From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Ido Schimmel, Alexander Duyck, Willem de Bruijn, Alexander Duyck, "David S. Miller", Sasha Levin
Subject: [PATCH 5.4 259/260] ip_gre: validate csum_start only on pull
Date: Mon, 20 Sep 2021 18:44:37 +0200
Message-Id: <20210920163939.908174353@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210920163931.123590023@linuxfoundation.org>
References: <20210920163931.123590023@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Willem de Bruijn

[ Upstream commit 8a0ed250f911da31a2aef52101bc707846a800ff ]

The GRE tunnel device can pull existing outer headers in ipgre_xmit.
This is a rare path, apparently unique to this device.

The below commit ensured that pulling does not move skb->data beyond
csum_start.

But it has a false positive if ip_summed is not CHECKSUM_PARTIAL and
thus csum_start is irrelevant. Refine to exclude this.

At the same time simplify and strengthen the test.

Simplify, by moving the check next to the offending pull, making it
more self-documenting and removing an unnecessary branch from other
code paths.

Strengthen, by also ensuring that the transport header is correct and
therefore the inner headers will be after skb_reset_inner_headers.
The transport header is set to csum_start in skb_partial_csum_set.

Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/
Fixes: 1d011c4803c7 ("ip_gre: add validation for csum_start")
Reported-by: Ido Schimmel
Suggested-by: Alexander Duyck
Signed-off-by: Willem de Bruijn
Reviewed-by: Alexander Duyck
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/ipv4/ip_gre.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index fd8298b8b1c5..c4989e5903e4 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -446,8 +446,6 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, static int gre_handle_offloads(struct sk_buff *skb, bool csum) { - if (csum && skb_checksum_start(skb) < skb->data) - return -EINVAL; return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); } @@ -605,15 +603,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, } if (dev->header_ops) { + const int pull_len = tunnel->hlen + sizeof(struct iphdr); + if (skb_cow_head(skb, 0)) goto free_skb; tnl_params = (const struct iphdr *)skb->data; + if (pull_len > skb_transport_offset(skb)) + goto free_skb; + /* Pull skb since ip_tunnel_xmit() needs skb->data pointing * to gre header. */ - skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + skb_pull(skb, pull_len); skb_reset_mac_header(skb); } else { if (skb_cow_head(skb, dev->needed_headroom)) -- 2.30.2
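Review bot: in the gre_handle_offloads() hunk, the removed `if (csum && skb_checksum_start(skb) < skb->data) return -EINVAL;` was the only guard for every caller of this helper, and the replacement guard lives only in the header_ops branch of ipgre_xmit(); the commit message justifies this by stating that ipgre_xmit() is the only place outer headers are pulled, so that reasoning deserves a short comment at the new check so a future caller that pulls before gre_handle_offloads() is not silently left unguarded.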
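Review bot: in the ipgre_xmit() hunk, `if (pull_len > skb_transport_offset(skb)) goto free_skb;` protects CHECKSUM_PARTIAL packets only because csum_start and the transport header are set together by skb_partial_csum_set(), as the commit message notes; that dependency is not visible at the check itself, so the existing "Pull skb since ip_tunnel_xmit() needs skb->data pointing to gre header" comment could be extended with one line saying the transport header must lie at or beyond the pulled outer headers so that csum_start and the inner headers stay valid. The failure path shares `goto free_skb` with the skb_cow_head() failure; it is worth confirming that label accounts the drop in the device's tx statistics so the rejection is observable to operators rather than a silent loss.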
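As an added illustration (a constructed model written for this page, not kernel code and not part of the patch), the following C toy compares the removed gre_handle_offloads() test with the new pull-site check, using integer byte offsets in place of skb pointers; toy_skb, toy_skb_make, toy_skb_partial, old_xmit_check and new_xmit_check are hypothetical names, and pull_len 24 stands for a 4-byte GRE header plus a 20-byte IPv4 header.

```c
#include <errno.h>
#include <stdbool.h>

#define CHECKSUM_NONE    0
#define CHECKSUM_PARTIAL 3

/* Toy skb (constructed model): every field is a byte offset from skb->head. */
struct toy_skb {
    int data;             /* skb->data */
    int transport_header; /* skb->transport_header */
    int csum_start;       /* skb->csum_start; meaningful only for CHECKSUM_PARTIAL */
    int ip_summed;
};

static struct toy_skb toy_skb_make(int data, int transport, int csum_start, int ip_summed)
{
    struct toy_skb s = { data, transport, csum_start, ip_summed };
    return s;
}

/* Mirrors skb_partial_csum_set(): csum_start and the transport header are set together. */
static struct toy_skb toy_skb_partial(int data, int csum_start)
{
    return toy_skb_make(data, csum_start, csum_start, CHECKSUM_PARTIAL);
}

/* Before the patch: pull first, then gre_handle_offloads() compares the
 * (possibly stale) csum_start with the new skb->data, but only when the
 * GRE checksum flag is set. Returns 0 or -EINVAL like the kernel path. */
static int old_xmit_check(struct toy_skb skb, int pull_len, bool gre_csum)
{
    skb.data += pull_len;                       /* skb_pull() */
    if (gre_csum && skb.csum_start < skb.data)  /* the test the patch removes */
        return -EINVAL;
    return 0;
}

/* After the patch: the guard sits next to the pull and only asks whether the
 * transport header survives it, independent of ip_summed and the csum flag.
 * A transport header before skb->data gives a negative offset and is rejected. */
static int new_xmit_check(struct toy_skb skb, int pull_len)
{
    if (pull_len > skb.transport_header - skb.data) /* skb_transport_offset() */
        return -EINVAL;                             /* goto free_skb */
    skb.data += pull_len;
    return 0;
}
```

The first pair of assertions below is the false positive the commit message describes: a CHECKSUM_NONE packet with a stale csum_start is dropped by the old check and accepted by the new one.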