From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com, Shreyansh Chouhan , Willem de Bruijn , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 18/48] ip_gre: add validation for csum_start Date: Wed, 1 Sep 2021 14:28:08 +0200 Message-Id: <20210901122254.001761921@linuxfoundation.org> X-Mailer: git-send-email 2.33.0 In-Reply-To: <20210901122253.388326997@linuxfoundation.org> References: <20210901122253.388326997@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Shreyansh Chouhan [ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ] Validate csum_start in gre_handle_offloads before we call _gre_xmit so that we do not crash later when the csum_start value is used in the lco_csum function call. This patch deals with ipv4 code. Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com Signed-off-by: Shreyansh Chouhan Reviewed-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/ipv4/ip_gre.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index fedad3a3e61b..fd8298b8b1c5 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -446,6 +446,8 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, static int gre_handle_offloads(struct sk_buff *skb, bool csum) { + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); } -- 2.30.2
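Review bot: In gre_handle_offloads, the added test `csum && skb_checksum_start(skb) < skb->data` runs for every skb that asks for a GRE checksum, without first checking skb->ip_summed. csum_start is only meaningful when ip_summed is CHECKSUM_PARTIAL; in any other checksum state the field can hold a stale or zero offset, so this condition can return -EINVAL for packets that would never reach the lco_csum use the commit message is guarding. Suggest gating it, for example `if (csum && skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_start(skb) < skb->data)`. A short comment above the check naming the later lco_csum use would help the next reader, and since the commit message says this patch covers only the ipv4 code, please confirm the IPv6 counterpart is queued in the same stable series.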