Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp2129438rwi; Fri, 28 Oct 2022 03:29:30 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5hfi5nVVc9yfzN542QkTksW/jwFi3XsX9nElMgCRG+R0OJA/P3bw6dQL4gBhpkJWvrOHNs X-Received: by 2002:a17:902:d70a:b0:178:5d52:9e41 with SMTP id w10-20020a170902d70a00b001785d529e41mr53037973ply.0.1666952959932; Fri, 28 Oct 2022 03:29:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666952959; cv=none; d=google.com; s=arc-20160816; b=ysfwiuOneQwvGsg8UZEVVs4h0aJUlyH+iQkrGxqOLSxWDFrQJpeIQHqBlprHp0gqFt SKs9+p1lSCL2QzfEuuKIbRY0OYcWwIYoJqkzmvsLTQBAfFxkREV62RCiRbhPFFblQ4wy n89mu+PR0Dsmr0YH6NyWGU9DmRyuhP9ZMuDPF6Zts/03wxOD+oaMx0WGL2JjJqlfwb1B YL8u7TGRDjtfcJCtA61XPhHfEN51S7lS6EYbHcb8YnAEWVcd6XJXXViXXeOnKlGj6oFR oG1JkjrTlOgBEOkYAKcoAawbCE0ulSucpWdqOul9jwrPcNsfD6UMP/MexnS68sz0FcDm q0Nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=BA4J5g3MFlra08GxHd+nJvIoE83TRVg1xa/ikV6/Mm8=; b=0RVt4V8HxLaDZJqUDHkyKNj4tIs7PJY/IvAmh0Is9pWSx1FfmAX6KlP8O2kq4XL3e6 kmxqUPrSML3FumjmSq6y/Ez+xb2zFGxLdp9CMtMFPjOazTVfW73sUV38yYn3JscXQcuo NW5ouqeBMvSd0+4hyv4ePhj0ibDKqECyw7ld8ivW+KC/ZyXtfiy379DDbx4i6ZTaC3L3 CfPh9rJOt70q7/FTxHcJtvNF8nh3nk6/PZh9PAd2TVO2+zociej1wQNMXCE+8HpfEwSO XLkkNWIl4YOuD0I4tK31Hti4JZNT4SgHdVCpcZXMs8xZhvtm1oTI8n+nQDjgQmTBD/Ey Ps8Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id g5-20020a1709026b4500b001780ba6c694si4434703plt.35.2022.10.28.03.29.08; Fri, 28 Oct 2022 03:29:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230131AbiJ1KL5 (ORCPT + 99 others); Fri, 28 Oct 2022 06:11:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58182 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229551AbiJ1KLz (ORCPT ); Fri, 28 Oct 2022 06:11:55 -0400 Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72E1F15A8C8; Fri, 28 Oct 2022 03:11:54 -0700 (PDT) Received: from canpemm500006.china.huawei.com (unknown [172.30.72.55]) by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4MzJHG0c5KzHvV6; Fri, 28 Oct 2022 18:11:38 +0800 (CST) Received: from [10.174.179.200] (10.174.179.200) by canpemm500006.china.huawei.com (7.192.105.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2375.31; Fri, 28 Oct 2022 18:11:52 +0800 Subject: Re: [PATCH net] ipv6/gro: fix an out of bounds memory bug in ipv6_gro_receive() To: Eric Dumazet CC: , , , , , , , References: <20221027102449.926410-1-william.xuanziyang@huawei.com> <8523b754-992d-0d72-ecd1-4f076e57ebde@huawei.com> From: "Ziyang Xuan (William)" Message-ID: <4ce1a942-db88-3d20-b377-ade9b4fc997d@huawei.com> Date: Fri, 28 Oct 2022 18:11:51 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.179.200] X-ClientProxiedBy: dggems706-chm.china.huawei.com (10.3.19.183) To canpemm500006.china.huawei.com (7.192.105.130) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > On Thu, Oct 27, 2022 at 6:01 AM Ziyang Xuan (William) > wrote: >> >>> On Thu, Oct 27, 2022 at 3:25 AM Ziyang Xuan >>> wrote: >>>> >>>> IPv6 packets without NEXTHDR_NONE extension header can make continuous >>>> __skb_pull() until pskb_may_pull() failed in ipv6_gso_pull_exthdrs(). >>>> That results in a big value of skb_gro_offset(), and after __skb_push() >>>> in ipv6_gro_receive(), skb->data will less than skb->head, an out of >>>> bounds memory bug occurs. That will trigger the problem as following: >>>> >>>> ================================================================== >>>> BUG: KASAN: use-after-free in eth_type_trans+0x100/0x260 >>>> ... >>>> Call trace: >>>> dump_backtrace+0xd8/0x130 >>>> show_stack+0x1c/0x50 >>>> dump_stack_lvl+0x64/0x7c >>>> print_address_description.constprop.0+0xbc/0x2e8 >>>> print_report+0x100/0x1e4 >>>> kasan_report+0x80/0x120 >>>> __asan_load8+0x78/0xa0 >>>> eth_type_trans+0x100/0x260 >>> >>> Crash happens from eth_type_trans() , this should happen before >>> ipv6_gro_receive() ? >>> >>> It seems your patch is unrelated. >>> >>> Please provide a repro. >> >> C repro put in attachment. > > This seems to be a bug in tun device. > > Please take more time to root cause this issue, instead of adding work > arounds all over the place. Hi Eric, Thank you for your suggestion. I have analyzed the problem more deeply. The odd IPv6 packet and big packet length value(IPv6 payload length more than 65535) together cause the problem. skb->network_header and skb->transport_header are all u16 type. They would occuer overflow errors during ipv6_gro_receive() processing. That cause the value error for __skb_push(skb, value). So the problem is a bug in tun device. I will combine my previous problem "net: tun: limit first seg size to avoid oversized linearization" together to give the fix patch later. Thanks. > > Thanks. > >> >>> >>> >>>> napi_gro_frags+0x164/0x550 >>>> tun_get_user+0xda4/0x1270 >>>> tun_chr_write_iter+0x74/0x130 >>>> do_iter_readv_writev+0x130/0x1ec >>>> do_iter_write+0xbc/0x1e0 >>>> vfs_writev+0x13c/0x26c >>>> >>>> Add comparison between skb->data - skb_gro_offset() and skb->head >>>> and exception handler before __skb_push() to fix the bug. >>>> >>>> Fixes: 86911732d399 ("gro: Avoid copying headers of unmerged packets") >>>> Signed-off-by: Ziyang Xuan >>>> --- >>>> net/ipv6/ip6_offload.c | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> diff --git a/net/ipv6/ip6_offload.c b/net/ipv6/ip6_offload.c >>>> index 3ee345672849..6659ccf25387 100644 >>>> --- a/net/ipv6/ip6_offload.c >>>> +++ b/net/ipv6/ip6_offload.c >>>> @@ -237,6 +237,10 @@ INDIRECT_CALLABLE_SCOPE struct sk_buff *ipv6_gro_receive(struct list_head *head, >>>> proto = ipv6_gso_pull_exthdrs(skb, proto); >>>> skb_gro_pull(skb, -skb_transport_offset(skb)); >>>> skb_reset_transport_header(skb); >>>> + if (unlikely(skb_headroom(skb) < skb_gro_offset(skb))) { >>> >>> This makes no sense to me. >>> >>> If there is a bug, it should be fixed earlier. >> >> Maybe it is good to validate IPv6 packet earlier in ipv6_gro_receive() or more earlier? >> >>> >>>> + kfree_skb(skb); >>>> + return ERR_PTR(-EINPROGRESS); >>>> + } >>>> __skb_push(skb, skb_gro_offset(skb)); >>>> >>>> ops = rcu_dereference(inet6_offloads[proto]); >>>> -- >>>> 2.25.1 >>>> >>> . >>> > . >