From: Jason Wang <jasowang@redhat.com>
To: Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
netdev@vger.kernel.org
Cc: davem@davemloft.net, edumazet@google.com,
Willem de Bruijn <willemb@google.com>
Subject: Re: [PATCH net] net: validate untrusted gso packets
Date: Wed, 17 Jan 2018 12:04:19 +0800 [thread overview]
Message-ID: <fc5d31b8-4984-850f-fb27-c6879033d159@redhat.com> (raw)
In-Reply-To: <20180116202914.205914-1-willemdebruijn.kernel@gmail.com>
On 2018年01月17日 04:29, Willem de Bruijn wrote:
> From: Willem de Bruijn<willemb@google.com>
>
> Validate gso packet type and headers on kernel entry. Reuse the info
> gathered by skb_probe_transport_header.
>
> Syzbot found two bugs by passing bad gso packets in packet sockets.
> Untrusted user packets are limited to a small set of gso types in
> virtio_net_hdr_to_skb. But segmentation occurs on packet contents.
> Syzkaller was able to enter gso callbacks that are not hardened
> against untrusted user input.
Do this mean there's something missed in exist header check for dodgy
packets?
>
> User packets can also have corrupted headers, tripping up segmentation
> logic that expects sane packets from the trusted protocol stack.
> Hardening all segmentation paths against all bad packets is error
> prone and slows down the common path, so validate on kernel entry.
I think evil packets should be rare in common case, so I'm not sure
validate it on kernel entry is a good choice especially consider we've
already had header check.
>
> Introduce skb_probe_transport_header_hard to unconditionally probe,
> even if skb_partial_csum_set has already set an offset. That is under
> user control, so do not trust it. I did not see a measurable change
> in TCP_STREAM performance.
>
> Move tpacket probe call after virtio_net_hdr_to_skb has set gso_type.
>
> Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
> Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
> Fixes: f942dc2552b8 ("xen network backend driver")
> Link:http://lkml.kernel.org/r/<001a1137452496ffc305617e5fe0@google.com>
> Reported-by:syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com
> Signed-off-by: Willem de Bruijn<willemb@google.com>
...
Thanks
next prev parent reply other threads:[~2018-01-17 4:04 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-16 20:29 [PATCH net] net: validate untrusted gso packets Willem de Bruijn
2018-01-17 4:04 ` Jason Wang [this message]
2018-01-17 4:33 ` Willem de Bruijn
2018-01-17 4:56 ` Willem de Bruijn
2018-01-17 11:58 ` Jason Wang
2018-01-17 11:54 ` Jason Wang
2018-01-17 14:27 ` Willem de Bruijn
2018-01-17 23:17 ` Willem de Bruijn
2018-01-18 3:35 ` Jason Wang
2018-01-18 5:09 ` Willem de Bruijn
2018-01-18 9:33 ` Jason Wang
2018-01-19 0:53 ` Willem de Bruijn
2018-01-19 8:19 ` Jason Wang
2018-01-19 14:39 ` Willem de Bruijn
2018-01-22 2:44 ` Jason Wang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=fc5d31b8-4984-850f-fb27-c6879033d159@redhat.com \
--to=jasowang@redhat.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=netdev@vger.kernel.org \
--cc=willemb@google.com \
--cc=willemdebruijn.kernel@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).