From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Willem de Bruijn, Eric Dumazet, Alexander Duyck, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.4 362/411] ip_gre: test csum_start instead of transport header
Date: Mon, 13 Jun 2022 12:10:35 +0200
Message-Id: <20220613094939.546289711@linuxfoundation.org>
In-Reply-To: <20220613094928.482772422@linuxfoundation.org>
References: <20220613094928.482772422@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Willem de Bruijn

[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ]

GRE with TUNNEL_CSUM will apply local checksum offload on
CHECKSUM_PARTIAL packets.

ipgre_xmit must validate csum_start after an optional skb_pull,
else lco_csum may trigger an overflow. The original check was

	if (csum && skb_checksum_start(skb) < skb->data)
		return -EINVAL;

This had false positives when skb_checksum_start is undefined:
when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
was straightforward

	if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
	    skb_checksum_start(skb) < skb->data)
		return -EINVAL;

But was eventually revised more thoroughly:
- restrict the check to the only branch where needed, in an
  uncommon GRE path that uses header_ops and calls skb_pull.
- test skb_transport_header, which is set along with csum_start
  in skb_partial_csum_set in the normal header_ops datapath.

Turns out skbs can arrive in this branch without the transport
header set, e.g., through BPF redirection.

Revise the check back to check csum_start directly, and only if
CHECKSUM_PARTIAL. Do leave the check in the updated location.
Check field regardless of whether TUNNEL_CSUM is configured.

Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/
Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u
Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
Reviewed-by: Alexander Duyck
Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/ipv4/ip_gre.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 5b38d03f6d79..614410a6db44 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -602,21 +602,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, } if (dev->header_ops) { - const int pull_len = tunnel->hlen + sizeof(struct iphdr); - if (skb_cow_head(skb, 0)) goto free_skb; tnl_params = (const struct iphdr *)skb->data; - if (pull_len > skb_transport_offset(skb)) - goto free_skb; - /* Pull skb since ip_tunnel_xmit() needs skb->data pointing * to gre header. */ - skb_pull(skb, pull_len); + skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); skb_reset_mac_header(skb); + + if (skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + goto free_skb; } else { if (skb_cow_head(skb, dev->needed_headroom)) goto free_skb; -- 2.35.1
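Review bot: the return value of `skb_pull(skb, tunnel->hlen + sizeof(struct iphdr));` is not checked, and the removed `pull_len > skb_transport_offset(skb)` test was the only bound applied before the pull; skb_pull returns NULL and leaves skb->data in place when the requested length exceeds skb->len, so the new `skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_start(skb) < skb->data` test would then be evaluated against an un-pulled skb. Consider `if (!skb_pull(skb, tunnel->hlen + sizeof(struct iphdr))) goto free_skb;` (or a pskb_may_pull ahead of it), and a one-line comment above the new check stating that it guards lco_csum and must stay after the pull, so a later refactor does not move it back ahead of the skb_pull.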