From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Balazs Nemeth, Willem de Bruijn, "David S. Miller"
Subject: [PATCH 5.11 010/306] net: check if protocol extracted by virtio_net_hdr_set_proto is correct
Date: Mon, 15 Mar 2021 14:51:13 +0100
Message-Id: <20210315135507.968640892@linuxfoundation.org>
In-Reply-To: <20210315135507.611436477@linuxfoundation.org>

From: Greg Kroah-Hartman

From: Balazs Nemeth

commit 924a9bc362a5223cd448ca08c3dde21235adc310 upstream.

For gso packets, virtio_net_hdr_set_proto sets the protocol (if it isn't
set) based on the type in the virtio net hdr, but the skb could contain
anything since it could come from packet_snd through a raw socket. If
there is a mismatch between what virtio_net_hdr_set_proto sets and
the actual protocol, then the skb could be handled incorrectly later
on.

An example where this poses an issue is with the subsequent call to
skb_flow_dissect_flow_keys_basic which relies on skb->protocol being set
correctly. A specially crafted packet could fool
skb_flow_dissect_flow_keys_basic, preventing EINVAL from being returned.

Avoid blindly trusting the information provided by the virtio net header
by checking that the protocol in the packet actually matches the
protocol set by virtio_net_hdr_set_proto. Note that since the protocol
is only checked if skb->dev implements header_ops->parse_protocol,
packets from devices without the implementation are not checked at this
stage.

Fixes: 9274124f023b ("net: stricter validation of untrusted gso packets")
Signed-off-by: Balazs Nemeth
Acked-by: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- include/linux/virtio_net.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -79,8 +79,13 @@ static inline int virtio_net_hdr_to_skb( if (gso_type && skb->network_header) { struct flow_keys_basic keys; - if (!skb->protocol) + if (!skb->protocol) { + __be16 protocol = dev_parse_header_protocol(skb); + virtio_net_hdr_set_proto(skb, hdr); + if (protocol && protocol != skb->protocol) + return -EINVAL; + } retry: if (!skb_flow_dissect_flow_keys_basic(NULL, skb, &keys, NULL, 0, 0, 0,
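
Review bot: the `protocol &&` guard in the new comparison makes the check fail open, and nothing in the code says so. When dev_parse_header_protocol(skb) yields 0, the value written by virtio_net_hdr_set_proto(skb, hdr) is accepted unverified and still feeds skb_flow_dissect_flow_keys_basic below. The commit message explains that this covers devices without header_ops->parse_protocol, but that reasoning should also live next to the code: please add a short comment above `if (protocol && protocol != skb->protocol)` stating that a zero result means the link-layer protocol could not be parsed and is deliberately not treated as a mismatch. It is also worth noting in that comment that the cross-check only runs inside `if (!skb->protocol) {`, so an skb that arrives with skb->protocol already set is not compared against the parsed header here.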