Received: by 2002:a05:6500:2018:b0:1fb:9675:f89d with SMTP id t24csp139807lqh; Thu, 30 May 2024 17:26:42 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCVpHQXjT9GWGwuYrLTtVT4VRuBgDmrJ5l12a39Ztsu+OGnqSMQFAAkyBlEXrEIf4scHpJcoH9IzBwgvPdep9OAki5r5eJZJu1fSdPbKwQ== X-Google-Smtp-Source: AGHT+IHeaxowEb9EBRQqkk+B8v0/FaimitP+iTMfrj8RGEvZleTb5WIErgYQDuogUMoq1fM4F52R X-Received: by 2002:a05:6214:4a90:b0:6ad:7a51:f966 with SMTP id 6a1803df08f44-6aecd69c605mr6327906d6.33.1717115202259; Thu, 30 May 2024 17:26:42 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1717115202; cv=pass; d=google.com; s=arc-20160816; b=h0ERXMTGQa6qa7Kq5l/EFCWLplVAggJCE9HQbix8oIYRVkJ3a8lmiAdlX/LcRIFvBR OC2+i6H2fYl83SKCbs/tKe8M/Vi/VM9TOsQ41DmejW6MXk3ynZyioViGHyuqTkBEgMvb fVuCQg0fQggH9KqfuI2010iabt8xFBwGVEUl2nJKa2BTpPc+4H/1l+GtVmkjGH5TYPlO a2FdxScxa+QktBLNdg8FQllSB+ONH9arMegSHNc5xHJlbVHqnBo6xqqk+w/Oq1aM8fxi +V4OiihdsCH4F7D0Z6HVS5CeCCsnDxT7ueznTd8NrO7khcojFBBmQd5gEknkg2/uGcvS bXHA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=aipVkvfwSPi3x65R9DjuBZzar5P1bHnBi9T0bdxSFnE=; fh=TNSEVscPEpnQ4NivaWYYXNWHJuogSI33JsqrOcLzpRQ=; b=yl/c33nODSfbUrxwg34LB3L/aEGg3eiz0A7K0b59VIY/XYzndiVBkNTxyHW2kEQ1O9 ZU7bu1e92xeL7ir4rl4/i4hr0OGAzyxd50T5dWRulP5IbRkGKo/VHmUFGAxMzRDT/2Bf h01g/ph10HvJW8mj0nmSVjiiSJBM+v5Cyp+Qn0ZljBX63/q9zS/aHYvNXQbhDcudZmHm LT+WcEsFAEn12bWCxLTn7Kw6Tdzk8Y7xmVjx0dvM962EitJc3E6w0Qyrg98CDDQuwb6e uRi4NKF6t0Otr+rn2hEUTC+ButdA62pTtPJMZh8+U0eakx3TiKA3KyEGTkN+zRLILcr8 /iKA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=XyzF3D0W; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-196076-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196076-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223]) by mx.google.com with ESMTPS id 6a1803df08f44-6ae4b417c2fsi8420286d6.403.2024.05.30.17.26.42 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 May 2024 17:26:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-196076-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=XyzF3D0W; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-196076-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-196076-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id E928D1C23BDA for ; Fri, 31 May 2024 00:26:41 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 359F84C8F; Fri, 31 May 2024 00:26:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="XyzF3D0W" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A76EE17E9 for ; Fri, 31 May 2024 00:26:32 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717115194; cv=none; b=eTmc0eYvF6YjADtHRbyEMYNg6abc1FCH/3zdUYeFB6OURv8jSwPlVhnDEtKztTy8h4nqNHSyw0/djB+E0aav4suKoWk6pf/fgR/QW5A9kvn895fv/3ZiJMj25ElYb94fOeBA87/vaStUng4yKmoqemaTJY/QBTEzFfB77ny3LAs= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1717115194; c=relaxed/simple; bh=yF+ay1y7SPCrJDKzpmXB3jKBVDA5cGjvnwHThdq9z8Q=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=Gs0thwNqZ5/38YhtlahQ4nTF9oqK9bJxWIHyvbuhNWOpwE1BWXsz2V57A1nQ34NCW20cB6Kcc9bmfjNFDWV36FsV4M+vnYWd0KeRdN9mdeRk2jGP1gT8cFgKhgAmNfLNYK8CE1XWPZ5vZAOjtZLxrBm3ArDxaHtDHKJ//iiq3zo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=XyzF3D0W; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1717115191; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=aipVkvfwSPi3x65R9DjuBZzar5P1bHnBi9T0bdxSFnE=; b=XyzF3D0WAifnUGfONUgCKrpWuKKRe4XZURVDySyNIFlFxfCKiSznH2OM5BDU/jWSDNb8O8 q5lbseymdRvYgyoqC4IGUMc3fYflZyreONZSNr4n7qNrDEj0u6A1NWJFQvFCR9Nd7whFWQ vDUWR1vsQP5JtdAGXl40JoTXtcD4pJU= Received: from mail-pj1-f71.google.com (mail-pj1-f71.google.com [209.85.216.71]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-44-SCqrJ5bkMRCm3z5FhLq8CA-1; Thu, 30 May 2024 20:26:30 -0400 X-MC-Unique: SCqrJ5bkMRCm3z5FhLq8CA-1 Received: by mail-pj1-f71.google.com with SMTP id 98e67ed59e1d1-2bf7dd49cbaso1224232a91.1 for ; Thu, 30 May 2024 17:26:29 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1717115189; x=1717719989; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=aipVkvfwSPi3x65R9DjuBZzar5P1bHnBi9T0bdxSFnE=; b=qwJcyKxUchC7nkQMtl/0Ez3lPGQGAwJl1XUkKkzW53vK1e46pStPXuODY855Xi3IzH RTqDXJwtgiHLIDFVf7KldsdR1Ip21Q32ClSpkW2zkz+ONkeWFbx1ssLigrA6QX3vGwvu CLx7EhAGQGva8CexVNvzTYE4m0rVhde9bJ+Ws99qYmq6n2FKkW7gB5j3zzOY6FBXhFI8 AEnssEdYknQTVZ7maQqHeIRZB+seHfFp90PFf9HiGOpnqv/7/VK9wSoF0Y1Vp7hyYoa5 FYI5l8AoxjMofBpXubSxMCDHGUaaChA/pobeELUEkl8RYZoaw53EN+88XK39MGMK+7wa VJrQ== X-Forwarded-Encrypted: i=1; AJvYcCWXOdeIcXNElUFSiL63AKllCrzwH23Hk5MRpUp38RnM2Id1fJvI/eWRI9XtyycLcANULI/y1Nnn0NrF49nuxc/qCB9BGF9TWZy+j4sN X-Gm-Message-State: AOJu0YzSxoSw4HqNciBnBOJuvP3L6TRSSNizGluud/6nxSF64cdm8/qZ NP/6zchY/1idGOsiwxEf/3mkgFeHcvpBRx/Jk4fJYcpi/Rez+aIr4Shv2YEKMSH14GPQW2QPmoQ NcPpsGa/GkuuCE2X4mOyQ4LevdIuCiMgDoXKFooHMXuN5XoaH0sA4+ycIp9eebNkhTqIdoxE5/w HOLOKwhG/4M4DcQj6WXUaRViYGDVv84cU5EGVI X-Received: by 2002:a17:90a:ee8d:b0:2c1:903a:70c0 with SMTP id 98e67ed59e1d1-2c1dc56da0cmr314180a91.7.1717115188981; Thu, 30 May 2024 17:26:28 -0700 (PDT) X-Received: by 2002:a17:90a:ee8d:b0:2c1:903a:70c0 with SMTP id 98e67ed59e1d1-2c1dc56da0cmr314157a91.7.1717115188478; Thu, 30 May 2024 17:26:28 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <1717026141-25716-1-git-send-email-si-wei.liu@oracle.com> <490d42c8-5361-4db4-a5d1-3f992f4b8003@oracle.com> In-Reply-To: <490d42c8-5361-4db4-a5d1-3f992f4b8003@oracle.com> From: Jason Wang Date: Fri, 31 May 2024 08:26:17 +0800 Message-ID: Subject: Re: [PATCH] net: tap: validate metadata and length for XDP buff before building up skb To: Si-Wei Liu Cc: willemdebruijn.kernel@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org, mst@redhat.com, boris.ostrovsky@oracle.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, May 31, 2024 at 5:05=E2=80=AFAM Si-Wei Liu = wrote: > > > > On 5/29/2024 7:26 PM, Jason Wang wrote: > > On Thu, May 30, 2024 at 8:54=E2=80=AFAM Si-Wei Liu wrote: > >> The cited commit missed to check against the validity of the length > >> and various pointers on the XDP buff metadata in the tap_get_user_xdp(= ) > >> path, which could cause a corrupted skb to be sent downstack. For > >> instance, tap_get_user() prohibits short frame which has the length > >> less than Ethernet header size from being transmitted, while the > >> skb_set_network_header() in tap_get_user_xdp() would set skb's > >> network_header regardless of the actual XDP buff data size. This > >> could either cause out-of-bound access beyond the actual length, or > >> confuse the underlayer with incorrect or inconsistent header length > >> in the skb metadata. > >> > >> Propose to drop any frame shorter than the Ethernet header size just > >> like how tap_get_user() does. While at it, validate the pointers in > >> XDP buff to avoid potential size overrun. > >> > >> Fixes: 0efac27791ee ("tap: accept an array of XDP buffs through sendms= g()") > >> Cc: jasowang@redhat.com > >> Signed-off-by: Si-Wei Liu > >> --- > >> drivers/net/tap.c | 7 +++++++ > >> 1 file changed, 7 insertions(+) > >> > >> diff --git a/drivers/net/tap.c b/drivers/net/tap.c > >> index bfdd3875fe86..69596479536f 100644 > >> --- a/drivers/net/tap.c > >> +++ b/drivers/net/tap.c > >> @@ -1177,6 +1177,13 @@ static int tap_get_user_xdp(struct tap_queue *q= , struct xdp_buff *xdp) > >> struct sk_buff *skb; > >> int err, depth; > >> > >> + if (unlikely(xdp->data < xdp->data_hard_start || > >> + xdp->data_end < xdp->data || > >> + xdp->data_end - xdp->data < ETH_HLEN)) { > >> + err =3D -EINVAL; > >> + goto err; > >> + } > > For ETH_HLEN check, is it better to do it in vhost-net? > Not sure. Initially I thought about this as well, but changed mind. > Although the TUN_MSG_PTR interface was specifically customized for > vhost-net in the kernel, could there be any userspace app do sendmsg() > also with customized TUN_MSG_PTR control message over tap's fd? If > that's possible in reality, I guess limiting the fix to only vhost-net > in the kernel is narrow scoped. I think not, sendmsg() can't be used for tuntap. > > Additionally, it seems just the skb delivery path in the tap driver (or > tuntap) that populates the relevant skb field needs the ETH_HLEN check, > the XDP fast path can just transmit or forward xdp buff as-is without > having to check the (header) length of payload data. That said, it may > break some guest applications that intentionally send out short frames > (for test purpose?) I don't think so, various hypervisors will just drop short ethernet frames. > if unconditionally drop all of them from the vhost-net. > > > It seems tuntap suffers from this as well. > True, theoretically I can fix tuntap as well, but I don't have a setup > to test out the code change thoroughly. Any volunteer here to do so > (test it or fix it)? It should be easier than the tap. If you can't find one, I can test. > > > > > And for the check for other xdp fields, it deserves a BUG_ON() or at > > least WARN_ON() as they are set by vhost-net. > Hmmm, WARN_ON may be fine (I don't see userspace is prevented from > fabricating such invalid addresses through the TUN_MSG_PTR uAPI). Tap doesn't export socket objects to userspace, so it's not an uAPI. Thanks > > -Siwei > > > > Thanks > > > >> + > >> if (q->flags & IFF_VNET_HDR) > >> vnet_hdr_len =3D READ_ONCE(q->vnet_hdr_sz); > >> > >> -- > >> 2.39.3 > >> >