From: Luis Henriques <luis.henriques@canonical.com>
To: Michal Kubecek <mkubecek@suse.cz>
Cc: Sabrina Dubroca <sd@queasysnail.net>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, stable@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Sasha Levin <sasha.levin@oracle.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>, Zefan Li <lizefan@huawei.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()
Date: Mon, 26 Oct 2015 11:25:42 +0000 [thread overview]
Message-ID: <20151026112542.GB2953@ares> (raw)
In-Reply-To: <20151023093946.GA9789@unicorn.suse.cz>
On Fri, Oct 23, 2015 at 11:39:46AM +0200, Michal Kubecek wrote:
> On Fri, Oct 23, 2015 at 11:22:19AM +0200, Sabrina Dubroca wrote:
> > Hello Michal,
> >
> > 2015-10-23, 10:46:09 +0200, Michal Kubecek wrote:
> > > Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")
> > > backport into pre-3.19 stable kernels introduces a regression causing
> > > null pointer dererefence in skb_copy_and_csum_datagram_iovec().
> > >
> > > This commit only sets CHECKSUM_UNNECESSARY for non-shared skb, allowing
> > > udp_recvmsg() to take the "else" branch of if (skb_csum_unnecessary(skb))
> > > when called with null iovec (and len=0, e.g. when peeking for datagram
> > > size first). The problem is that unlike skb_copy_and_csum_datagram_msg()
> > > called in this path since 3.19, skb_copy_and_csum_datagram_iovec() does
> > > not handle null iov parameter and always dereferences iov->iov_len. This
> > > is especially harmful when udp_recvmsg() is called in kernel context,
> > > e.g. from kernel nfsd.
> > >
> > > Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and
> > > only checking the checksum in this case.
> > >
> > > Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> > > ---
> >
> > I ran into this problem too and that was my initial solution to this
> > problem as well, but actually, we need a more complete fix, like the
> > one I submitted a few days ago:
> >
> > http://patchwork.ozlabs.org/patch/530642/
> >
> > With your solution, userspace can still receive bogus EFAULT, or the
> > kernel ends up writing data to an unwanted memory location.
>
> I must admit I wondered why skb_copy_and_csum_datagram_iovec() doesn't
> get (and check) read length and why it cannot overfill the buffer. But
> then I saw the comment "Caller _must_ check that skb will fit to this
> iovec", stopped thinking and assumed it's OK. I guess I should be less
> trusting... :-(
>
> Thank you for the warning.
>
> Michal Kubecek
I can confirm that we had this issue reported in our kernels too
(https://bugs.launchpad.net/bugs/1508510). I'll queue Sabrina's patch for
the next 3.16 stable kernel release. Thanks a lot!
Cheers,
--
Luís
WARNING: multiple messages have this Message-ID (diff)
From: Luis Henriques <luis.henriques@canonical.com>
To: Michal Kubecek <mkubecek@suse.cz>
Cc: Sabrina Dubroca <sd@queasysnail.net>,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org, stable@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
Sasha Levin <sasha.levin@oracle.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Jiri Slaby <jslaby@suse.cz>, Zefan Li <lizefan@huawei.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: Re: [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()
Date: Mon, 26 Oct 2015 11:25:42 +0000 [thread overview]
Message-ID: <20151026112542.GB2953@ares> (raw)
In-Reply-To: <20151023093946.GA9789@unicorn.suse.cz>
On Fri, Oct 23, 2015 at 11:39:46AM +0200, Michal Kubecek wrote:
> On Fri, Oct 23, 2015 at 11:22:19AM +0200, Sabrina Dubroca wrote:
> > Hello Michal,
> >
> > 2015-10-23, 10:46:09 +0200, Michal Kubecek wrote:
> > > Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking")
> > > backport into pre-3.19 stable kernels introduces a regression causing
> > > null pointer dererefence in skb_copy_and_csum_datagram_iovec().
> > >
> > > This commit only sets CHECKSUM_UNNECESSARY for non-shared skb, allowing
> > > udp_recvmsg() to take the "else" branch of if (skb_csum_unnecessary(skb))
> > > when called with null iovec (and len=0, e.g. when peeking for datagram
> > > size first). The problem is that unlike skb_copy_and_csum_datagram_msg()
> > > called in this path since 3.19, skb_copy_and_csum_datagram_iovec() does
> > > not handle null iov parameter and always dereferences iov->iov_len. This
> > > is especially harmful when udp_recvmsg() is called in kernel context,
> > > e.g. from kernel nfsd.
> > >
> > > Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and
> > > only checking the checksum in this case.
> > >
> > > Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
> > > ---
> >
> > I ran into this problem too and that was my initial solution to this
> > problem as well, but actually, we need a more complete fix, like the
> > one I submitted a few days ago:
> >
> > http://patchwork.ozlabs.org/patch/530642/
> >
> > With your solution, userspace can still receive bogus EFAULT, or the
> > kernel ends up writing data to an unwanted memory location.
>
> I must admit I wondered why skb_copy_and_csum_datagram_iovec() doesn't
> get (and check) read length and why it cannot overfill the buffer. But
> then I saw the comment "Caller _must_ check that skb will fit to this
> iovec", stopped thinking and assumed it's OK. I guess I should be less
> trusting... :-(
>
> Thank you for the warning.
>
> Michal Kubecek
I can confirm that we had this issue reported in our kernels too
(https://bugs.launchpad.net/bugs/1508510). I'll queue Sabrina's patch for
the next 3.16 stable kernel release. Thanks a lot!
Cheers,
--
Lu�s
next prev parent reply other threads:[~2015-10-26 11:25 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-23 8:46 [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec() Michal Kubecek
2015-10-23 9:22 ` Sabrina Dubroca
2015-10-23 9:39 ` Michal Kubecek
2015-10-26 11:25 ` Luis Henriques [this message]
2015-10-26 11:25 ` Luis Henriques
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151026112542.GB2953@ares \
--to=luis.henriques@canonical.com \
--cc=ben@decadent.org.uk \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=jslaby@suse.cz \
--cc=lizefan@huawei.com \
--cc=mkubecek@suse.cz \
--cc=netdev@vger.kernel.org \
--cc=sasha.levin@oracle.com \
--cc=sd@queasysnail.net \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.