lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <53d71eb564c341f1b7082169d78689be@huawei.com>
Date:   Wed, 22 Jul 2020 09:22:58 +0000
From:   "Guodeqing (A)" <geffrey.guo@...wei.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
CC:     David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Mahesh Bandewar <maheshb@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: 答复: [PATCH] ipvlan: add the check of ip header checksum

This check of ip head checksum should be add in ipvlan_get_L3_hdr,if the ipvlan_get_L3_hdr return value is null, the packet should be dropped.
Because the IP packet will do ip forward in the ipvlan l3/l3s mode and the corrupted ip packet should not go ahead, the other type packet will be dropped in ipvlan_process_outbound latter.
If the corrupted ip packet go ahead,this will cause a panic in a arm64 VM.

Linux 5.8.0-rc6+ #1 SMP Wed Jul 22 07:57:11 UTC 2020 aarch64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
# ifconfig eth0 up
# ip netns add ns1
# ip link add gw link eth0 type ipvlan
# ip addr add 168.16.0.1/24 dev gw
# ip link set dev gw up
# ip link add ip1 link eth0 type ipvlan
# ip link set ip1 netns ns1
# ip netns exec ns1 ip link set ip1 up
# ip netns exec ns1 ip addr add 168.16.0.2/24 dev ip1
# ip netns exec ns1 ip link set lo up
# ip netns exec ns1 ip addr add 127.0.0.1/8 dev lo
RTNETLINK answers: File exists
# ip netns exec ns1 tc qdisc add dev ip1 root netem corrupt 100%
# ip netns exec ns1 ping 168.16.0.1
PING 168.16.0.1 (168.16.0.1) 56(84) bytes of data.
64 bytes from 168.16.0.1: icmp_seq=14 ttl=64 time=0.063 ms
64 bytes from 168.16.0.1: icmp_seq=18 ttl=64 time=0.060 ms
From 168.16.0.1 icmp_seq=22 Destination Host Unreachable
From 168.16.0.1 icmp_seq=26 Destination Host Unreachable
From 168.16.0.1 icmp_seq=50 Destination Host Unreachable
64 bytes from 168.16.0.1: icmp_seq=62 ttl=64 time=0.051 ms
64 bytes from 168.16.0.1: icmp_seq=64 ttl=64 time=0.059 ms
64 bytes from 168.16.0.1: icmp_seq=70 ttl=64 time=0.056 ms
64 bytes from 168.16.0.1: icmp_seq=100 ttl=64 time=0.058 ms
64 bytes from 168.16.0.1: icmp_seq=114 ttl=64 time=0.059 ms
64 bytes from 168.16.0.1: icmp_seq=115 ttl=64 time=0.052 ms
64 bytes from 168.16.0.1: icmp_seq=117 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=134 ttl=64 time=0.059 ms
From 168.16.0.1 icmp_seq=164 Destination Host Unreachable
From 168.16.0.1 icmp_seq=183 Destination Host Unreachable
64 bytes from 168.16.0.1: icmp_seq=253 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=256 ttl=64 time=0.060 ms
64 bytes from 168.16.0.1: icmp_seq=258 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=262 ttl=64 time=0.046 ms
64 bytes from 168.16.0.1: icmp_seq=274 ttl=64 time=0.062 ms
64 bytes from 168.16.0.1: icmp_seq=278 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=293 ttl=64 time=0.062 ms
From 168.16.0.1 icmp_seq=292 Destination Host Unreachable
64 bytes from 168.16.0.1: icmp_seq=309 ttl=64 time=0.065 ms
64 bytes from 168.16.0.1: icmp_seq=322 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=329 ttl=64 time=0.041 ms
64 bytes from 168.16.0.1: icmp_seq=377 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=380 ttl=64 time=0.062 ms
64 bytes from 168.16.0.1: icmp_seq=385 ttl=64 time=0.065 ms
From 168.16.0.1 icmp_seq=384 Destination Host Unreachable
64 bytes from 168.16.0.1: icmp_seq=389 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=392 ttl=64 time=0.060 ms
64 bytes from 168.16.0.1: icmp_seq=398 ttl=64 time=0.061 ms
64 bytes from 168.16.0.1: icmp_seq=399 ttl=64 time=0.062 ms
64 bytes from 168.16.0.1: icmp_seq=402 ttl=64 time=0.056 ms
64 bytes from 168.16.0.1: icmp_seq=435 ttl=64 time=0.053 ms
64 bytes from 168.16.0.1: icmp_seq=443 ttl=64 time=0.054 ms
64 bytes from 168.16.0.1: icmp_seq=448 ttl=64 time=0.059 ms
64 bytes from 168.16.0.1: icmp_seq=450 ttl=64 time=0.059 ms
64 bytes from 168.16.0.1: icmp_seq=456 ttl=64 time=0.060 ms
[  506.647291] Unable to handle kernel paging request at virtual address ffff0000f85f0000
[  506.648121] Mem abort info:
[  506.648481]   ESR = 0x96000007
[  506.648777]   EC = 0x25: DABT (current EL), IL = 32 bits
[  506.649270]   SET = 0, FnV = 0
[  506.649698]   EA = 0, S1PTW = 0
[  506.650103] Data abort info:
[  506.650407]   ISV = 0, ISS = 0x00000007
[  506.651025]   CM = 0, WnR = 0
[  506.651363] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000000012dab7000
[  506.652252] [ffff0000f85f0000] pgd=000000013fff8003, p4d=000000013fff8003, pud=000000013f9f4003, pmd=000000013f838003, pte=0000000000000000
[  506.653729] Internal error: Oops: 96000007 [#1] SMP
[  506.654316] Modules linked in:
[  506.654748] CPU: 0 PID: 526 Comm: ping Not tainted 5.8.0-rc6+ #1
[  506.655594] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
[  506.656604] pstate: 20400005 (nzCv daif +PAN -UAO BTYPE=--)
[  506.657432] pc : __ip_local_out+0x84/0x188
[  506.658061] lr : ip_local_out+0x34/0x68
[  506.658602] sp : ffff80001324b440
[  506.659116] x29: ffff80001324b440 x28: 0000000000000001
[  506.659913] x27: ffff8000111d2018 x26: ffff8000114cba80
[  506.660703] x25: ffff0000ec419400 x24: 0000000000000000
[  506.661578] x23: 0000000000000062 x22: ffff8000114c9000
[  506.662401] x21: ffff0000fe4c3d00 x20: ffff0000ec4bd800
[  506.663180] x19: ffff8000115b5bc0 x18: 0000000000000000
[  506.663999] x17: 0000000000000000 x16: 0000000000000000
[  506.664749] x15: 0000000000000000 x14: 0000000000000000
[  506.665544] x13: 0000000000000000 x12: 0000000000000001
[  506.666333] x11: ffff800010d21838 x10: 0000000000000001
[  506.667145] x9 : 0000000000000001 x8 : 0000000000000000
[  506.667921] x7 : 0000000000000000 x6 : ffff0000ec531200
[  506.668682] x5 : 0240334854000184 x4 : ffff0000ec531210
[  506.669529] x3 : 0000000000000000 x2 : ffff0004ec531220
[  506.670311] x1 : ffff0000f85f0000 x0 : 031dd0d820c74d91
[  506.671116] Call trace:
[  506.671516]  __ip_local_out+0x84/0x188
[  506.672077]  ip_local_out+0x34/0x68
[  506.672618]  ipvlan_queue_xmit+0x548/0x5c0
[  506.673222]  ipvlan_start_xmit+0x2c/0x90
[  506.673863]  dev_hard_start_xmit+0xb4/0x260
[  506.674526]  sch_direct_xmit+0x1b4/0x550
[  506.675126]  __qdisc_run+0x140/0x648
[  506.675662]  __dev_queue_xmit+0x6a4/0x8b8
[  506.676259]  dev_queue_xmit+0x24/0x30
[  506.676813]  ip_finish_output2+0x324/0x580
[  506.677430]  __ip_finish_output+0x130/0x218
[  506.678084]  ip_finish_output+0x38/0xd0
[  506.678647]  ip_output+0xb4/0x130
[  506.679123]  ip_local_out+0x58/0x68
[  506.679629]  ip_send_skb+0x2c/0x88
[  506.680140]  ip_push_pending_frames+0x44/0x50
[  506.680798]  raw_sendmsg+0x7a4/0x988
[  506.681343]  inet_sendmsg+0x4c/0x78
[  506.681916]  sock_sendmsg+0x58/0x68
[  506.682440]  ____sys_sendmsg+0x284/0x2c0
[  506.683060]  ___sys_sendmsg+0x90/0xd0
[  506.683605]  __sys_sendmsg+0x78/0xd0
[  506.684150]  __arm64_sys_sendmsg+0x2c/0x38
[  506.684787]  el0_svc_common.constprop.2+0x70/0x128
[  506.685525]  do_el0_svc+0x34/0xa0
[  506.686018]  el0_sync_handler+0xec/0x128
[  506.686611]  el0_sync+0x140/0x180
[  506.687123] Code: ab030005 91001442 9a030000 8b020882 (b8404423)
[  506.688020] ---[ end trace 016adaee3c782b08 ]---
[  506.688694] Kernel panic - not syncing: Fatal exception in interrupt
[  506.689669] SMP: stopping secondary CPUs
[  506.690283] Kernel Offset: 0xc0000 from 0xffff800010000000
[  506.691043] PHYS_OFFSET: 0x40000000
[  506.691558] CPU features: 0x040002,22a08238
[  506.692170] Memory Limit: none
[  506.692642] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

This panic is because the ip header is corrupted.
I think this panic may be a problem, I will modify the patch to fix this panic,thanks.




-----邮件原件-----
发件人: Cong Wang [mailto:xiyou.wangcong@...il.com] 
发送时间: Wednesday, July 22, 2020 3:39
收件人: Guodeqing (A) <geffrey.guo@...wei.com>
抄送: David Miller <davem@...emloft.net>; Jakub Kicinski <kuba@...nel.org>; Mahesh Bandewar <maheshb@...gle.com>; Eric Dumazet <edumazet@...gle.com>; Linux Kernel Network Developers <netdev@...r.kernel.org>
主题: Re: [PATCH] ipvlan: add the check of ip header checksum

On Tue, Jul 21, 2020 at 6:17 AM guodeqing <geffrey.guo@...wei.com> wrote:
>
> The ip header checksum can be error in the following steps.
> $ ip netns add ns1
> $ ip link add gw link eth0 type ipvlan $ ip addr add 168.16.0.1/24 dev 
> gw $ ip link set dev gw up $ ip link add ip1 link eth0 type ipvlan $ 
> ip link set ip1 netns ns1 $ ip netns exec ns1 ip link set ip1 up $ ip 
> netns exec ns1 ip addr add 168.16.0.2/24 dev ip1 $ ip netns exec ns1 
> tc qdisc add dev ip1 root netem corrupt 50% $ ip netns exec ns1 ping 
> 168.16.0.1
>
> The ip header of a packet maybe modified when it steps in 
> ipvlan_process_v4_outbound because of the netem, the corruptted 
> packets should be dropped.

This does not make much sense, as you intentionally corrupt the header. More importantly, the check you add is too late, right?
ipvlan_xmit_mode_l3() already does the addr lookup with IP header,

Thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ