Received: by 10.223.176.5 with SMTP id f5csp3436598wra;
        Mon, 29 Jan 2018 13:09:28 -0800 (PST)
X-Google-Smtp-Source: AH8x227k4j38Ssdg11saWzvhUbPOzWiEo7chkSeMO/0WPkfrjB/87o3vt4UehTbHA4BEOTx9rPub
X-Received: by 2002:a17:902:3083:: with SMTP id v3-v6mr23416311plb.426.1517260167939;
        Mon, 29 Jan 2018 13:09:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517260167; cv=none;
        d=google.com; s=arc-20160816;
        b=xnmi4okWjobrzYvJcnXsErFnybXUzF1jKqTPL+dvqsW9boreARzF4lmbYy9S9luu24
         h74cOgZ97d8BNedm4BHbcQ1yy3IafuIuuvoUoMC4XXO0sKITsZhJGmU6JFpa7+xQkX2w
         Mnx9tl5Uj+4VpeD1yygxh6hkI7NPgw6liHb6nqciJtG0S4Lj5f9ykQCvzOO+q5XN1ZI0
         Fvazo7PtvbnE9BDF0okuYPH/po8plfzK9/gObUQmAmxFVjpV5t0vTCfQr5RHVhrX0TI0
         HTA833shCBMxoAGV0tZ7pWWLWjG9QX8+GQyfrAruAd1so19q46JY1lT5SXTdUk0jkz1i
         6zZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=MonJsSWPqGx+Cn8ncvZlFJ1SW9ohKM5vmM9LbBnu5Lg=;
        b=MVbclxQv3Me4Z4Xpez6ZmoWtehp/vGlJbHembPqkuKBwcqzRrO93C5cVGlq9Q2rxlQ
         8C20y6hGAP4GKsO5OGr1c+Or8g+2SnuzFM404EUOzAhje3fZWWaXfFiVYNO6a1yAeG5+
         HQUMnmB8mdBV+6GBR5b/D9YTT780mIOxCISfaOEOmANdiuF1pCsEjIgBVuSPNe2kN8vY
         9ZThRKxTTmuo11vNFKEhVbdFoEhSziE3qt5hCExVOlcjdqeP8d/lorzDkhdP2Jw8dLoy
         WqPjO+s22tjYicx516fqsL2XTaodt9mtsMDa+xXO5Fq1qGMc2e/DXkFPta9eBYMd60jY
         gsZQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 11-v6si689082plb.362.2018.01.29.13.09.13;
        Mon, 29 Jan 2018 13:09:27 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752699AbeA2UG0 (ORCPT <rfc822;vladislav.valtchev@gmail.com>
        + 99 others); Mon, 29 Jan 2018 15:06:26 -0500
Received: from mail.linuxfoundation.org ([140.211.169.12]:48090 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752066AbeA2UGY (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 29 Jan 2018 15:06:24 -0500
Received: from localhost (LFbn-1-12258-90.w90-92.abo.wanadoo.fr [90.92.71.90])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id B15F93010;
        Mon, 29 Jan 2018 13:09:32 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com,
        Willem de Bruijn <willemb@google.com>,
        Jason Wang <jasowang@redhat.com>,
        Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 45/71] gso: validate gso_type in GSO handlers
Date:   Mon, 29 Jan 2018 13:57:13 +0100
Message-Id: <20180129123830.239484331@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123827.271171825@linuxfoundation.org>
References: <20180129123827.271171825@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Willem de Bruijn <willemb@google.com>


[ Upstream commit 121d57af308d0cf943f08f4738d24d3966c38cd9 ]

Validate gso_type during segmentation as SKB_GSO_DODGY sources
may pass packets where the gso_type does not match the contents.

Syzkaller was able to enter the SCTP gso handler with a packet of
gso_type SKB_GSO_TCPV4.

On entry of transport layer gso handlers, verify that the gso_type
matches the transport protocol.

Fixes: 90017accff61 ("sctp: Add GSO support")
Link: http://lkml.kernel.org/r/<001a1137452496ffc305617e5fe0@google.com>
Reported-by: syzbot+fee64147a25aecd48055@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/esp4_offload.c  |    3 +++
 net/ipv4/tcp_offload.c   |    3 +++
 net/ipv4/udp_offload.c   |    3 +++
 net/ipv6/esp6_offload.c  |    3 +++
 net/ipv6/tcpv6_offload.c |    3 +++
 net/ipv6/udp_offload.c   |    3 +++
 net/sctp/offload.c       |    3 +++
 7 files changed, 21 insertions(+)

--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -121,6 +121,9 @@ static struct sk_buff *esp4_gso_segment(
 	if (!xo)
 		goto out;
 
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
+		goto out;
+
 	seq = xo->seq.low;
 
 	x = skb->sp->xvec[skb->sp->len - 1];
--- a/net/ipv4/tcp_offload.c
+++ b/net/ipv4/tcp_offload.c
@@ -32,6 +32,9 @@ static void tcp_gso_tstamp(struct sk_buf
 static struct sk_buff *tcp4_gso_segment(struct sk_buff *skb,
 					netdev_features_t features)
 {
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4))
+		return ERR_PTR(-EINVAL);
+
 	if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
 		return ERR_PTR(-EINVAL);
 
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -203,6 +203,9 @@ static struct sk_buff *udp4_ufo_fragment
 		goto out;
 	}
 
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
+		goto out;
+
 	if (!pskb_may_pull(skb, sizeof(struct udphdr)))
 		goto out;
 
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -148,6 +148,9 @@ static struct sk_buff *esp6_gso_segment(
 	if (!xo)
 		goto out;
 
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
+		goto out;
+
 	seq = xo->seq.low;
 
 	x = skb->sp->xvec[skb->sp->len - 1];
--- a/net/ipv6/tcpv6_offload.c
+++ b/net/ipv6/tcpv6_offload.c
@@ -46,6 +46,9 @@ static struct sk_buff *tcp6_gso_segment(
 {
 	struct tcphdr *th;
 
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6))
+		return ERR_PTR(-EINVAL);
+
 	if (!pskb_may_pull(skb, sizeof(*th)))
 		return ERR_PTR(-EINVAL);
 
--- a/net/ipv6/udp_offload.c
+++ b/net/ipv6/udp_offload.c
@@ -42,6 +42,9 @@ static struct sk_buff *udp6_ufo_fragment
 		const struct ipv6hdr *ipv6h;
 		struct udphdr *uh;
 
+		if (!(skb_shinfo(skb)->gso_type & SKB_GSO_UDP))
+			goto out;
+
 		if (!pskb_may_pull(skb, sizeof(struct udphdr)))
 			goto out;
 
--- a/net/sctp/offload.c
+++ b/net/sctp/offload.c
@@ -45,6 +45,9 @@ static struct sk_buff *sctp_gso_segment(
 	struct sk_buff *segs = ERR_PTR(-EINVAL);
 	struct sctphdr *sh;
 
+	if (!(skb_shinfo(skb)->gso_type & SKB_GSO_SCTP))
+		goto out;
+
 	sh = sctp_hdr(skb);
 	if (!pskb_may_pull(skb, sizeof(*sh)))
 		goto out;