lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 1 Sep 2015 14:25:10 -0700
From:	Tom Herbert <tom@...bertland.com>
To:	Pravin Shelar <pshelar@...ira.com>
Cc:	Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: [PATCH net] skbuff: Fix skb checksum flag on skb pull

On Tue, Sep 1, 2015 at 2:10 PM, Pravin Shelar <pshelar@...ira.com> wrote:
> On Tue, Sep 1, 2015 at 12:55 PM, Tom Herbert <tom@...bertland.com> wrote:
>> On Tue, Sep 1, 2015 at 12:20 PM, Pravin Shelar <pshelar@...ira.com> wrote:
>>> On Tue, Sep 1, 2015 at 7:19 AM, Tom Herbert <tom@...bertland.com> wrote:
>>>> On Mon, Aug 31, 2015 at 10:15 PM, Pravin Shelar <pshelar@...ira.com> wrote:
>>>>> On Mon, Aug 31, 2015 at 9:12 PM, Tom Herbert <tom@...bertland.com> wrote:
>>>>>> On Mon, Aug 31, 2015 at 3:55 PM, Pravin B Shelar <pshelar@...ira.com> wrote:
>>>>>>> VXLAN device can receive skb with checksum partial. But the checksum
>>>>>>> offset could be in outer header which is pulled on receive. Such skb
>>>>>>> can cause the panic when checksum is calculated on skb. Following patch
>>>>>>> fixes the bug by setting checksum unnecessary while pulling outer header.
>>>>>>>
>>>>>> Okay, I think I understand what you are doing. I suggest in the
>>>>>> openvswitch path, if there is a checksum CHECKSUM_PARTIAL that refers
>>>>>> to the outer headers which must have been verified at this point then
>>>>>> set to CHECKSUM_NONE-- assuming CHECKSUM_UNNECESSARY on the inner
>>>>>> header is not correct in this case. If the CHECKSUM_PARTIAL refers to
>>>>>> the inner header then you can call skb_checksum_help to resolve an
>>>>>> inner checksum.
>>>>>>
>>>>>
>>>>> That would be OVS specific fix, But I do see skb_checksum_help()
>>>>> called in multiple places outside OVS that could result in similar
>>>>> kernel panic. Therefore I want to solve it up in networking stack
>>>>> rather than in OVS.
>>>>>
>>>> Please try to reproduce this out of OVS from the top of the tree then
>>>> and report down exactly where panic is occurring the code. Unlike most
>>>> of the of the other cases where skb_checksum_help() is being called
>>>> this in the RX path so skb is probably not pulled over the checksum
>>>> offset for those. Even so, if the skb is pulled beyond the checksum
>>>> offset then this should result in a negative offset in
>>>> skb_checksum_start_offset(skb) which should be okay. It looks like
>>>> this in itself should not be causing your panic.
>>>>
>>>
>>> ip_do_fragment() also calls skb_checksum_help() that can results in
>>> similar panic. But it is not easy to reproduce it in this case due to
>>> call site is in exception path.
>>> The negative checksum offset can atleast cause assert failure in
>>> skb_checksum_help(). I will send patch to fix that.
>>
>> Which BUG_ON do you see is hitting?
>
> BUG_ON(offset >= skb_headlen(skb));
> where skb_headlen() returns unsigned int, therefore negative offset
> cast to unsigned int.

Thanks, looks like skb_headlen() needs to be case to int for this
comparison. Does this fix your issue?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ