lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACGkMEvukuV5UZqb=MOaPqWfuJKOokZW1986GE4cRwt=Vx9Unw@mail.gmail.com>
Date:   Thu, 3 Aug 2023 11:19:47 +0800
From:   Jason Wang <jasowang@...hat.com>
To:     Jesper Dangaard Brouer <hawk@...nel.org>
Cc:     Andrew Kanner <andrew.kanner@...il.com>, davem@...emloft.net,
        edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com,
        netdev@...r.kernel.org, dsahern@...il.com, jbrouer@...hat.com,
        john.fastabend@...il.com, linux-kernel@...r.kernel.org,
        linux-kernel-mentees@...ts.linuxfoundation.org,
        syzbot+f817490f5bd20541b90a@...kaller.appspotmail.com
Subject: Re: [PATCH v4 1/2] drivers: net: prevent tun_build_skb() to exceed
 the packet size limit

On Wed, Aug 2, 2023 at 10:14 PM Jesper Dangaard Brouer <hawk@...nel.org> wrote:
>
>
>
> On 02/08/2023 00.07, Andrew Kanner wrote:
> > Using the syzkaller repro with reduced packet size it was discovered
> > that XDP_PACKET_HEADROOM is not checked in tun_can_build_skb(),
> > although pad may be incremented in tun_build_skb(). This may end up
> > with exceeding the PAGE_SIZE limit in tun_build_skb().
> >
> > Fixes: 7df13219d757 ("tun: reserve extra headroom only when XDP is set")
> > Link: https://syzkaller.appspot.com/bug?extid=f817490f5bd20541b90a
> > Signed-off-by: Andrew Kanner <andrew.kanner@...il.com>
> > ---
> >
> > Notes:
> >      v3 -> v4:
> >      * fall back to v1, fixing only missing XDP_PACKET_HEADROOM in pad and
> >        removing bpf_xdp_adjust_tail() check for frame_sz.
> >      * added rcu read lock, noted by Jason Wang <jasowang@...hat.com> in v1
> >      * I decided to leave the packet length check in tun_can_build_skb()
> >        instead of moving to tun_build_skb() suggested by Jason Wang
> >        <jasowang@...hat.com>. Otherwise extra packets will be dropped
> >        without falling back to tun_alloc_skb(). And in the discussion of v3
> >        Jesper Dangaard Brouer <jbrouer@...hat.com> noticed that XDP is ok
> >        with a higher order pages if it's a contiguous physical memory
> >        allocation, so falling to tun_alloc_skb() -> do_xdp_generic() should
> >        be ok.
> >
> >      v2 -> v3:
> >      * attach the forgotten changelog
> >
> >      v1 -> v2:
> >      * merged 2 patches in 1, fixing both issues: WARN_ON_ONCE with
> >        syzkaller repro and missing XDP_PACKET_HEADROOM in pad
> >      * changed the title and description of the execution path, suggested
> >        by Jason Wang <jasowang@...hat.com>
> >      * move the limit check from tun_can_build_skb() to tun_build_skb() to
> >        remove duplication and locking issue, and also drop the packet in
> >        case of a failed check - noted by Jason Wang <jasowang@...hat.com>
> >
> >   drivers/net/tun.c | 11 ++++++++++-
> >   1 file changed, 10 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index d75456adc62a..a1d04bc9485f 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -1582,6 +1582,9 @@ static void tun_rx_batched(struct tun_struct *tun, struct tun_file *tfile,
> >   static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile,
> >                             int len, int noblock, bool zerocopy)
> >   {
> > +     struct bpf_prog *xdp_prog;
> > +     int pad = TUN_RX_PAD;
> > +
> >       if ((tun->flags & TUN_TYPE_MASK) != IFF_TAP)
> >               return false;
> >
> > @@ -1594,7 +1597,13 @@ static bool tun_can_build_skb(struct tun_struct *tun, struct tun_file *tfile,
> >       if (zerocopy)
> >               return false;
> >
> > -     if (SKB_DATA_ALIGN(len + TUN_RX_PAD) +
> > +     rcu_read_lock();
> > +     xdp_prog = rcu_dereference(tun->xdp_prog);
> > +     if (xdp_prog)
> > +             pad += XDP_PACKET_HEADROOM;
> > +     rcu_read_unlock();
> > +
>
> Isolated seen, I guess, this is a correct fix to 7df13219d757.

I think so.

Actually, I think we can probably always count XDP_PACKET_HEADROOM
here. Since there's a window that XDP program might be attached in the
middle of tun_can_build_skb() and tun_build_skb().

>
> > +     if (SKB_DATA_ALIGN(len + pad) +
> >           SKB_DATA_ALIGN(sizeof(struct skb_shared_info)) > PAGE_SIZE)
> >               return false;
> >
>
> Question to Jason Wang:
> Why fall back (to e.g. tun_alloc_skb()) when size is above PAGE_SIZE?
>
> AFAIK tun_build_skb() *can* create get larger packets than PAGE_SIZE
> from it's page_frag.  Is there a reason for this limitation?

I couldn't recall but I think we can relax.

Thanks

>
> (To Andrew, I assume a change in this area is another patch).
>
> --Jesper
>
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ