lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <2024082854-reassign-uniformed-2c2f@gregkh>
Date: Wed, 28 Aug 2024 09:30:08 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Michal Koutný <mkoutny@...e.com>
Cc: cve@...nel.org, linux-kernel@...r.kernel.org,
	Tao Liu <thomas.liu@...oud.cn>,
	Willem de Bruijn <willemb@...gle.com>
Subject: Re: CVE-2022-48936: gso: do not skip outer ip header in case of ipip
 and net_failover

On Tue, Aug 27, 2024 at 05:02:36PM +0200, Michal Koutný wrote:
> On Thu, Aug 22, 2024 at 11:31:37AM GMT, Greg Kroah-Hartman <gregkh@...uxfoundation.org> wrote:
> > We encounter a tcp drop issue in our cloud environment. Packet GROed in
> > host forwards to a VM virtio_net nic with net_failover enabled. VM acts
> > as a IPVS LB with ipip encapsulation. The full path like:
> > host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat
> >  -> ipip encap -> net_failover tx -> virtio_net tx
> > 
> > When net_failover transmits a ipip pkt (gso_type = 0x0103, which means
> > SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso
> > did because it supports TSO and GSO_IPXIP4. But network_header points to
> > inner ip header.
> > 
> > Call Trace:
> >  tcp4_gso_segment        ------> return NULL
> >  inet_gso_segment        ------> inner iph, network_header points to
> >  ipip_gso_segment
> >  inet_gso_segment        ------> outer iph
> >  skb_mac_gso_segment
> 
> > Afterwards virtio_net transmits the pkt, only inner ip header is modified.
> > And the outer one just keeps unchanged. The pkt will be dropped in remote
> > host.
> 
> That may appear like a transient connection issue or permanently
> impossible connection?

I don't know.

> > Call Trace:
> >  inet_gso_segment        ------> inner iph, outer iph is skipped
> >  skb_mac_gso_segment
> >  __skb_gso_segment
> >  validate_xmit_skb
> >  validate_xmit_skb_list
> >  sch_direct_xmit
> >  __qdisc_run
> >  __dev_queue_xmit        ------> virtio_net
> >  dev_hard_start_xmit
> >  __dev_queue_xmit        ------> net_failover
> >  ip_finish_output2
> >  ip_output
> >  iptunnel_xmit
> >  ip_tunnel_xmit
> >  ipip_tunnel_xmit        ------> ipip
> >  dev_hard_start_xmit
> >  __dev_queue_xmit
> >  ip_finish_output2
> >  ip_output
> >  ip_forward
> >  ip_rcv
> >  __netif_receive_skb_one_core
> >  netif_receive_skb_internal
> >  napi_gro_receive
> >  receive_buf
> >  virtnet_poll
> >  net_rx_action
> > 
> > The root cause of this issue is specific with the rare combination of
> > SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.
> > SKB_GSO_DODGY is set from external virtio_net. We need to reset network
> > header when callbacks.gso_segment() returns NULL.
> 
> Who's in control of these configuration (who can cause this incorrect
> packet being sent)?
> 
> > This patch also includes ipv6_gso_segment(), considering SIT, etc.
> > 
> > The Linux kernel CVE team has assigned CVE-2022-48936 to this issue.
> 
> What is the security issue here?

This was assigned as part of the import of the Linux kernel GSD entries
into CVEs as required by the CVE board of directors (hence the 2022
date).  If you don't feel this should be assigned a CVE, just let me
know and I will be glad to reject it.

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ