| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Mar 2024 16:41:16 +0100
From: Paolo Abeni <pabeni@...hat.com>
To: Shiming Cheng <shiming.cheng@...iatek.com>, davem@...emloft.net,
edumazet@...gle.com, kuba@...nel.org
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
lena.wang@...iatek.com
Subject: Re: [PATCH net] udp: fix segmentation crash for untrusted source
packet
On Wed, 2024-03-13 at 21:34 +0800, Shiming Cheng wrote:
> Kernel exception is reported when making udp frag list segmentation.
> Backtrace is as below:
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:229
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:262
> features=features@...ry=19, is_ipv6=false)
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:289
> features=19)
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/udp_offload.c:399
> features=19)
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/ipv4/af_inet.c:1418
> skb@...ry=0x0, features=19, features@...ry=0)
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:53
> tx_path=<optimized out>)
> at out/android15-6.6/kernel-6.6/kernel-6.6/net/core/gso.c:124
A full backtrace would help better understanding the issue.
> This packet's frag list is null while gso_type is not 0. Then it is treated
> as a GRO-ed packet and sent to segment frag list. Function call path is
> udp_rcv_segment => config features value
> __udpv4_gso_segment => skb_gso_ok returns false. Here it should be
> true.
Why? If I read correctly the above, this is GSO packet landing in an
UDP socket with no UDP_GRO sockopt. The packet is expected to be
segmented again.
> Failed reason is features doesn't
match
> gso_type.
> __udp_gso_segment_list
> skb_segment_list => packet is linear with skb->next = NULL
> __udpv4_gso_segment_list_csum => use skb->next directly and
> crash happens
>
> In rx-gro-list GRO-ed packet is set gso type as
> NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST in napi_gro_complete. In gso
> flow the features should also set them to match with gso_type. Or else it
> will always return false in skb_gso_ok. Then it can't discover the
> untrusted source packet and result crash in following function.
What is the 'untrusted source' here? I read the above as the packet
aggregation happened in the GRO engine???
Could you please give a complete description of the relevant scenario?
> Fixes: f2696099c6c6 ("udp: Avoid post-GRO UDP checksum recalculation")
> Signed-off-by: Shiming Cheng <shiming.cheng@...iatek.com>
> Signed-off-by: Lena Wang <lena.wang@...iatek.com>
> ---
> include/net/udp.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/include/net/udp.h b/include/net/udp.h
> index 488a6d2babcc..c87baa23b9da 100644
> --- a/include/net/udp.h
> +++ b/include/net/udp.h
> @@ -464,7 +464,7 @@ void udpv6_encap_enable(void);
> static inline struct sk_buff *udp_rcv_segment(struct sock *sk,
> struct sk_buff *skb, bool ipv4)
> {
> - netdev_features_t features = NETIF_F_SG;
> + netdev_features_t features = NETIF_F_SG | NETIF_F_GSO_UDP_L4 | NETIF_F_GSO_FRAGLIST;
This looks wrong: real UDP_L4 GSO packets will not segmented anymore
and should be dropped (?!?)
Powered by blists - more mailing lists