lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 26 Jan 2021 16:54:55 -0500
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     kernelnewbies@...nelnewbies.org,
        Network Development <netdev@...r.kernel.org>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Jakub Sitnicki <jakub@...udflare.com>,
        Paolo Abeni <pabeni@...hat.com>
Subject: Re: UDP implementation and the MSG_MORE flag

On Tue, Jan 26, 2021 at 9:58 AM Oliver Graute <oliver.graute@...il.com> wrote:
>
> Hello,
>
> we observe some unexpected behavior in the UDP implementation of the
> linux kernel.
>
> Some UDP packets send via the loopback interface are dropped in the
> kernel on the receive side when using sendto with the MSG_MORE flag.
> Every drop increases the InCsumErrors in /proc/self/net/snmp. Some
> example code to reproduce it is appended below.
>
> In the code we tracked it down to this code section. ( Even a little
> further but its unclear to me wy the csum() is wrong in the bad case)
>
> udpv6_recvmsg()
> ...
> if (checksum_valid || udp_skb_csum_unnecessary(skb)) {
>                 if (udp_skb_is_linear(skb))
>                         err = copy_linear_skb(skb, copied, off, &msg->msg_iter);
>                 else
>                         err = skb_copy_datagram_msg(skb, off, msg, copied);
>         } else {
>                 err = skb_copy_and_csum_datagram_msg(skb, off, msg);
>                 if (err == -EINVAL) {
>                         goto csum_copy_err;
>                 }
>         }
> ...
>

Thanks for the report with a full reproducer.

I don't have a full answer yet, but can reproduce this easily.

The third program, without MSG_MORE, builds an skb with
CHECKSUM_PARTIAL in __ip_append_data. When looped to the receive path
that ip_summed means no additional validation is needed. As encoded in
skb_csum_unnecessary.

The first and second programs are essentially the same, bar for a
slight difference in length. In both cases packet length is very short
compared to the loopback device MTU. Because of MSG_MORE, these
packets have CHECKSUM_NONE.

On receive in

  __udp4_lib_rcv()
    udp4_csum_init()
      err = skb_checksum_init_zero_check()

The second program validates and sets ip_summed = CHECKSUM_COMPLETE
and csum_valid = 1.
The first does not, though err == 0.

This appears to succeed consistently for packets <= 68B of payload,
fail consistently otherwise. It is not clear to me yet what causes
this distinction.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ