4.19.y release in a few days and resend it along with
a new 4.14.y patch as well?

thanks,

greg k-h
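
The fail-fast policy described in the quoted commit message, as an added userspace model that is not part of this thread and is not the kernel's code: an overlapping or wrong-length fragment discards everything queued so far, while the "end&7" case only trims the fragment. The names frag_queue, frag_insert and drop_queue, the 16-slot limit, and the trim-to-8-bytes handling of that case are assumptions of this sketch; exact duplicates are treated like any other overlap here, since the duplicate handling belongs to the separate commit the backport note mentions.

```c
#include <stddef.h>
/* Userspace model of one IPv4 reassembly queue; an illustration, not kernel code. */
enum frag_result { FRAG_QUEUED, FRAG_QUEUE_DROPPED };

struct frag_queue {
    unsigned start[16], end[16]; /* byte ranges accepted so far */
    size_t n;                    /* number of accepted fragments */
    unsigned len;                /* highest end offset seen */
    int last_in;                 /* fragment with MF clear already seen */
    int dead;                    /* queue discarded; later fragments are refused */
};

/* Fail fast: forget every fragment collected so far. */
static enum frag_result drop_queue(struct frag_queue *q)
{
    q->n = 0; q->len = 0;
    q->last_in = 0; q->dead = 1;
    return FRAG_QUEUE_DROPPED;
}

/* Offer fragment [off, off + size); more_frags mirrors the IP MF flag. */
enum frag_result frag_insert(struct frag_queue *q, unsigned off,
                             unsigned size, int more_frags)
{
    unsigned end = off + size;
    if (q->dead || q->n == 16)
        return drop_queue(q);
    if (!more_frags) {
        /* Wrong length: ends before queued data or contradicts an earlier final fragment. */
        if (end < q->len || (q->last_in && end != q->len))
            return drop_queue(q);
        q->last_in = 1;
        q->len = end;
    } else {
        end &= ~7u;             /* the "end&7" case: trim possible padding, keep the queue */
        if (end > q->len) {
            if (q->last_in)     /* wrong length: data beyond the declared end */
                return drop_queue(q);
            q->len = end;
        }
    }
    if (end <= off)             /* nothing left to queue after trimming */
        return drop_queue(q);
    for (size_t i = 0; i < q->n; i++)
        if (off < q->end[i] && q->start[i] < end)   /* overlaps an accepted range */
            return drop_queue(q);
    q->start[q->n] = off;
    q->end[q->n++] = end;
    return FRAG_QUEUED;
}
```

In a test harness, feeding mutated fragment lengths to frag_insert and asserting FRAG_QUEUE_DROPPED mirrors the testing benefit the commit message describes: a bad fragment shows up as an immediate drop rather than as a silently "corrected" packet.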