From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Willem de Bruijn, Eric Dumazet, Alexander Duyck, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.15 158/247] ip_gre: test csum_start instead of transport header
Date: Mon, 13 Jun 2022 12:11:00 +0200
Message-Id: <20220613094927.748237738@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220613094922.843438024@linuxfoundation.org>
References: <20220613094922.843438024@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Willem de Bruijn

[ Upstream commit 8d21e9963bec1aad2280cdd034c8993033ef2948 ]

GRE with TUNNEL_CSUM will apply local checksum offload on
CHECKSUM_PARTIAL packets.

ipgre_xmit must validate csum_start after an optional skb_pull,
else lco_csum may trigger an overflow. The original check was

	if (csum && skb_checksum_start(skb) < skb->data)
		return -EINVAL;

This had false positives when skb_checksum_start is undefined:
when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
was straightforward

	if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
	    skb_checksum_start(skb) < skb->data)
		return -EINVAL;

But was eventually revised more thoroughly:
- restrict the check to the only branch where needed, in an
  uncommon GRE path that uses header_ops and calls skb_pull.
- test skb_transport_header, which is set along with csum_start
  in skb_partial_csum_set in the normal header_ops datapath.

Turns out skbs can arrive in this branch without the transport
header set, e.g., through BPF redirection.

Revise the check back to check csum_start directly, and only if
CHECKSUM_PARTIAL. Do leave the check in the updated location.
Check field regardless of whether TUNNEL_CSUM is configured.

Link: https://lore.kernel.org/netdev/YS+h%2FtqCJJiQei+W@shredder/
Link: https://lore.kernel.org/all/20210902193447.94039-2-willemdebruijn.kernel@gmail.com/T/#u
Fixes: 8a0ed250f911 ("ip_gre: validate csum_start only on pull")
Reported-by: syzbot
Signed-off-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
Reviewed-by: Alexander Duyck
Link: https://lore.kernel.org/r/20220606132107.3582565-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/ipv4/ip_gre.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index 276a3b7b0e9c..f23528c77539 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -629,21 +629,20 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, } if (dev->header_ops) { - const int pull_len = tunnel->hlen + sizeof(struct iphdr); - if (skb_cow_head(skb, 0)) goto free_skb; tnl_params = (const struct iphdr *)skb->data; - if (pull_len > skb_transport_offset(skb)) - goto free_skb; - /* Pull skb since ip_tunnel_xmit() needs skb->data pointing * to gre header. */ - skb_pull(skb, pull_len); + skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); skb_reset_mac_header(skb); + + if (skb->ip_summed == CHECKSUM_PARTIAL && + skb_checksum_start(skb) < skb->data) + goto free_skb; } else { if (skb_cow_head(skb, dev->needed_headroom)) goto free_skb; -- 2.35.1
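Review bot: the new guard at the end of the header_ops branch is placed correctly after `skb_pull(skb, tunnel->hlen + sizeof(struct iphdr));`, but nothing in the hunk says why it must sit there; the only comment nearby explains the pull itself. A one-line comment above `if (skb->ip_summed == CHECKSUM_PARTIAL &&` stating that the check has to run after the pull (skb->data has just advanced, so a csum_start that was fine before the pull can now precede skb->data and underflow the length computed by local checksum offload) and that it is deliberately not gated on TUNNEL_CSUM would stop a future reader from moving it back above the pull or re-adding the `csum &&` condition. The dropped `pull_len > skb_transport_offset(skb)` test is the right thing to remove given the commit message's point that skb->transport_header may be unset on this path, so no further rework is needed there.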
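As an added illustration (not kernel code and not part of this patch), the following C program models the two checks the commit message compares on a toy sk_buff that keeps only the fields the guard touches: head, data, csum_start and ip_summed. It shows the false positive of the original `csum && skb_checksum_start(skb) < skb->data` form when ip_summed is not CHECKSUM_PARTIAL, and why the revised check has to run after the pull: the pull advances data, and the checksummed length that local checksum offload would compute as csum_start minus data goes negative. The struct, the constant values for CHECKSUM_PARTIAL and the sample offsets are all constructed for this example.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel's ip_summed values (not the real enum). */
enum { TOY_CHECKSUM_NONE = 0, TOY_CHECKSUM_PARTIAL = 3 };

/* Toy sk_buff: only the fields the ipgre_xmit guard reads. */
struct toy_skb {
    unsigned char *head;       /* start of the buffer */
    unsigned char *data;       /* current start of packet data */
    unsigned int   len;
    unsigned int   csum_start; /* offset from head, like skb->csum_start */
    int            ip_summed;
};

/* Mirrors skb_checksum_start(): head + csum_start. */
static unsigned char *toy_checksum_start(const struct toy_skb *skb)
{
    return skb->head + skb->csum_start;
}

/* Mirrors skb_pull(): advance data past n header bytes. */
static void toy_pull(struct toy_skb *skb, unsigned int n)
{
    skb->data += n;
    skb->len -= n;
}

/* Original check quoted in the commit message: gated on TUNNEL_CSUM only,
 * so it also fires when csum_start is meaningless (ip_summed != PARTIAL). */
static int original_check_accepts(const struct toy_skb *skb, int tunnel_csum)
{
    if (tunnel_csum && toy_checksum_start(skb) < skb->data)
        return 0;
    return 1;
}

/* Revised check from the patch: only when csum_start is defined, and
 * regardless of TUNNEL_CSUM. */
static int revised_check_accepts(const struct toy_skb *skb)
{
    if (skb->ip_summed == TOY_CHECKSUM_PARTIAL &&
        toy_checksum_start(skb) < skb->data)
        return 0;
    return 1;
}

/* Build a skb with the given state, perform the pull ipgre_xmit does in the
 * header_ops branch, and report what each check decides. Returns the
 * signed distance csum_start - data after the pull via *offset_out; a
 * negative value is what an unsigned length computation would underflow on. */
static void run_case(int ip_summed, unsigned int csum_start, unsigned int pull_len,
                     int tunnel_csum, int *orig_ok, int *revised_ok, long *offset_out)
{
    static unsigned char buf[256];
    struct toy_skb skb = { buf, buf, 200, csum_start, ip_summed };

    toy_pull(&skb, pull_len);
    *orig_ok = original_check_accepts(&skb, tunnel_csum);
    *revised_ok = revised_check_accepts(&skb);
    *offset_out = (long)(ptrdiff_t)(toy_checksum_start(&skb) - skb.data);
}

int original_check_ok(int ip_summed, unsigned int csum_start, unsigned int pull_len, int tunnel_csum)
{
    int o, r; long off;
    run_case(ip_summed, csum_start, pull_len, tunnel_csum, &o, &r, &off);
    return o;
}

int revised_check_ok(int ip_summed, unsigned int csum_start, unsigned int pull_len)
{
    int o, r; long off;
    run_case(ip_summed, csum_start, pull_len, 1, &o, &r, &off);
    return r;
}

long csum_offset_after_pull(unsigned int csum_start, unsigned int pull_len)
{
    int o, r; long off;
    run_case(TOY_CHECKSUM_PARTIAL, csum_start, pull_len, 1, &o, &r, &off);
    return off;
}

int main(void)
{
    /* pull_len = 4-byte GRE header + 20-byte IP header, as in the patch. */
    const unsigned int pull = 24;
    printf("NONE,   csum_start=0,  TUNNEL_CSUM: orig=%d revised=%d\n",
           original_check_ok(TOY_CHECKSUM_NONE, 0, pull, 1),
           revised_check_ok(TOY_CHECKSUM_NONE, 0, pull));
    printf("PARTIAL, csum_start=20: revised=%d offset=%ld\n",
           revised_check_ok(TOY_CHECKSUM_PARTIAL, 20, pull),
           csum_offset_after_pull(20, pull));
    printf("PARTIAL, csum_start=48: revised=%d offset=%ld\n",
           revised_check_ok(TOY_CHECKSUM_PARTIAL, 48, pull),
           csum_offset_after_pull(48, pull));
    return 0;
}
```

The first case is the false positive the commit message describes: with ip_summed not CHECKSUM_PARTIAL the stale csum_start of 0 makes the original check drop the packet, while the revised check accepts it. The second case is the one the guard exists for: a csum_start inside the bytes just pulled leaves a negative offset that a length computed in unsigned arithmetic would turn into a huge value.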