lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Aug 2021 00:36:30 +0530 From: Shreyansh Chouhan <chouhan.shreyansh630@...il.com> To: davem@...emloft.net, kuba@...nel.org, edumazet@...gle.com, willemb@...gle.com, xie.he.0141@...il.com, gustavoars@...nel.org, wanghai38@...wei.com, tannerlove@...gle.com, eyal.birger@...il.com, rsanger@...d.net.nz, jiapeng.chong@...ux.alibaba.com Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Can a valid vnet header have both csum_start and csum_offset 0? Hi, When parsing the vnet header in __packet_snd_vnet_parse[1], we do not check for if the values of csum_start and csum_offset given in the header are both 0. Having both these values 0, however, causes a crash[2] further down the gre xmit code path. In the function ipgre_xmit, we pull the ip header and gre header from skb->data, this results in an invalid skb->csum_start which was calculated from the vnet header. The skb->csum_start offset in this case turns out to be lower than skb->transport_header. This causes us to pass a negative number as an argument to csum_partial[3] and eventually to do_csum[4], which then causes a kernel oops in the while loop. I do not understand what should the correct behavior be in this scenario, should we consider this vnet header as invalid? (Which I think is the most likely solution, however I do not have experience with networking.) Or should we rather accomodate for both csum_start and csum_offset values to be 0 in ipgre_xmit? Regards, Shreyansh Chouhan -- [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/packet/af_packet.c#n2480 [2] https://syzkaller.appspot.com/bug?id=c391f74aac26dd8311c45743ae618f9d5e38b674 [3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/skbuff.h#n4662 [4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/lib/csum-partial_64.c#n35
Powered by blists - more mailing lists