lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1474997505-5059-1-git-send-email-shmulik.ladkani@gmail.com>
Date:   Tue, 27 Sep 2016 20:31:45 +0300
From:   Shmulik Ladkani <shmulik.ladkani@...il.com>
To:     "David S . Miller" <davem@...emloft.net>,
        Pravin Shelar <pshelar@....org>
Cc:     Jiri Pirko <jiri@...lanox.com>,
        Daniel Borkmann <daniel@...earbox.net>, netdev@...r.kernel.org,
        Shmulik Ladkani <shmulik.ladkani@...il.com>
Subject: [PATCH net] net: skbuff: Fix incorrect skb->mac_len adjustment in skb_vlan_push()

In case 'skb_vlan_push' is called on an skb with a hw-accel vlan tag
already present, the existing hw-accel tag is inserted into payload, and
the new given tag is placed as new hw-accel tag.

After the insertion:
 - 'mac_header' is adjusted to point to the new start of the vlan_ethhdr
 - 'data' is adjusted to point to the vlan_hdr portion
   (since packet's payload is the inner 802.1q)

However, 'mac_len' is incorrectly incremented with additional VLAN_HLEN
bytes, resulting in a total value of 18 bytes.

Meaning, when issuing 'skb_push(skb, skb->mac_len)' the data points
to random content, 4 bytes PRIOR the ethhdr location.

This is problematic, as many constructs in the stack are issuing
'skb_push(skb, skb->mac_len)' prior xmit to a device (e.g tcf_mirred,
tcf_bpf, nf_dup_netdev_egress), resulting in bogus frames being
xmitted (having random 4 bytes at start of frame).

For example:

 # ip l add dev d0 type dummy
 # tc filter add dev eth0 parent ffff: pref 1 basic \
     action vlan push protocol 802.1ad id 5 pipe \
     action mirred egress redirect dev d0

Any 802.1q (hw-accel) tagged frames arriving on eth0 are xmitted as
bogus frames on d0; whereas the expected behavior is having QinQ frames.

Fix, removing the unnecessary VLAN_HLEN adjustment of mac_len.

Fixes: 93515d53b1 ("net: move vlan pop/push functions into common code")
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@...il.com>
Cc: Pravin Shelar <pshelar@....org>
Cc: Jiri Pirko <jiri@...lanox.com>
---

 - David, if patch ok, suggest this goes to -stable

 - Pravin, original push_vlan() code in openvswitch/actions.c prior Jiri
   has moved it into skbuff.c had the following comment:
        /* Update mac_len for subsequent MPLS actions */
        skb->mac_len += VLAN_HLEN;
   Can you please acknowlegde OvS code is also ok with suggested change?

 net/core/skbuff.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index d36c754895..0cf961868b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4607,7 +4607,6 @@ int skb_vlan_push(struct sk_buff *skb, __be16 vlan_proto, u16 vlan_tci)
 		}
 
 		skb->protocol = skb->vlan_proto;
-		skb->mac_len += VLAN_HLEN;
 
 		skb_postpush_rcsum(skb, skb->data + (2 * ETH_ALEN), VLAN_HLEN);
 		__skb_pull(skb, offset);
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ