Date:   Wed, 11 Aug 2021 00:36:30 +0530
From:   Shreyansh Chouhan <chouhan.shreyansh630@...il.com>
To:     davem@...emloft.net, kuba@...nel.org, edumazet@...gle.com,
        willemb@...gle.com, xie.he.0141@...il.com, gustavoars@...nel.org,
        wanghai38@...wei.com, tannerlove@...gle.com, eyal.birger@...il.com,
        rsanger@...d.net.nz, jiapeng.chong@...ux.alibaba.com
Cc:     netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Can a valid vnet header have both csum_start and csum_offset 0?

Hi,

When parsing the vnet header in __packet_snd_vnet_parse[1], we do not
check for if the values of csum_start and csum_offset given in the
header are both 0.

Having both these values 0, however, causes a crash[2] further down the
gre xmit code path. In the function ipgre_xmit, we pull the ip header
and gre header from skb->data, this results in an invalid
skb->csum_start which was calculated from the vnet header. The
skb->csum_start offset in this case turns out to be lower than
skb->transport_header. This causes us to pass a negative number as an
argument to csum_partial[3] and eventually to do_csum[4], which then causes
a kernel oops in the while loop.

I do not understand what should the correct behavior be in this
scenario, should we consider this vnet header as invalid? (Which I think
is the most likely solution, however I do not have experience with
networking.) Or should we rather accomodate for both csum_start
and csum_offset values to be 0 in ipgre_xmit?

Regards,
Shreyansh Chouhan

--

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/packet/af_packet.c#n2480
[2] https://syzkaller.appspot.com/bug?id=c391f74aac26dd8311c45743ae618f9d5e38b674
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/skbuff.h#n4662
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/lib/csum-partial_64.c#n35

Powered by blists - more mailing lists