From: Willem de Bruijn
To: netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com, jasowang@redhat.com, maximmi@mellanox.com, Willem de Bruijn, syzbot
Subject: [PATCH net] net: validate untrusted gso packets without csum offload
Date: Fri, 15 Feb 2019 12:15:47 -0500
Message-Id: <20190215171547.247018-1-willemdebruijn.kernel@gmail.com>
X-Mailing-List: netdev@vger.kernel.org
From: Willem de Bruijn

Syzkaller again found a path to a kernel crash through bad gso input. By building an excessively large packet to cause an skb field to wrap.

If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in skb_partial_csum_set.

GSO packets that do not set checksum offload are suspicious and rare. Most callers of virtio_net_hdr_to_skb already pass them to skb_probe_transport_header.

Move that test forward, change it to detect parse failure and drop packets on failure as those clearly are not one of the legitimate VIRTIO_NET_HDR_GSO types.

Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
---
This captures a variety of bad gso packets, but to tighten further:

- drop SKB_GSO_DODGY packets with ipip/sit/.. , which cannot be legal.
  by ipip_gso_segment wrappers around inet_gso_segment
  expands on 121d57af308d ("gso: validate gso_type in GSO handlers")

- limit the number of ipv6 exthdrs allowed from dodgy sources.
  not sure where to draw the line. but not at 64K ;)

- validate the network and transport protocol returned in
  skb_probe_transport_header against the VIRTIO_NET_HDR_GSO type

- probe all dodgy GSO packets, also those that set checksum offload.
  this will have a performance impact, discussed previously in
  http://patchwork.ozlabs.org/patch/861874/
  but it would have blocked this latest bug as well

All but the last one seem pretty uncontroversial to me. If no one
objects I plan to send those to net-next.
---
 include/linux/skbuff.h     | 2 +-
 include/linux/virtio_net.h | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 95d25b010a25..4c1c82a5678c 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -2434,7 +2434,7 @@ static inline void skb_probe_transport_header(struct sk_buff *skb, if (skb_flow_dissect_flow_keys_basic(skb, &keys, NULL, 0, 0, 0, 0)) skb_set_transport_header(skb, keys.control.thoff); - else + else if (offset_hint >= 0) skb_set_transport_header(skb, offset_hint); } diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index cb462f9ab7dd..71f2394abbf7 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -57,6 +57,15 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb, if (!skb_partial_csum_set(skb, start, off)) return -EINVAL; + } else { + /* gso packets without NEEDS_CSUM do not set transport_offset. + * probe and drop if does not match one of the above types. + */ + if (gso_type) { + skb_probe_transport_header(skb, -1); + if (!skb_transport_header_was_set(skb)) + return -EINVAL; + } } if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { -- 2.21.0.rc0.258.g878e2cd30e-goog
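Review bot: in the skbuff.h hunk, `else if (offset_hint >= 0)` turns a negative offset_hint into a sentinel meaning "leave the transport header unset when flow dissection fails", but nothing in the hunk documents that new contract, and the context line is cut before the parameter declaration, so it is not visible here that offset_hint is a signed type (if it were unsigned, the new branch would always be taken and the virtio_net.h check would never trigger). Suggest a short comment above skb_probe_transport_header stating that a negative hint disables the fallback, and a check that no existing caller already passes a negative hint for some other reason.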
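Review bot: in the virtio_net.h hunk, the drop depends on skb_transport_header_was_set() being false on entry, exactly as the comment "gso packets without NEEDS_CSUM do not set transport_offset" assumes; if any caller sets the transport header before calling virtio_net_hdr_to_skb, a failed probe is masked and the malformed packet is accepted, so it would be safer to verify the header is unset before probing rather than rely on that silently. Two smaller points: the comment reads "drop if does not match" (missing "it"), and "one of the above types" refers to a switch that is not in this hunk, so naming the accepted VIRTIO_NET_HDR_GSO types would read better; and the new branch tests the local `gso_type` while the check immediately below tests `hdr->gso_type`, so please confirm the local is derived from hdr->gso_type and non-zero exactly when the following block runs.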