lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YS+h/tqCJJiQei+W@shredder>
Date:   Wed, 1 Sep 2021 18:53:34 +0300
From:   Ido Schimmel <idosch@...sch.org>
To:     Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc:     Shreyansh Chouhan <chouhan.shreyansh630@...il.com>,
        davem@...emloft.net, yoshfuji@...ux-ipv6.org, dsahern@...nel.org,
        kuba@...nel.org, pshelar@...ira.com, netdev@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        syzbot+ff8e1b9f2f36481e2efc@...kaller.appspotmail.com
Subject: Re: [PATCH 1/2 net] ip_gre: add validation for csum_start

Thanks for the quick reply, Willem.

On Wed, Sep 01, 2021 at 09:46:48AM -0400, Willem de Bruijn wrote:
> Thanks for the detailed report, Ido.
> 
> This is a gre tunnel device with csum/ocsum enabled, correct?

Correct.

> 
> How was this packet generated: does it come from the local stack or is
> it a custom packet injected from userspace, e.g., with a packet socket
> with vnet_hdr?

The packet is received by a physical port and injected to the kernel's
Rx path by mlxsw (which does not support checksumming). The IPv4 routing
code then forwards the packet to the GRE tunnel.

I was able to reproduce the issue using veth pairs and a packet socket
[1]. Running the reproducer with the debug patch from before, I get the
following output [2].

[1]
#!/bin/bash

ip link add name veth0 type veth peer name veth1
ip link add name veth2 type veth peer name veth3
ip link add name veth4 type veth peer name veth5

ip netns add h1
ip netns add r1
ip netns add r2
ip netns add h2

# h1
ip -n h1 link set dev lo up
ip link set dev veth0 netns h1
ip -n h1 link set dev veth0 up
ip -n h1 address add 192.0.2.1/28 dev veth0
ip -n h1 route add default via 192.0.2.2

# r1
## underlay
ip netns exec r1 sysctl -wq net.ipv4.conf.all.forwarding=1
ip -n r1 link set dev lo up
ip -n r1 address add 1.1.1.1/32 dev lo
ip link set dev veth1 netns r1
ip link set dev veth2 netns r1
ip -n r1 link set dev veth1 up
ip -n r1 link set dev veth2 up
ip -n r1 address add 192.0.2.2/28 dev veth1
ip -n r1 address add 192.0.2.17/28 dev veth2
ip -n r1 route add 2.2.2.2/32 via 192.0.2.18
## overlay
ip -n r1 tunnel add name gre2 mode gre local 1.1.1.1 remote 2.2.2.2 csum
ip -n r1 link set dev gre2 up
ip -n r1 route add 192.0.2.34/32 dev gre2

# r2
## underlay
ip netns exec r2 sysctl -wq net.ipv4.conf.all.forwarding=1
ip -n r2 link set dev lo up
ip -n r2 address add 2.2.2.2/32 dev lo
ip link set dev veth3 netns r2
ip link set dev veth4 netns r2
ip -n r2 link set dev veth3 up
ip -n r2 link set dev veth4 up
ip -n r2 address add 192.0.2.18/28 dev veth3
ip -n r2 address add 192.0.2.33/28 dev veth4
ip -n r2 route add 1.1.1.1/32 via 192.0.2.17
## overlay
ip -n r2 tunnel add name gre2 mode gre local 2.2.2.2 remote 1.1.1.1 csum
ip -n r2 link set dev gre2 up
ip -n r2 route add 192.0.2.1/32 dev gre2

# h2
ip -n h2 link set dev lo up
ip link set dev veth5 netns h2
ip -n h2 link set dev veth5 up
ip -n h2 address add 192.0.2.34/28 dev veth5
ip -n h2 route add default via 192.0.2.33

# test
dmac=$(ip -n r1 -j -p link show dev veth1 | jq -r '.[]["address"]')
ip netns exec h1 mausezahn -a own -b "$dmac" -A 192.0.2.1 -B 192.0.2.34 \
	-t udp "sp=12345,dp=54321" -p 100 -c 10 -d 1msec -q

ip -n r1 -s link show dev gre2

ip netns del h2
ip netns del r2
ip netns del r1
ip netns del h1

[2]
skb len=128 headroom=80 headlen=128 tailroom=496
mac=(80,0) net=(80,20) trans=100
shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=16
dev name=gre2 feat=0x0x00000006401d5869
skb linear:   00000000: 45 00 00 80 00 00 00 00 fe 11 38 49 c0 00 02 01
skb linear:   00000010: c0 00 02 22 30 39 d4 31 00 6c 85 96 42 42 42 42
skb linear:   00000020: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
skb linear:   00000030: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
skb linear:   00000040: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
skb linear:   00000050: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
skb linear:   00000060: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42
skb linear:   00000070: 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ