lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 14 Dec 2020 16:07:19 -0500
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     Jakub Kicinski <kuba@...nel.org>
Cc:     Willem de Bruijn <willemdebruijn.kernel@...il.com>,
        Vasily Averin <vvs@...tuozzo.com>,
        "David S. Miller" <davem@...emloft.net>,
        Network Development <netdev@...r.kernel.org>
Subject: Re: [PATCH] net: check skb partial checksum offset after trim

On Mon, Dec 14, 2020 at 3:56 PM Jakub Kicinski <kuba@...nel.org> wrote:
>
> On Sun, 13 Dec 2020 20:59:54 -0500 Willem de Bruijn wrote:
> > On Sun, Dec 13, 2020 at 2:37 PM Vasily Averin <vvs@...tuozzo.com> wrote:
> > > >> On 12/11/20 6:37 PM, Vasily Averin wrote:
> > > >>> It seems for me the similar problem can happen in __skb_trim_rcsum().
> > > >>> Also I doubt that that skb_checksum_start_offset(skb) checks in
> > > >>> __skb_postpull_rcsum() and skb_csum_unnecessary() are correct,
> > > >>> becasue they do not guarantee that skb have correct CHECKSUM_PARTIAL.
> > > >>> Could somebody confirm it?
> > > >>
> > > >> I've rechecked the code and I think now that other places are not affected,
> > > >> i.e. skb_push_rcsum() only should be patched.
> > > >
> > > > Thanks for investigating this. So tun was able to insert a packet with
> > > > csum_start + csum_off + 2 beyond the packet after trimming, using
> > > > virtio_net_hdr.csum_...
> > > >
> > > > Any packet with an offset beyond the end of the packet is bogus
> > > > really. No need to try to accept it by downgrading to CHECKSUM_NONE.
> > >
> > > Do you mean it's better to force pskb_trim_rcsum() to return -EINVAL instead?
> >
> > I would prefer to have more strict input validation in
> > tun/virtio/packet (virtio_net_hdr_to_skb), rather than new checks in
> > the hot path. But that is a larger change and not feasible
> > unconditionally due to performance impact and likely some false
> > positive drops. So out of scope here.
>
> Could you please elaborate? Is it the case that syzbot constructed some
> extremely convoluted frame to trigger this?

Somewhat convoluted, yes. A packet with a checksum offset beyond the
end of the ip packet.

skb_partial_csum_set (called from virtio_net_hdr_to_skb) verifies that
the offsets are within the linear buffer passed from userspace, but
without protocol parsing we don't know at that time that the offset is
beyond the end of the packet.

> Otherwise the validation
> at the source would work as well, no?

The problem with validation is two fold: it may add noticeable cost to
the hot path and it may have false positives: packets that the flow
dissector cannot fully dissect, but which are harmless and were
previously accepted.

I do want to add such strict source validation based on flow
dissection, but as an opt-in (sysctl) feature.

> Does it actually trigger upstream? The linked syzbot report is for 4.14
> but from the commit description it sounds like the problem should repro
> rather reliably.

>From the description, I would assume so, too. Haven't tested.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ