lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 22 Dec 2022 10:35:43 +0200
From:   Tudor Ambarus <tudor.ambarus@...aro.org>
To:     stable@...r.kernel.org
Cc:     willemdebruijn.kernel@...il.com, mst@...hat.com,
        jasowang@...hat.com, edumazet@...gle.com,
        virtualization@...ts.linux-foundation.org, davem@...emloft.net,
        kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org,
        willemb@...gle.com, syzkaller@...glegroups.com,
        liuhangbin@...il.com, linux-kernel@...r.kernel.org,
        joneslee@...gle.com, Tudor Ambarus <tudor.ambarus@...aro.org>
Subject: [PATCH 0/2] net/af_packet: Fix kernel BUG in __skb_gso_segment

The series is intended for stable@...r.kernel.org # 5.4+

Syzkaller reported the following bug on linux-5.{4, 10, 15}.y:
https://syzkaller.appspot.com/bug?id=ce5575575f074c33ff80d104f5baee26f22e95f5

The upstream commit that introduces this bug is:
1ed1d5921139 ("net: skip virtio_net_hdr_set_proto if protocol already set")

Upstream fixes the bug with the following commits, one of which introduces
new support:
e9d3f80935b6 ("net/af_packet: make sure to pull mac header")
dfed913e8b55 ("net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO") 

The additional logic and risk backported seems manageable.

The blammed commit introduces a kernel BUG in __skb_gso_segment for
AF_PACKET SOCK_RAW GSO VLAN tagged packets. What happens is that
virtio_net_hdr_set_proto() exists early as skb->protocol is already set to
ETH_P_ALL. Then in packet_parse_headers() skb->protocol is set to
ETH_P_8021AD, but neither the network header position is adjusted, nor the
mac header is pulled. Thus when we get to validate the xmit skb and enter
skb_mac_gso_segment(), skb->mac_len has value 14, but vlan_depth gets
updated to 18 after skb_network_protocol() is called. This causes the
BUG_ON from __skb_pull(skb, vlan_depth) to be hit, as the mac header has
not been pulled yet.

The fixes from upstream backported cleanly without conflicts. I updated
the commit message of the first patch to describe the problem encountered,
and added Cc, Fixes, Reported-by and Tested-by tags. For the second patch
I just added Cc to stable indicating the versions to be fixed, and added
my Tested and Signed-off-by tags.

I tested the patches on linux-5.{4, 10, 15}.y.

Eric Dumazet (1):
  net/af_packet: make sure to pull mac header

Hangbin Liu (1):
  net/af_packet: add VLAN support for AF_PACKET SOCK_RAW GSO

 net/packet/af_packet.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

-- 
2.34.1

Powered by blists - more mailing lists