lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e826f337c3db612852c5f543d123ee53adc885bb.camel@redhat.com>
Date: Wed, 13 Mar 2024 16:41:16 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Shiming Cheng <shiming.cheng@...iatek.com>, davem@...emloft.net, 
	edumazet@...gle.com, kuba@...nel.org
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org, 
	lena.wang@...iatek.com
Subject: Re: [PATCH net] udp: fix segmentation crash for untrusted source
 packet

On Wed, 2024-03-13 at 21:34 +0800, Shiming Cheng wrote:
> Kernel exception is reported when making udp frag list segmentation.
> Backtrace is as below:
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:229
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:262
> features=features@...ry=19, is_ipv6=false)
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:289
> features=19)
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:399
> features=19)
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/af_inet.c:1418
> skb@...ry=0x0, features=19, features@...ry=0)
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:53
> tx_path=<optimized out>)
>     at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:124

A full backtrace would help better understanding the issue.

> This packet's frag list is null while gso_type is not 0. Then it is treated
> as a GRO-ed packet and sent to segment frag list. Function call path is
> udp_rcv_segment => config features value
>     __udpv4_gso_segment  => skb_gso_ok returns false. Here it should be
>                             true. 

Why? If I read correctly the above, this is GSO packet landing in an
UDP socket with no UDP_GRO sockopt. The packet is expected to be
segmented again.

>				Failed reason is features doesn't
match
>                             gso_type.
>         __udp_gso_segment_list
>             skb_segment_list => packet is linear with skb->next = NULL
>             __udpv4_gso_segment_list_csum => use skb->next directly and
>                                              crash happens
> 
> In rx-gro-list GRO-ed packet is set gso type as
> NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST in napi_gro_complete. In gso
> flow the features should also set them to match with gso_type. Or else it
> will always return false in skb_gso_ok. Then it can't discover the
> untrusted source packet and result crash in following function.

What is the 'untrusted source' here? I read the above as the packet
aggregation happened in the GRO engine???

Could you please give a complete description of the relevant scenario?

> Fixes: f2696099c6c6 ("udp: Avoid post-GRO UDP checksum recalculation")
> Signed-off-by: Shiming Cheng <shiming.cheng@...iatek.com>
> Signed-off-by: Lena Wang <lena.wang@...iatek.com>
> ---
>  include/net/udp.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/include/net/udp.h b/include/net/udp.h
> index 488a6d2babcc..c87baa23b9da 100644
> --- a/include/net/udp.h
> +++ b/include/net/udp.h
> @@ -464,7 +464,7 @@ void udpv6_encap_enable(void);
>  static inline struct sk_buff *udp_rcv_segment(struct sock *sk,
>  					      struct sk_buff *skb, bool ipv4)
>  {
> -	netdev_features_t features = NETIF_F_SG;
> +	netdev_features_t features = NETIF_F_SG | NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST;

This looks wrong: real UDP_L4 GSO packets will not segmented anymore
and should be dropped (?!?)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ