| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20200814162613.GP2975990@sasha-vm>
Date: Fri, 14 Aug 2020 12:26:13 -0400
From: Sasha Levin <sashal@...nel.org>
To: Eric Dumazet <edumazet@...gle.com>
Cc: Dexuan Cui <decui@...rosoft.com>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
Sasha Levin <Alexander.Levin@...rosoft.com>,
"w@....eu" <w@....eu>,
Joseph Salisbury <Joseph.Salisbury@...rosoft.com>,
Michael Kelley <mikelley@...rosoft.com>,
"viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"ohering@...e.com" <ohering@...e.com>
Subject: Re: [PATCH][for v4.4 only] udp: drop corrupt packets earlier to
avoid data corruption
On Wed, Aug 12, 2020 at 05:09:37PM -0700, Eric Dumazet wrote:
>On Wed, Aug 12, 2020 at 5:06 PM Sasha Levin <sashal@...nel.org> wrote:
>>
>> On Fri, Aug 07, 2020 at 06:03:00PM +0000, Dexuan Cui wrote:
>> >> From: Dexuan Cui <decui@...rosoft.com>
>> >> Sent: Monday, July 27, 2020 6:55 PM
>> >> To: gregkh@...uxfoundation.org; edumazet@...gle.com;
>> >> stable@...r.kernel.org
>> >> Cc: w@....eu; Dexuan Cui <decui@...rosoft.com>; Joseph Salisbury
>> >> <Joseph.Salisbury@...rosoft.com>; Michael Kelley <mikelley@...rosoft.com>;
>> >> viro@...iv.linux.org.uk; netdev@...r.kernel.org; davem@...emloft.net;
>> >> ohering@...e.com
>> >> Subject: [PATCH][for v4.4 only] udp: drop corrupt packets earlier to avoid data
>> >> corruption
>> >>
>> >> The v4.4 stable kernel lacks this bugfix:
>> >> commit 327868212381 ("make skb_copy_datagram_msg() et.al. preserve
>> >> ->msg_iter on error").
>> >> As a result, the v4.4 kernel can deliver corrupt data to the application
>> >> when a corrupt UDP packet is closely followed by a valid UDP packet: the
>> >> same invocation of the recvmsg() syscall can deliver the corrupt packet's
>> >> UDP payload to the application with the UDP payload length and the
>> >> "from IP/Port" of the valid packet.
>> >>
>> >> Details:
>> >>
>> >> For a UDP packet longer than 76 bytes (see the v5.8-rc6 kernel's
>> >> include/linux/skbuff.h:3951), Linux delays the UDP checksum verification
>> >> until the application invokes the syscall recvmsg().
>> >>
>> >> In the recvmsg() syscall handler, while Linux is copying the UDP payload
>> >> to the application's memory, it calculates the UDP checksum. If the
>> >> calculated checksum doesn't match the received checksum, Linux drops the
>> >> corrupt UDP packet, and then starts to process the next packet (if any),
>> >> and if the next packet is valid (i.e. the checksum is correct), Linux
>> >> will copy the valid UDP packet's payload to the application's receiver
>> >> buffer.
>> >>
>> >> The bug is: before Linux starts to copy the valid UDP packet, the data
>> >> structure used to track how many more bytes should be copied to the
>> >> application memory is not reset to what it was when the application just
>> >> entered the kernel by the syscall! Consequently, only a small portion or
>> >> none of the valid packet's payload is copied to the application's
>> >> receive buffer, and later when the application exits from the kernel,
>> >> actually most of the application's receive buffer contains the payload
>> >> of the corrupt packet while recvmsg() returns the length of the UDP
>> >> payload of the valid packet.
>> >>
>> >> For the mainline kernel, the bug was fixed in commit 327868212381,
>> >> but unluckily the bugfix is only backported to v4.9+. It turns out
>> >> backporting 327868212381 to v4.4 means that some supporting patches
>> >> must be backported first, so the overall changes seem too big, so the
>> >> alternative is performs the csum validation earlier and drops the
>> >> corrupt packets earlier.
>> >>
>> >> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
>> >> Signed-off-by: Dexuan Cui <decui@...rosoft.com>
>> >> ---
>> >> net/ipv4/udp.c | 3 +--
>> >> net/ipv6/udp.c | 6 ++----
>> >> 2 files changed, 3 insertions(+), 6 deletions(-)
>> >>
>> >> diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
>> >> index bb30699..49ab587 100644
>> >> --- a/net/ipv4/udp.c
>> >> +++ b/net/ipv4/udp.c
>> >> @@ -1589,8 +1589,7 @@ int udp_queue_rcv_skb(struct sock *sk, struct
>> >> sk_buff *skb)
>> >> }
>> >> }
>> >>
>> >> - if (rcu_access_pointer(sk->sk_filter) &&
>> >> - udp_lib_checksum_complete(skb))
>> >> + if (udp_lib_checksum_complete(skb))
>> >> goto csum_error;
>> >>
>> >> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
>> >> diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
>> >> index 73f1112..2d6703d 100644
>> >> --- a/net/ipv6/udp.c
>> >> +++ b/net/ipv6/udp.c
>> >> @@ -686,10 +686,8 @@ int udpv6_queue_rcv_skb(struct sock *sk, struct
>> >> sk_buff *skb)
>> >> }
>> >> }
>> >>
>> >> - if (rcu_access_pointer(sk->sk_filter)) {
>> >> - if (udp_lib_checksum_complete(skb))
>> >> - goto csum_error;
>> >> - }
>> >> + if (udp_lib_checksum_complete(skb))
>> >> + goto csum_error;
>> >>
>> >> if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
>> >> UDP6_INC_STATS_BH(sock_net(sk),
>> >> --
>> >> 1.8.3.1
>> >
>> >+Sasha
>> >
>> >This patch is targeted to the linux-4.4.y branch of the stable tree.
>>
>> Eric, will you ack this (or have a missed a previous ack)?
>
>Sure, although I have already a Signed-off-by: tag on this one, since
>I wrote this simpler fix for stable.
>
>If needed :
>Acked-by: Eric Dumazet <edumazet@...gle.com>
Ah, I see. Queued up, thanks!
--
Thanks,
Sasha
Powered by blists - more mailing lists