Received: by 10.223.176.5 with SMTP id f5csp3396522wra; Mon, 29 Jan 2018 12:34:54 -0800 (PST) X-Google-Smtp-Source: AH8x2271NwyQJZeb2VqkWnJwMzdmkRPM/qnQ+VcDrn9CTk5uGegEXfy8z1TXVEv5lBF8BlL89612 X-Received: by 10.99.123.8 with SMTP id w8mr22129114pgc.201.1517258094171; Mon, 29 Jan 2018 12:34:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1517258094; cv=none; d=google.com; s=arc-20160816; b=imAzww4Gxoa8HZP4ikBqaPMFgM+kUrf7hJ3SOw3Adc6gFK2RV0hXe4sDus0Kd7M0QX A/EyXyrX91ZoadOS1i18JPEVs9en2oGgXG8LMLjs/LYRHUNDuPdDfEXdF/hlXCLktQxu KtJV6rYdufenNnzFhqfufFh5BEmz5vfr5brPteKWOMatJH4A09g3tU5hFkK8eLBiVasH ZdsdOys/BD504kd9OkR8WiR+ecnvK9du8Oo6iKx/3siW2VUhnuHF6xKkcPOVrpR7TTM2 nwSrGWEGxRKWM++aQVHUTzW4kor2J4NSlHvGZe/apC2DjJhWPnuEf/GUIZYRkuRm3F/f Yxxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=ge+/qqPBLDyQm8cyypCzJ7ZUbXy1Fqu+zeWLmoueOKU=; b=sKxzrL9zVJTyzvoclyX5616ZCVgangwXAs3coW1+rVgDGBUcW+qxFez7P0n4bqvluv 3SDFzmzfS2iTMl2ZFyFNL805rlTkCIPOiT09aaWcb6Lz/ypmvDG+bPwBzzdfiPEQ3awX sKOZX/7mnt/7JKD+JGrxuUxzLXAOkIETJKF9da4B0F2ERf0wxaeN+iSY7GxIOXoZNP60 /stHf/wg43E2Su4T9oKyKDXmH+voc0rBXVSVAxH1hjPOSpH3xh5C1b+N0QrvT4JXP+QO 1VNdekO1SGKofNlxhXj8fMBpVLkqociwLXlM5b2A3zyMxtAkWIzrq71xMmzCdrK3AEru AdIQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a80si12607928pfg.372.2018.01.29.12.34.39; Mon, 29 Jan 2018 12:34:54 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932274AbeA2UOg (ORCPT + 99 others); Mon, 29 Jan 2018 15:14:36 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:40488 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752125AbeA2UOe (ORCPT ); Mon, 29 Jan 2018 15:14:34 -0500 Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 19FFD2FA5; Mon, 29 Jan 2018 13:06:25 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com, Willem de Bruijn , Jason Wang , Marcelo Ricardo Leitner , "David S. Miller" Subject: [PATCH 4.9 52/66] gso: validate gso_type in GSO handlers Date: Mon, 29 Jan 2018 13:57:16 +0100 Message-Id: <20180129123842.630859423@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123839.842860149@linuxfoundation.org> References: <20180129123839.842860149@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Willem de Bruijn [ Upstream commit 121d57af308d0cf943f08f4738d24d3966c38cd9 ] Validate gso_type during segmentation as SKB_GSO_DODGY sources may pass packets where the gso_type does not match the contents. Syzkaller was able to enter the SCTP gso handler with a packet of gso_type SKB_GSO_TCPV4. On entry of transport layer gso handlers, verify that the gso_type matches the transport protocol. Fixes: 90017accff61 ("sctp: Add GSO support") Link: http://lkml.kernel.org/r/<001a1137452496ffc305617e5fe0@google.com> Reported-by: syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn Acked-by: Jason Wang Reviewed-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/ipv4/tcp_offload.c | 3 +++ net/ipv4/udp_offload.c | 3 +++ net/ipv6/tcpv6_offload.c | 3 +++ net/ipv6/udp_offload.c | 3 +++ net/sctp/offload.c | 3 +++ 5 files changed, 15 insertions(+) --- a/net/ipv4/tcp_offload.c +++ b/net/ipv4/tcp_offload.c @@ -32,6 +32,9 @@ static void tcp_gso_tstamp(struct sk_buf static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb, netdev_features_t features) { + if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4)) + return ERR_PTR(-EINVAL); + if (!pskb_may_pull(skb, sizeof(struct tcphdr))) return ERR_PTR(-EINVAL); --- a/net/ipv4/udp_offload.c +++ b/net/ipv4/udp_offload.c @@ -205,6 +205,9 @@ static struct sk_buff *udp4_ufo_fragment goto out; } + if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP)) + goto out; + if (!pskb_may_pull(skb, sizeof(struct udphdr))) goto out; --- a/net/ipv6/tcpv6_offload.c +++ b/net/ipv6/tcpv6_offload.c @@ -46,6 +46,9 @@ static struct sk_buff *tcp6_gso_segment( { struct tcphdr *th; + if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6)) + return ERR_PTR(-EINVAL); + if (!pskb_may_pull(skb, sizeof(*th))) return ERR_PTR(-EINVAL); --- a/net/ipv6/udp_offload.c +++ b/net/ipv6/udp_offload.c @@ -55,6 +55,9 @@ static struct sk_buff *udp6_ufo_fragment const struct ipv6hdr *ipv6h; struct udphdr *uh; + if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP)) + goto out; + if (!pskb_may_pull(skb, sizeof(struct udphdr))) goto out; --- a/net/sctp/offload.c +++ b/net/sctp/offload.c @@ -44,6 +44,9 @@ static struct sk_buff *sctp_gso_segment( struct sk_buff *segs = ERR_PTR(-EINVAL); struct sctphdr *sh; + if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP)) + goto out; + sh = sctp_hdr(skb); if (!pskb_may_pull(skb, sizeof(*sh))) goto out;