lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6450193c852ef_3163ce2944d@willemb.c.googlers.com.notmuch>
Date:   Mon, 01 May 2023 15:55:40 -0400
From:   Willem de Bruijn <willemdebruijn.kernel@...il.com>
To:     Kuniyuki Iwashima <kuniyu@...zon.com>,
        "David S. Miller" <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Paolo Abeni <pabeni@...hat.com>,
        Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc:     Zhengchao Shao <shaozhengchao@...wei.com>,
        Kuniyuki Iwashima <kuniyu@...zon.com>,
        Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org,
        syzbot <syzkaller@...glegroups.com>
Subject: RE: [PATCH v1 net] af_packet: Don't send zero-byte data in
 packet_sendmsg_spkt().

Kuniyuki Iwashima wrote:
> syzkaller reported a warning below [0].
> 
> We can reproduce it by sending 0-byte data from the (AF_PACKET,
> SOCK_PACKET) socket via some devices whose dev->hard_header_len
> is 0.
> 
>     struct sockaddr_pkt addr = {
>         .spkt_family = AF_PACKET,
>         .spkt_device = "tun0",
>     };
>     int fd;
> 
>     fd = socket(AF_PACKET, SOCK_PACKET, 0);
>     sendto(fd, NULL, 0, 0, (struct sockaddr *)&addr, sizeof(addr));
> 
> We have a similar fix for the (AF_PACKET, SOCK_RAW) socket as
> commit dc633700f00f ("net/af_packet: check len when min_header_len
> equals to 0").
> 
> Let's add the same test for the SOCK_PACKET socket.
> 
> [0]:
> skb_assert_len
> WARNING: CPU: 1 PID: 19945 at include/linux/skbuff.h:2552 skb_assert_len include/linux/skbuff.h:2552 [inline]
> WARNING: CPU: 1 PID: 19945 at include/linux/skbuff.h:2552 __dev_queue_xmit+0x1f26/0x31d0 net/core/dev.c:4159
> Modules linked in:
> CPU: 1 PID: 19945 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> RIP: 0010:skb_assert_len include/linux/skbuff.h:2552 [inline]
> RIP: 0010:__dev_queue_xmit+0x1f26/0x31d0 net/core/dev.c:4159
> Code: 89 de e8 1d a2 85 fd 84 db 75 21 e8 64 a9 85 fd 48 c7 c6 80 2a 1f 86 48 c7 c7 c0 06 1f 86 c6 05 23 cf 27 04 01 e8 fa ee 56 fd <0f> 0b e8 43 a9 85 fd 0f b6 1d 0f cf 27 04 31 ff 89 de e8 e3 a1 85
> RSP: 0018:ffff8880217af6e0 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90001133000
> RDX: 0000000000040000 RSI: ffffffff81186922 RDI: 0000000000000001
> RBP: ffff8880217af8b0 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000000001 R11: 0000000000000001 R12: ffff888030045640
> R13: ffff8880300456b0 R14: ffff888030045650 R15: ffff888030045718
> FS:  00007fc5864da640(0000) GS:ffff88806cd00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020005740 CR3: 000000003f856003 CR4: 0000000000770ee0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> PKRU: 55555554
> Call Trace:
>  <TASK>
>  dev_queue_xmit include/linux/netdevice.h:3085 [inline]
>  packet_sendmsg_spkt+0xc4b/0x1230 net/packet/af_packet.c:2066
>  sock_sendmsg_nosec net/socket.c:724 [inline]
>  sock_sendmsg+0x1b4/0x200 net/socket.c:747
>  ____sys_sendmsg+0x331/0x970 net/socket.c:2503
>  ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2557
>  __sys_sendmmsg+0x18c/0x430 net/socket.c:2643
>  __do_sys_sendmmsg net/socket.c:2672 [inline]
>  __se_sys_sendmmsg net/socket.c:2669 [inline]
>  __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2669
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x3c/0x90 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x72/0xdc
> RIP: 0033:0x7fc58791de5d
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
> RSP: 002b:00007fc5864d9cc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 00000000004bbf80 RCX: 00007fc58791de5d
> RDX: 0000000000000001 RSI: 0000000020005740 RDI: 0000000000000004
> RBP: 00000000004bbf80 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 000000000000000b R14: 00007fc58797e530 R15: 0000000000000000
>  </TASK>
> ---[ end trace 0000000000000000 ]---
> skb len=0 headroom=16 headlen=0 tailroom=304
> mac=(16,0) net=(16,-1) trans=-1
> shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
> csum(0x0 ip_summed=0 complete_sw=0 valid=0 level=0)
> hash(0x0 sw=0 l4=0) proto=0x0000 pkttype=0 iif=0
> dev name=sit0 feat=0x00000006401d7869
> sk family=17 type=10 proto=0
> 
> Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len")
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot <syzkaller@...glegroups.com>
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>

This is a straightforward extension of the referenced commit.

But if the issue is only triggered by BPF shenanigans, as implied
by the Fixes and by commit fd1894224407 ("bpf: Don't redirect packets
with invalid pkt_len"), which introduces skb_assert_len, can that
be catched in BPF redirect, so that we don't have to add assertions
and checks elsewhere in the stack?

> ---
>  net/packet/af_packet.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
> index 6080c0db0814..640d94e34635 100644
> --- a/net/packet/af_packet.c
> +++ b/net/packet/af_packet.c
> @@ -2033,7 +2033,7 @@ static int packet_sendmsg_spkt(struct socket *sock, struct msghdr *msg,
>  		goto retry;
>  	}
>  
> -	if (!dev_validate_header(dev, skb->data, len)) {
> +	if (!dev_validate_header(dev, skb->data, len) || !skb->len) {
>  		err = -EINVAL;
>  		goto out_unlock;
>  	}
> -- 
> 2.30.2
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ