Received: by 2002:ac0:98c7:0:0:0:0:0 with SMTP id g7-v6csp2459502imd; Fri, 2 Nov 2018 11:46:36 -0700 (PDT) X-Google-Smtp-Source: AJdET5dszfieRMsV/e68v11uEQ0FrpkSF0c/DA1SHkHRGT7DPNm3cpP1spa9iv57PKrj6NriBz2h X-Received: by 2002:a62:6dc3:: with SMTP id i186-v6mr12979112pfc.218.1541184396203; Fri, 02 Nov 2018 11:46:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1541184396; cv=none; d=google.com; s=arc-20160816; b=wCBkXXz1v19tXvQ6MB+8qhxbfQFo83/bExMyGdTFedYOibPTfKgh/Rg2CkYxKYrbtt TFTH3qCSrCJleIF9K9PRZSwOusBqrzxNuGRukOjEgyahc0CcGsRf8ahWJZfcPg26KeUO lsiTuOMvvIHIDaS7xoHRCyV5XqazoV2BK9M6TDDSeTYAzJFbU2+pB+O9beo5mUtgjrwF bJwUOaR7tcqTZ+VLgbtIzZkkn6Wk31agdlL+ir6k5Li4Ttgf9EylExHaHacrXqai5AHU 9WTp4T09NKCIsxIu544Ffhj7ySqWmpV9zOBI+JZ3XLt5cJtOhirQlaxWuiq/SzAm0h0d xJ+g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=MGtCUywovTPLxnuGXBvVQZixTsuvNC13iDaourwZ4Ng=; b=kpTnip2Wg7mtW67yZNIkHsyFPXmIJzlfGemsWkhj+Dn8NnHKaxbTkxpWDntxG/VbWK 7thSYQ1a96mPX/8eCm0TQHk4xjV4tkApfuy7waJp926zK4BDdF1gcCTqzIhTe9Kwr3Sr JmBYc+dWmgl912/R8ifVE6338LQOGT6hfH0RdaEF5G7mRBhEHW/qRVZKKyQU+h1OtaN1 lPfuD213FWcw83oAMQ/IKSYoh5CUnYvv1x6VRFb4vv9Q+FF09sIacTJiubJKhLnMyCNc 8/Vp7cMv07EY6WGLMge3LVEFwHzGv2EuMRopWfLCtfkUPJGhogSwICTX2NPodZKjRjMB if/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zVZuc242; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h71-v6si23880805pgc.122.2018.11.02.11.46.20; Fri, 02 Nov 2018 11:46:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=zVZuc242; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730016AbeKCDwS (ORCPT + 99 others); Fri, 2 Nov 2018 23:52:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:47624 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726849AbeKCDwR (ORCPT ); Fri, 2 Nov 2018 23:52:17 -0400 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id BDCBD20880; Fri, 2 Nov 2018 18:44:03 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1541184244; bh=mSmejivJ1Ocy/d06LEnJolz2EXIJA7h8nxXuFFvh19M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zVZuc2425AK4C/e7iixUgyfjX+vmF6XGEK4iHb2VIgj+OgnvbeQHayMB0fqvzT27W 4l5DOQF70dhryS0fl4CjSgGk3mRsbu4wDRyEhwfnlKElHBbz7Lu5JVhqSH4ChUZvwj JNl9ZvTLsrKfaY6UZMD9gjaP3y6h3MpmhJdgRPkM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Sam Kumar , Eric Dumazet , Sean Tranchetti , "David S. Miller" Subject: [PATCH 4.18 114/150] net: udp: fix handling of CHECKSUM_COMPLETE packets Date: Fri, 2 Nov 2018 19:34:36 +0100 Message-Id: <20181102182911.085267155@linuxfoundation.org> X-Mailer: git-send-email 2.19.1 In-Reply-To: <20181102182902.250560510@linuxfoundation.org> References: <20181102182902.250560510@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Sean Tranchetti [ Upstream commit db4f1be3ca9b0ef7330763d07bf4ace83ad6f913 ] Current handling of CHECKSUM_COMPLETE packets by the UDP stack is incorrect for any packet that has an incorrect checksum value. udp4/6_csum_init() will both make a call to __skb_checksum_validate_complete() to initialize/validate the csum field when receiving a CHECKSUM_COMPLETE packet. When this packet fails validation, skb->csum will be overwritten with the pseudoheader checksum so the packet can be fully validated by software, but the skb->ip_summed value will be left as CHECKSUM_COMPLETE so that way the stack can later warn the user about their hardware spewing bad checksums. Unfortunately, leaving the SKB in this state can cause problems later on in the checksum calculation. Since the the packet is still marked as CHECKSUM_COMPLETE, udp_csum_pull_header() will SUBTRACT the checksum of the UDP header from skb->csum instead of adding it, leaving us with a garbage value in that field. Once we try to copy the packet to userspace in the udp4/6_recvmsg(), we'll make a call to skb_copy_and_csum_datagram_msg() to checksum the packet data and add it in the garbage skb->csum value to perform our final validation check. Since the value we're validating is not the proper checksum, it's possible that the folded value could come out to 0, causing us not to drop the packet. Instead, we believe that the packet was checksummed incorrectly by hardware since skb->ip_summed is still CHECKSUM_COMPLETE, and we attempt to warn the user with netdev_rx_csum_fault(skb->dev); Unfortunately, since this is the UDP path, skb->dev has been overwritten by skb->dev_scratch and is no longer a valid pointer, so we end up reading invalid memory. This patch addresses this problem in two ways: 1) Do not use the dev pointer when calling netdev_rx_csum_fault() from skb_copy_and_csum_datagram_msg(). Since this gets called from the UDP path where skb->dev has been overwritten, we have no way of knowing if the pointer is still valid. Also for the sake of consistency with the other uses of netdev_rx_csum_fault(), don't attempt to call it if the packet was checksummed by software. 2) Add better CHECKSUM_COMPLETE handling to udp4/6_csum_init(). If we receive a packet that's CHECKSUM_COMPLETE that fails verification (i.e. skb->csum_valid == 0), check who performed the calculation. It's possible that the checksum was done in software by the network stack earlier (such as Netfilter's CONNTRACK module), and if that says the checksum is bad, we can drop the packet immediately instead of waiting until we try and copy it to userspace. Otherwise, we need to mark the SKB as CHECKSUM_NONE, since the skb->csum field no longer contains the full packet checksum after the call to __skb_checksum_validate_complete(). Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") Fixes: c84d949057ca ("udp: copy skb->truesize in the first cache line") Cc: Sam Kumar Cc: Eric Dumazet Signed-off-by: Sean Tranchetti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/datagram.c | 5 +++-- net/ipv4/udp.c | 20 ++++++++++++++++++-- net/ipv6/ip6_checksum.c | 20 ++++++++++++++++++-- 3 files changed, 39 insertions(+), 6 deletions(-) --- a/net/core/datagram.c +++ b/net/core/datagram.c @@ -808,8 +808,9 @@ int skb_copy_and_csum_datagram_msg(struc return -EINVAL; } - if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE)) - netdev_rx_csum_fault(skb->dev); + if (unlikely(skb->ip_summed == CHECKSUM_COMPLETE) && + !skb->csum_complete_sw) + netdev_rx_csum_fault(NULL); } return 0; fault: --- a/net/ipv4/udp.c +++ b/net/ipv4/udp.c @@ -2124,8 +2124,24 @@ static inline int udp4_csum_init(struct /* Note, we are only interested in != 0 or == 0, thus the * force to int. */ - return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, - inet_compute_pseudo); + err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, + inet_compute_pseudo); + if (err) + return err; + + if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) { + /* If SW calculated the value, we know it's bad */ + if (skb->csum_complete_sw) + return 1; + + /* HW says the value is bad. Let's validate that. + * skb->csum is no longer the full packet checksum, + * so don't treat it as such. + */ + skb_checksum_complete_unset(skb); + } + + return 0; } /* wrapper for udp_queue_rcv_skb tacking care of csum conversion and --- a/net/ipv6/ip6_checksum.c +++ b/net/ipv6/ip6_checksum.c @@ -88,8 +88,24 @@ int udp6_csum_init(struct sk_buff *skb, * Note, we are only interested in != 0 or == 0, thus the * force to int. */ - return (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, - ip6_compute_pseudo); + err = (__force int)skb_checksum_init_zero_check(skb, proto, uh->check, + ip6_compute_pseudo); + if (err) + return err; + + if (skb->ip_summed == CHECKSUM_COMPLETE && !skb->csum_valid) { + /* If SW calculated the value, we know it's bad */ + if (skb->csum_complete_sw) + return 1; + + /* HW says the value is bad. Let's validate that. + * skb->csum is no longer the full packet checksum, + * so don't treat is as such. + */ + skb_checksum_complete_unset(skb); + } + + return 0; } EXPORT_SYMBOL(udp6_csum_init);