From: David Miller
Date: Fri, 15 Feb 2019 20:31:28 -0800 (PST)
Message-Id: <20190215.203128.1003165694631138290.davem@davemloft.net>
To: willemdebruijn.kernel@gmail.com
Cc: netdev@vger.kernel.org, edumazet@google.com, jasowang@redhat.com, maximmi@mellanox.com, willemb@google.com, syzkaller@googlegroups.com
Subject: Re: [PATCH net] net: validate untrusted gso packets without csum offload
In-Reply-To: <20190215171547.247018-1-willemdebruijn.kernel@gmail.com>

From: Willem de Bruijn
Date: Fri, 15 Feb 2019 12:15:47 -0500

> From: Willem de Bruijn
>
> Syzkaller again found a path to a kernel crash through bad gso input.
> By building an excessively large packet to cause an skb field to wrap.
>
> If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
> skb_partial_csum_set.
>
> GSO packets that do not set checksum offload are suspicious and rare.
> Most callers of virtio_net_hdr_to_skb already pass them to
> skb_probe_transport_header.
>
> Move that test forward, change it to detect parse failure and drop
> packets on failure as those clearly are not one of the legitimate
> VIRTIO_NET_HDR_GSO types.
>
> Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
> Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
> Reported-by: syzbot
> Signed-off-by: Willem de Bruijn

Applied and queued up for -stable, thanks Willem.

> This captures a variety of bad gso packets, but to tighten further:
>
> - drop SKB_GSO_DODGY packets with ipip/sit/.. , which cannot be legal.
>   by ipip_gso_segment wrappers around inet_gso_segment
>   expands on 121d57af308d ("gso: validate gso_type in GSO handlers")
>
> - limit the number of ipv6 exthdrs allowed from dodgy sources.
>   not sure where to draw the line. but not at 64K ;)
>
> - validate the network and transport protocol returned in
>   skb_probe_transport_header against the VIRTIO_NET_HDR_GSO type
>
> - probe all dodgy GSO packets, also those that set checksum offload.
>   this will have a performance impact, discussed previously in
>   http://patchwork.ozlabs.org/patch/861874/
>   but it would have blocked this latest bug as well
>
> All but the last one seem pretty uncontroversial to me. If no one
> objects I plan to send those to net-next.

No objections from me.
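
A userspace sketch of the check described in the commit message quoted above, added here as an example and not taken from the patch or the kernel: a GSO packet that does not set VIRTIO_NET_HDR_F_NEEDS_CSUM is probed for its transport header and dropped when the parse fails. It covers IPv6 only; the function names, the 16-bit limit on the offset and the sample builder are assumptions for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Flag and GSO type values from the virtio-net header ABI. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1
#define VIRTIO_NET_HDR_GSO_NONE     0
#define VIRTIO_NET_HDR_GSO_TCPV6    4

/* Hypothetical helper: walk an IPv6 header chain and return the transport
 * header offset, or -1 if the chain cannot be parsed inside the buffer. */
long probe_transport_offset(const uint8_t *pkt, size_t len)
{
    size_t off = 40, ext;                 /* fixed IPv6 header is 40 bytes */
    uint8_t next;
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    next = pkt[6];
    while (next == 0 || next == 43 || next == 60) {  /* hop-by-hop, routing, dest opts */
        if (len - off < 8 || (ext = ((size_t)pkt[off + 1] + 1) * 8) > len - off)
            return -1;                    /* extension header runs past the data */
        next = pkt[off];
        off += ext;
    }
    if ((next != 6 && next != 17) || len - off < (next == 6 ? 20u : 8u))
        return -1;                        /* not TCP/UDP, or header truncated */
    return (long)off;
}

/* 1 = passes this check, 0 = drop. Assumption: the offset is later stored in
 * a 16-bit field, so anything above UINT16_MAX would wrap and is refused. */
int gso_check(uint8_t flags, uint8_t gso_type, const uint8_t *pkt, size_t len)
{
    long off;
    if (gso_type == VIRTIO_NET_HDR_GSO_NONE || (flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
        return 1;                         /* not GSO, or left to the checksum path */
    off = probe_transport_offset(pkt, len);
    return off >= 0 && off <= UINT16_MAX;
}

/* Constructed sample: IPv6 + n destination-option headers + zeroed TCP header. */
size_t build_sample(uint8_t *buf, size_t cap, unsigned n, uint8_t hdrlen)
{
    size_t ext = ((size_t)hdrlen + 1) * 8, off = 40, need = 40 + n * ext + 20;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[0] = 0x60; buf[6] = n ? 60 : 6;
    for (unsigned i = 0; i < n; i++, off += ext) {
        buf[off] = (i + 1 < n) ? 60 : 6; buf[off + 1] = hdrlen;
    }
    return need;
}
```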