lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CANn89iLJGbm0Jr9CVFo6K8jetF2jX0EqVBUR3a1L=PPSSLCygA@mail.gmail.com>
Date: Tue, 22 Oct 2024 12:29:21 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Wang Liang <wangliang74@...wei.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com, idosch@...dia.com, 
	kuniyu@...zon.com, stephen@...workplumber.org, dsahern@...nel.org, 
	lucien.xin@...il.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: fix crash when config small gso_max_size/gso_ipv4_max_size

On Tue, Oct 22, 2024 at 10:40 AM Wang Liang <wangliang74@...wei.com> wrote:
>
> Config a small gso_max_size/gso_ipv4_max_size can lead to large skb len,
> which may trigger a BUG_ON crash.
>
> If the gso_max_size/gso_ipv4_max_size is smaller than MAX_TCP_HEADER + 1,
> the sk->sk_gso_max_size is overflowed:
> sk_setup_caps
>     // dst->dev->gso_ipv4_max_size = 252, MAX_TCP_HEADER = 320
>     // GSO_LEGACY_MAX_SIZE = 65536, sk_is_tcp(sk) = 1
>     sk->sk_gso_max_size = sk_dst_gso_max_size(sk, dst);
>         max_size = dst->dev->gso_ipv4_max_size;
>             sk->sk_gso_max_size = max_size - (MAX_TCP_HEADER + 1);
>             sk->sk_gso_max_size = 252-(320+1) = -69
>
> When send tcp msg, the wrong sk_gso_max_size can lead to a very large
> size_goal, which cause large skb length:
> tcp_sendmsg_locked
>     tcp_send_mss(sk, &size_goal, flags);
>         tcp_xmit_size_goal(sk, mss_now, !(flags & MSG_OOB));
>
>             // tp->max_window = 65536, TCP_MSS_DEFAULT = 536
>             new_size_goal = tcp_bound_to_half_wnd(tp, sk->sk_gso_max_size);
>                 new_size_goal = sk->sk_gso_max_size = -69
>
>             // tp->gso_segs = 0, mss_now = 32768
>             size_goal = tp->gso_segs * mss_now;
>                 size_goal = 0*32768 = 0
>
>             // sk->sk_gso_max_segs = 65535, new_size_goal = -69
>             new_size_goal < size_goal:
>                 tp->gso_segs = min_t(u16, new_size_goal / mss_now,
>                      sk->sk_gso_max_segs);
>                 // new_size_goal / mss_now = 0x1FFFF -> 65535
>                 // tp->gso_segs = 65535
>                 size_goal = tp->gso_segs * mss_now;
>                 size_goal = 65535*32768 = 2147450880
>
>     if new_segment:
>         skb = tcp_stream_alloc_skb()
>         copy = size_goal; // copy = 2147450880
>     if (copy > msg_data_left(msg)) // msg_data_left(msg) = 2147479552
>         copy = msg_data_left(msg); // copy = 2147450880
>     copy = min_t(int, copy, pfrag->size - pfrag->offset); // copy = 21360
>     skb_copy_to_page_nocache
>         skb_len_add
>             skb->len += copy; // skb->len add to 524288
>

I find this explanation way too long. No one will bother to double
check your claims.

I would simply point out that an underflow in sk_dst_gso_max_size()
leads to a crash,
because sk->sk_gso_max_size would be much bigger than device limits.


> The large skb length may load to a overflowed tso_segs, which can trigger
> a BUG_ON crash:
> tcp_write_xmit
>     tso_segs = tcp_init_tso_segs(skb, mss_now);
>         tcp_set_skb_tso_segs
>             tcp_skb_pcount_set
>                 // skb->len = 524288, mss_now = 8
>                 // u16 tso_segs = 524288/8 = 65535 -> 0
>                 tso_segs = DIV_ROUND_UP(skb->len, mss_now)
>     BUG_ON(!tso_segs)
>
> To solve this issue, the minimum value of gso_max_size/gso_ipv4_max_size
> should be checked.
>
> Fixes: 46e6b992c250 ("rtnetlink: allow GSO maximums to be set on device creation")
> Fixes: 9eefedd58ae1 ("net: add gso_ipv4_max_size and gro_ipv4_max_size per device")
> Signed-off-by: Wang Liang <wangliang74@...wei.com>
> ---
>  net/core/rtnetlink.c | 12 ++++++++++++
>  1 file changed, 12 insertions(+)
>
> diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
> index e30e7ea0207d..a0df1da5a0a6 100644
> --- a/net/core/rtnetlink.c
> +++ b/net/core/rtnetlink.c
> @@ -2466,6 +2466,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
>                 return -EINVAL;
>         }
>
> +       if (tb[IFLA_GSO_MAX_SIZE] &&
> +           (nla_get_u32(tb[IFLA_GSO_MAX_SIZE]) < MAX_TCP_HEADER + 1)) {
> +               NL_SET_ERR_MSG(extack, "too small gso_max_size");
> +               return -EINVAL;
> +       }

Modern way would be to change ifla_policy[] : This is where we put such limits.

Look for NLA_POLICY_MIN() uses in the tree.

> +
>         if (tb[IFLA_GSO_MAX_SEGS] &&
>             (nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > GSO_MAX_SEGS ||
>              nla_get_u32(tb[IFLA_GSO_MAX_SEGS]) > dev->tso_max_segs)) {
> @@ -2485,6 +2491,12 @@ static int validate_linkmsg(struct net_device *dev, struct nlattr *tb[],
>                 return -EINVAL;
>         }
>
> +       if (tb[IFLA_GSO_IPV4_MAX_SIZE] &&
> +           (nla_get_u32(tb[IFLA_GSO_IPV4_MAX_SIZE]) < MAX_TCP_HEADER + 1)) {
> +               NL_SET_ERR_MSG(extack, "too small gso_ipv4_max_size");
> +               return -EINVAL;
> +       }

Same here.

> +
>         if (tb[IFLA_GRO_IPV4_MAX_SIZE] &&
>             nla_get_u32(tb[IFLA_GRO_IPV4_MAX_SIZE]) > GRO_MAX_SIZE) {
>                 NL_SET_ERR_MSG(extack, "too big gro_ipv4_max_size");
> --
> 2.34.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ