From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Willem de Bruijn, "David S. Miller"
Subject: [PATCH 5.6 04/41] net: check untrusted gso_size at kernel entry
Date: Tue, 9 Jun 2020 19:45:06 +0200
Message-Id: <20200609174112.535027419@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200609174112.129412236@linuxfoundation.org>
References: <20200609174112.129412236@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Willem de Bruijn

[ Upstream commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 ]

Syzkaller again found a path to a kernel crash through bad gso input:
a packet with gso size exceeding len.

These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment.
But they may affect gso size calculations earlier in the path.

Now that we have thlen as of commit 9274124f023b ("net: stricter
validation of untrusted gso packets"), check gso_size at entry too.

Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 include/linux/virtio_net.h | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

--- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -31,6 +31,7 @@ static inline int virtio_net_hdr_to_skb( { unsigned int gso_type = 0; unsigned int thlen = 0; + unsigned int p_off = 0; unsigned int ip_proto; if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
@@ -68,7 +69,8 @@ static inline int virtio_net_hdr_to_skb( if (!skb_partial_csum_set(skb, start, off)) return -EINVAL; - if (skb_transport_offset(skb) + thlen > skb_headlen(skb)) + p_off = skb_transport_offset(skb) + thlen; + if (p_off > skb_headlen(skb)) return -EINVAL; } else { /* gso packets without NEEDS_CSUM do not set transport_offset. @@ -92,17 +94,25 @@ retry: return -EINVAL; } - if (keys.control.thoff + thlen > skb_headlen(skb) || + p_off = keys.control.thoff + thlen; + if (p_off > skb_headlen(skb) || keys.basic.ip_proto != ip_proto) return -EINVAL; skb_set_transport_header(skb, keys.control.thoff); + } else if (gso_type) { + p_off = thlen; + if (p_off > skb_headlen(skb)) + return -EINVAL; } } if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) { u16 gso_size = __virtio16_to_cpu(little_endian, hdr->gso_size); + if (skb->len - p_off <= gso_size) + return -EINVAL; + skb_shinfo(skb)->gso_size = gso_size; skb_shinfo(skb)->gso_type = gso_type;
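Review bot: the new `if (skb->len - p_off <= gso_size) return -EINVAL;` closing the @@ -92,17 +94,25 @@ hunk is stricter than the commit message ("gso size exceeding len") suggests: besides a gso_size larger than the packet, it also fails any packet whose payload after p_off is equal to or smaller than gso_size, that is, one that needs no segmentation and that the pre-patch code accepted by going straight to `skb_shinfo(skb)->gso_size = gso_size;`. Either state in the commit message that such headers are now an error for callers such as the packet-socket path named in the Fixes tag, or leave those packets unmarked (skip the gso_size/gso_type assignment) instead of returning -EINVAL. The subtraction itself is safe: every branch that sets p_off has already required p_off <= skb_headlen(skb). Also, the new `} else if (gso_type) { p_off = thlen; ... }` fallback sets p_off without probing for a transport header; a one-line comment saying when a gso packet reaches that branch would help the next reader.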
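To make the entry check concrete, here is an added user-space model of the validation this patch arrives at (a constructed example, not the kernel's code): thlen chosen per GSO type, p_off as the end of the transport header, and the new gso_size test. The `struct pkt` fields are assumed stand-ins for the skb fields the kernel reads; the VIRTIO_NET_HDR_GSO_* values and the 20/8-byte header lengths are the real ones.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the patch's gso_size entry check, not kernel code.
 * The enum uses the real VIRTIO_NET_HDR_GSO_* values; struct pkt stands in
 * for the few skb fields the check reads. */
enum { GSO_NONE = 0, GSO_TCPV4 = 1, GSO_UDP = 3, GSO_TCPV6 = 4 };

struct pkt {
    unsigned int len;      /* skb->len: total packet bytes */
    unsigned int headlen;  /* skb_headlen(skb): bytes in the linear area */
    unsigned int thoff;    /* transport header offset within the packet */
    unsigned int gso_type; /* hdr->gso_type, untrusted */
    uint16_t gso_size;     /* hdr->gso_size, untrusted */
};

/* Transport header length per GSO type: sizeof(tcphdr) or sizeof(udphdr). */
static unsigned int thlen_for(unsigned int t)
{
    return (t == GSO_TCPV4 || t == GSO_TCPV6) ? 20 : (t == GSO_UDP) ? 8 : 0;
}

/* Returns 0 if the header is acceptable, -EINVAL otherwise. */
static int check_gso(const struct pkt *p)
{
    unsigned int thlen = thlen_for(p->gso_type), p_off;
    if (p->gso_type == GSO_NONE)
        return 0;                   /* nothing to validate */
    if (thlen == 0 || p->headlen > p->len)
        return -EINVAL;             /* unknown type or inconsistent lengths */
    p_off = p->thoff + thlen;       /* first payload byte */
    if (p_off > p->headlen)         /* transport header must be linear */
        return -EINVAL;
    /* The added check: p_off <= headlen <= len, so no underflow, and a
     * gso_size that is not strictly smaller than the payload is rejected. */
    if (p->len - p_off <= p->gso_size)
        return -EINVAL;
    return 0;
}

int main(void)
{   /* Constructed inputs; thoff 34 = 14-byte Ethernet + 20-byte IPv4 header. */
    struct pkt ok = {3000, 3000, 34, GSO_TCPV4, 1448};
    struct pkt oversize = {100, 100, 34, GSO_TCPV4, 65535}; /* gso_size > len */
    struct pkt single = {1502, 1502, 34, GSO_TCPV4, 1448};  /* payload == gso_size */
    printf("%d %d %d\n", check_gso(&ok), check_gso(&oversize), check_gso(&single));
    return 0;
}
```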