From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Jason Wang <jasowang@redhat.com>
Cc: Network Development <netdev@vger.kernel.org>,
David Miller <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH net] net: validate untrusted gso packets
Date: Tue, 16 Jan 2018 23:56:33 -0500 [thread overview]
Message-ID: <CAF=yD-K-Jb6g-9ecQgxGbTTEW2ZCV4F0QouRfkCvCEEPt5gxQA@mail.gmail.com> (raw)
In-Reply-To: <CAF=yD-+LATRZ0X2+gQmDDLkgLnwgPZxvJMCu=zWqdLsOvwhcRw@mail.gmail.com>
On Tue, Jan 16, 2018 at 11:33 PM, Willem de Bruijn
<willemdebruijn.kernel@gmail.com> wrote:
> On Tue, Jan 16, 2018 at 11:04 PM, Jason Wang <jasowang@redhat.com> wrote:
>>
>>
>> On 2018年01月17日 04:29, Willem de Bruijn wrote:
>>>
>>> From: Willem de Bruijn<willemb@google.com>
>>>
>>> Validate gso packet type and headers on kernel entry. Reuse the info
>>> gathered by skb_probe_transport_header.
>>>
>>> Syzbot found two bugs by passing bad gso packets in packet sockets.
>>> Untrusted user packets are limited to a small set of gso types in
>>> virtio_net_hdr_to_skb. But segmentation occurs on packet contents.
>>> Syzkaller was able to enter gso callbacks that are not hardened
>>> against untrusted user input.
>>
>>
>> Do this mean there's something missed in exist header check for dodgy
>> packets?
>
> virtio_net_hdr_to_skb checks gso_type, but it does not verify that this
> type correctly describes the actual packet. Segmentation happens based
> on packet contents. So a packet was crafted to enter sctp gso, even
> though no such gso_type exists. This issue is not specific to sctp.
>
>>>
>>> User packets can also have corrupted headers, tripping up segmentation
>>> logic that expects sane packets from the trusted protocol stack.
>>> Hardening all segmentation paths against all bad packets is error
>>> prone and slows down the common path, so validate on kernel entry.
>>
>>
>> I think evil packets should be rare in common case, so I'm not sure validate
>> it on kernel entry is a good choice especially consider we've already had
>> header check.
>
> This just makes that check more strict. Frequency of malicious packets is
> not really relevant if a single bad packet can cause damage.
>
> The alternative to validate on kernel entry is to harden the entire segmentation
> layer and lower part of the stack. That is much harder to get right and not
> necessarily cheaper.
>
> As a matter of fact, it incurs a cost on all packets, including the common
> case generated by the protocol stack.
If packets can be fully validated at the source, we can eventually also
get rid of the entire SKB_GSO_DODGY and NETIF_F_GSO_ROBUST
logic. Then virtio packets won't have to enter the segmentation layer
at all for TSO capable devices.
next prev parent reply other threads:[~2018-01-17 4:57 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-16 20:29 [PATCH net] net: validate untrusted gso packets Willem de Bruijn
2018-01-17 4:04 ` Jason Wang
2018-01-17 4:33 ` Willem de Bruijn
2018-01-17 4:56 ` Willem de Bruijn [this message]
2018-01-17 11:58 ` Jason Wang
2018-01-17 11:54 ` Jason Wang
2018-01-17 14:27 ` Willem de Bruijn
2018-01-17 23:17 ` Willem de Bruijn
2018-01-18 3:35 ` Jason Wang
2018-01-18 5:09 ` Willem de Bruijn
2018-01-18 9:33 ` Jason Wang
2018-01-19 0:53 ` Willem de Bruijn
2018-01-19 8:19 ` Jason Wang
2018-01-19 14:39 ` Willem de Bruijn
2018-01-22 2:44 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAF=yD-K-Jb6g-9ecQgxGbTTEW2ZCV4F0QouRfkCvCEEPt5gxQA@mail.gmail.com' \
--to=willemdebruijn.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=jasowang@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).