lists.openwall.net: Open Source and information security mailing list archives
Date: Mon, 27 May 2024 13:21:13 +0200
From: Eric Dumazet <edumazet@...gle.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>
Cc: netdev@...r.kernel.org, davem@...emloft.net, kuba@...nel.org, 
	pabeni@...hat.com, richardbgobert@...il.com, 
	Willem de Bruijn <willemb@...gle.com>, syzkaller <syzkaller@...glegroups.com>
Subject: Re: [PATCH net] net: gro: initialize network_offset in network layer

On Thu, May 23, 2024 at 4:14 PM Willem de Bruijn
<willemdebruijn.kernel@...il.com> wrote:
>
> From: Willem de Bruijn <willemb@...gle.com>
>
> Syzkaller was able to trigger
>
>     kernel BUG at net/core/gro.c:424 !
>     RIP: 0010:gro_pull_from_frag0 net/core/gro.c:424 [inline]
>     RIP: 0010:gro_try_pull_from_frag0 net/core/gro.c:446 [inline]
>     RIP: 0010:dev_gro_receive+0x242f/0x24b0 net/core/gro.c:571
>
> Due to using an incorrect NAPI_GRO_CB(skb)->network_offset.
>
> The referenced commit sets this offset to 0 in skb_gro_reset_offset.
> That matches the expected case in dev_gro_receive:
>
>         pp = INDIRECT_CALL_INET(ptype->callbacks.gro_receive,
>                                 ipv6_gro_receive, inet_gro_receive,
>                                 &gro_list->list, skb);
>
> But syzkaller injected an skb with protocol ETH_P_TEB into an ip6gre
> device (by writing the IP6GRE encapsulated version to a TAP device).
> The result was a first call to eth_gro_receive, and thus an extra
> ETH_HLEN in network_offset that should not be there. First issue hit
> is when computing offset from network header in ipv6_gro_pull_exthdrs.
>
> Initialize both offsets in the network layer gro_receive.
>
> This pairs with all reads in gro_receive, which use
> skb_gro_receive_network_offset().
>
> Fixes: 186b1ea73ad8 ("net: gro: use cb instead of skb->network_header")
> Reported-by: syzkaller <syzkaller@...glegroups.com>
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
> CC: Richard Gobert <richardbgobert@...il.com>

Reviewed-by: Eric Dumazet <edumazet@...gle.com>
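A small model of the offset bookkeeping the quoted commit message describes, added here as an illustration; it is not kernel code and none of its struct or function names are the kernel's. It assumes a control block whose network_offset is zeroed at reset time (as the message says skb_gro_reset_offset does), an Ethernet layer that pulls ETH_HLEN before the network layer runs when the protocol is ETH_P_TEB, and a network-layer receive that either trusts the reset-time value (the pre-fix behaviour) or records where its own header actually starts (the fix). Only the outer network offset is modelled; the header lengths are constructed constants.

```c
/* Constructed model of GRO offset handling, not the kernel's implementation. */
#include <stdio.h>

#define ETH_HLEN  14   /* Ethernet header length */
#define IPV6_HLEN 40   /* fixed IPv6 header length */

/* Stand-in for the per-packet GRO control block (NAPI_GRO_CB). */
struct gro_cb {
    int data_offset;     /* bytes already consumed by earlier GRO layers */
    int network_offset;  /* where the network layer believes its header starts */
};

/* Stand-in for skb_gro_reset_offset(): both offsets start at 0. */
static void gro_reset_offset(struct gro_cb *cb)
{
    cb->data_offset = 0;
    cb->network_offset = 0;
}

/* Stand-in for eth_gro_receive(): an Ethernet header is pulled first.
 * This is the extra layer that runs for ETH_P_TEB traffic on an ip6gre device. */
static void eth_gro_receive(struct gro_cb *cb)
{
    cb->data_offset += ETH_HLEN;
}

/* Pre-fix network-layer receive: trusts the reset-time network_offset and
 * computes the extension-header position from it. */
static int ipv6_gro_receive_before(struct gro_cb *cb)
{
    return cb->network_offset + IPV6_HLEN;
}

/* Post-fix network-layer receive: records where the network header really
 * begins (the current data offset) before deriving anything from it. */
static int ipv6_gro_receive_after(struct gro_cb *cb)
{
    cb->network_offset = cb->data_offset;
    return cb->network_offset + IPV6_HLEN;
}

/* Run one packet through the modelled pipeline and return the offset the
 * network layer computes for the first extension header. */
int exthdr_offset(int eth_first, int fixed)
{
    struct gro_cb cb;

    gro_reset_offset(&cb);
    if (eth_first)
        eth_gro_receive(&cb);
    return fixed ? ipv6_gro_receive_after(&cb)
                 : ipv6_gro_receive_before(&cb);
}

/* Consistency check: 1 when the computed offset matches the true position of
 * the extension header, 0 when the stale offset has gone wrong. */
int offset_is_consistent(int eth_first, int fixed)
{
    int actual = (eth_first ? ETH_HLEN : 0) + IPV6_HLEN;

    return exthdr_offset(eth_first, fixed) == actual;
}

int main(void)
{
    printf("plain ipv6, pre-fix:      %s\n", offset_is_consistent(0, 0) ? "ok" : "stale offset");
    printf("eth-first ipv6, pre-fix:  %s\n", offset_is_consistent(1, 0) ? "ok" : "stale offset");
    printf("eth-first ipv6, post-fix: %s\n", offset_is_consistent(1, 1) ? "ok" : "stale offset");
    return 0;
}
```

In the plain case the reset-time zero happens to be correct, which is why the bug only surfaces when an extra layer runs ahead of the network-layer receive; the post-fix path is correct in both orderings because the offset is taken at the point where the network layer actually begins parsing.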