| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bef878c0-4d7f-4e9a-a05d-30f6fde31e3c@huawei.com>
Date: Fri, 25 Jul 2025 15:55:15 +0800
From: Wang Liang <wangliang74@...wei.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>, <mst@...hat.com>,
<jasowang@...hat.com>, <xuanzhuo@...ux.alibaba.com>, <eperezma@...hat.com>,
<pabeni@...hat.com>, <davem@...emloft.net>, <willemb@...gle.com>,
<atenart@...nel.org>
CC: <yuehaibing@...wei.com>, <zhangchangzhong@...wei.com>,
<netdev@...r.kernel.org>, <virtualization@...ts.linux.dev>,
<linux-kernel@...r.kernel.org>, <steffen.klassert@...unet.com>
Subject: Re: [PATCH net] net: check the minimum value of gso size in
virtio_net_hdr_to_skb()
在 2025/7/24 21:29, Willem de Bruijn 写道:
> Wang Liang wrote:
>> When sending a packet with virtio_net_hdr to tun device, if the gso_type
>> in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr
>> size, below crash may happen.
>>
> gso_size is the size of the segment payload, excluding the transport
> header.
>
> This is probably not the right approach.
>
> Not sure how a GSO skb can be built that is shorter than even the
> transport header. Maybe an skb_dump of the GSO skb can be elucidating.
>> return -EINVAL;
>>
>> /* Too small packets are not really GSO ones. */
>> --
>> 2.34.1
>>
Thanks for your review!
Here is the skb_dump result:
skb len=4 headroom=98 headlen=4 tailroom=282
mac=(64,14) mac_len=14 net=(78,20) trans=98
shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
csum(0x8c start=140 offset=0 ip_summed=1 complete_sw=0 valid=1 level=0)
hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=2 iif=4
priority=0x0 mark=0x0 alloc_cpu=0 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
dev name=tun0 feat=0x00002000000048c1
skb headroom: 00000000: 20 00 00 00 10 00 05 00 c4 2c 83 68 00 00 00 00
skb headroom: 00000010: 00 00 00 00 04 00 00 00 01 00 00 00 01 00 00 00
skb headroom: 00000020: 08 00 1d 00 09 00 00 00 09 00 03 00 74 75 6e 30
skb headroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb headroom: 00000040: 01 80 c2 00 00 00 ff ff ff ff ff ff 08 00 45 00
skb headroom: 00000050: 00 18 00 00 20 00 00 11 ba d4 00 00 00 00 e0 00
skb headroom: 00000060: 00 01
skb linear: 00000000: 00 9c d0 90
skb tailroom: 00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 0b 0e 04 80 88
skb tailroom: 00000100: ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00
skb tailroom: 00000110: 00 00 00 00 00 00 00 00 00 00
The following C code can reproduce this issue:
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#include <linux/virtio_net.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
int main(void)
{
// create udp socket, set option UDP_ENCAP_ESPINUDP
int udp_fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
struct sockaddr_in server_addr = {
.sin_family = AF_INET,
.sin_port = htons(20004),
.sin_addr.s_addr = inet_addr("224.0.0.1"),
};
bind(udp_fd, (struct sockaddr *)&server_addr, sizeof(server_addr));
int val = UDP_ENCAP_ESPINUDP;
setsockopt(udp_fd, IPPROTO_UDP, UDP_ENCAP, &val, sizeof(val));
// send udp packet to tun/tap dev
system("ip tuntap add dev tun0 mode tap");
system("ip link set dev tun0 up");
int fd = open("/dev/net/tun", O_RDWR);
struct ifreq ifr = {
.ifr_flags = IFF_TAP | IFF_NAPI | IFF_NAPI_FRAGS |
IFF_ONE_QUEUE | IFF_VNET_HDR,
.ifr_name = "tun0",
};
ioctl(fd, TUNSETIFF, &ifr);
struct tun_pi pi = { 0 };
struct virtio_net_hdr gso = {
.flags = VIRTIO_NET_HDR_F_NEEDS_CSUM,
.gso_type = VIRTIO_NET_HDR_GSO_UDP,
.hdr_len = 64,
.gso_size = 4,
.csum_start = 76,
.csum_offset = 0,
};
struct ethhdr eth = {
.h_dest = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00},
.h_source = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
.h_proto = htons(0x0800),
};
struct iphdr iph = {
.version = 4,
.ihl = 5,
.tot_len = htons(176),
.protocol = IPPROTO_UDP,
.saddr = 0,
.daddr = inet_addr("224.0.0.1"),
.check = 0x3cda,
};
struct udphdr uh = {
.source = 0,
.dest = htons(20004),
.len = htons(156),
.check = 0x2363,
};
char buf[204] = { 0 };
memcpy(buf, &pi, 4);
memcpy(buf + 4, &gso, 10);
memcpy(buf + 14, ð, 14);
memcpy(buf + 28, &iph, 20);
memcpy(buf + 48, &uh, 8);
write(fd, buf, sizeof(buf));
close(fd);
return 0;
}
------
Best regards
Wang Liang
>
Powered by blists - more mailing lists