lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CANn89iL72ia+aCaRxPvBBaOcbKU_VTLZSPBjiUAQ14dhpSJrfw@mail.gmail.com>
Date: Wed, 3 Apr 2024 16:25:47 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Sabrina Dubroca <sd@...asysnail.net>
Cc: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>, netdev@...r.kernel.org, eric.dumazet@...il.com, 
	syzbot+9ee20ec1de7b3168db09@...kaller.appspotmail.com, 
	Phillip Potter <phil@...lpotter.co.uk>
Subject: Re: [PATCH net] geneve: fix header validation in geneve[6]_xmit_skb

On Wed, Apr 3, 2024 at 4:21 PM Sabrina Dubroca <sd@...asysnail.net> wrote:
>
> 2024-04-03, 11:38:53 +0000, Eric Dumazet wrote:
> > syzbot is able to trigger an uninit-value in geneve_xmit() [1]
> >
> > Problem : While most ip tunnel helpers (like ip_tunnel_get_dsfield())
> > uses skb_protocol(skb, true), pskb_inet_may_pull() is only using
> > skb->protocol.
> >
> > If anything else than ETH_P_IPV6 or ETH_P_IP is found in skb->protocol,
> > pskb_inet_may_pull() does nothing at all.
> >
> > If a vlan tag was provided by the caller (af_packet in the syzbot case),
> > the network header might not point to the correct location, and skb
> > linear part could be smaller than expected.
> >
> > Add skb_vlan_inet_prepare() to perform a complete validation and pull.
> > If no IPv4/IPv6 header is found, it returns 0.
>
> And then geneve_xmit_skb/geneve6_xmit_skb drops the packet, which
> breaks ARP over a geneve tunnel, and other valid things like macsec.

geneve_xmit_skb() uses ip_hdr() blindly.

How can we cope properly with this mess ?

>
> > diff --git a/include/net/ip_tunnels.h b/include/net/ip_tunnels.h
> > index 5cd64bb2104df389250fb3c518ba00a3826c53f7..41537d5dce52412e15d7871ec604546582b10098 100644
> > --- a/include/net/ip_tunnels.h
> > +++ b/include/net/ip_tunnels.h
> > @@ -361,6 +361,37 @@ static inline bool pskb_inet_may_pull(struct sk_buff *skb)
> >       return pskb_network_may_pull(skb, nhlen);
> >  }
> >
> > +/* Strict version of pskb_inet_may_pull().
> > + * Once vlan headers are skipped, only accept
> > + * ETH_P_IPV6 and ETH_P_IP.
> > + */
> > +static inline __be16 skb_vlan_inet_prepare(struct sk_buff *skb)
> > +{
> > +     int nhlen, maclen;
> > +     __be16 type;
>
> Should that be:
>
>     type = skb->protocol
>
> ?
>
> Otherwise it's used uninitialized here:
>
> > +
> > +     type = __vlan_get_protocol(skb, type, &maclen);

Arg, a last minute change did not make it.

>
> --
> Sabrina
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ