lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <65a16bd458ece_18f8a2294e8@willemb.c.googlers.com.notmuch>
Date: Fri, 12 Jan 2024 11:41:56 -0500
From: Willem de Bruijn <willemdebruijn.kernel@...il.com>
To: Eric Dumazet <edumazet@...gle.com>, 
 "David S . Miller" <davem@...emloft.net>, 
 Jakub Kicinski <kuba@...nel.org>, 
 Paolo Abeni <pabeni@...hat.com>
Cc: Willem de Bruijn <willemb@...gle.com>, 
 netdev@...r.kernel.org, 
 eric.dumazet@...il.com, 
 Eric Dumazet <edumazet@...gle.com>, 
 syzbot+7f4d0ea3df4d4fa9a65f@...kaller.appspotmail.com
Subject: Re: [PATCH net] net: add more sanity check in virtio_net_hdr_to_skb()

Eric Dumazet wrote:
> syzbot/KMSAN reports access to uninitialized data from gso_features_check() [1]
> 
> The repro use af_packet, injecting a gso packet and hdrlen == 0.
> 
> We could fix the issue making gso_features_check() more careful
> while dealing with NETIF_F_TSO_MANGLEID in fast path.
> 
> Or we can make sure virtio_net_hdr_to_skb() pulls minimal network and
> transport headers as intended.
> 
> Note that for GSO packets coming from untrusted sources, SKB_GSO_DODGY
> bit forces a proper header validation (and pull) before the packet can
> hit any device ndo_start_xmit(), thus we do not need a precise disection
> at virtio_net_hdr_to_skb() stage.
> 
> [1]
> BUG: KMSAN: uninit-value in skb_gso_segment include/net/gso.h:83 [inline]
> BUG: KMSAN: uninit-value in validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629
>  skb_gso_segment include/net/gso.h:83 [inline]
>  validate_xmit_skb+0x10f2/0x1930 net/core/dev.c:3629
>  __dev_queue_xmit+0x1eac/0x5130 net/core/dev.c:4341
>  dev_queue_xmit include/linux/netdevice.h:3134 [inline]
>  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
>  packet_snd net/packet/af_packet.c:3087 [inline]
>  packet_sendmsg+0x8b1d/0x9f30 net/packet/af_packet.c:3119
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg net/socket.c:745 [inline]
>  ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
>  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
>  __sys_sendmsg net/socket.c:2667 [inline]
>  __do_sys_sendmsg net/socket.c:2676 [inline]
>  __se_sys_sendmsg net/socket.c:2674 [inline]
>  __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> Uninit was created at:
>  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
>  slab_alloc_node mm/slub.c:3478 [inline]
>  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
>  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
>  __alloc_skb+0x318/0x740 net/core/skbuff.c:651
>  alloc_skb include/linux/skbuff.h:1286 [inline]
>  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
>  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2780
>  packet_alloc_skb net/packet/af_packet.c:2936 [inline]
>  packet_snd net/packet/af_packet.c:3030 [inline]
>  packet_sendmsg+0x70e8/0x9f30 net/packet/af_packet.c:3119
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg net/socket.c:745 [inline]
>  ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
>  ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
>  __sys_sendmsg net/socket.c:2667 [inline]
>  __do_sys_sendmsg net/socket.c:2676 [inline]
>  __se_sys_sendmsg net/socket.c:2674 [inline]
>  __x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> CPU: 0 PID: 5025 Comm: syz-executor279 Not tainted 6.7.0-rc7-syzkaller-00003-gfbafc3e621c3 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023
> 
> Reported-by: syzbot+7f4d0ea3df4d4fa9a65f@...kaller.appspotmail.com
> Link: https://lore.kernel.org/netdev/0000000000005abd7b060eb160cd@google.com/
> Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets")
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Willem de Bruijn <willemb@...gle.com>

Reviewed-by: Willem de Bruijn <willemb@...gle.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ