From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x227D2nJwnmbjhghgQE0W+iWZjLaHH6GO4wUdE23ZVActep0BHvNBoBk+0vnFdqwZholFunHE ARC-Seal: i=1; a=rsa-sha256; t=1517256763; cv=none; d=google.com; s=arc-20160816; b=IPZmnDE6zNa/aWbBfkzFY1DbvAs8rGnsmT1ecufyNJY1agUB4Uk64z2GWSxny3uL0X 3klGaUaGK3/abXOQ6NW1ZgEChkQEKwvyaIFGyA6npY0ix0uImGc1bfn/79ZwBq/+dTeU B+XIWxenL9AWNIGajHgUXqalgNn978O5xuSlF0y+A2pNrDxjQSH2DauOhhKpL+QgvP3L aHdKcUKhpyfXjlxblZ8oaYpEdimMreq1GHLtRAJ+R/NlxfOUhqkYWy2EF4Wc1HDHiKuN SFQxfaRnn+PKKeRNa0LJHUArBt08VEe0TJ4npI85FBB8g+Zw60eZAHZhCFEHoOk+YtMm 1AIw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=VuF6N5YJNnxPXTQTuz7QGtF5+rIRh+XmnDViMughAp4=; b=PxLk7/xIIAl381fnwRxrrXHYpMtnY135HOo2JaU8R5izosdPz8VaznsNaANSvwgB1L rUhlME4ehJT4Y1a0j96B2YElBVTjQZvLZF0PrDmEA6UB0F0NZkZ0r+BXVTOWFZSkYydT 1DJIjhuW9lTGfe5ivv+IOYFNt1ATL4InB6m902VcXZdnIF4iyCy2PiKnTwjXT+Iox1F0 L+HYw+bnrqao7zO5+HfRbdl1HAZtssNzekE1xcHYwAYJ13KBNhoSE6fFHtpTyHcK60bl UuiotShookDqSko8710aoTSBIPEyebSHRMqM2G9Jbb1Eo3MbkP4CxXD0RFO9L7QCsOnq 7TeQ== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , Willem de Bruijn , syzbot , Jason Wang , "David S. Miller" Subject: [PATCH 4.4 73/74] flow_dissector: properly cap thoff field Date: Mon, 29 Jan 2018 13:57:18 +0100 Message-Id: <20180129123850.827330374@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123847.507563674@linuxfoundation.org> References: <20180129123847.507563674@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590958519570698840?= X-GMAIL-MSGID: =?utf-8?q?1590959028228664269?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Dumazet [ Upstream commit d0c081b49137cd3200f2023c0875723be66e7ce5 ] syzbot reported yet another crash [1] that is caused by insufficient validation of DODGY packets. Two bugs are happening here to trigger the crash. 1) Flow dissection leaves with incorrect thoff field. 2) skb_probe_transport_header() sets transport header to this invalid thoff, even if pointing after skb valid data. 3) qdisc_pkt_len_init() reads out-of-bound data because it trusts tcp_hdrlen(skb) Possible fixes : - Full flow dissector validation before injecting bad DODGY packets in the stack. This approach was attempted here : https://patchwork.ozlabs.org/patch/ 861874/ - Have more robust functions in the core. This might be needed anyway for stable versions. This patch fixes the flow dissection issue. [1] CPU: 1 PID: 3144 Comm: syzkaller271204 Not tainted 4.15.0-rc4-mm1+ #49 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:355 [inline] kasan_report+0x23b/0x360 mm/kasan/report.c:413 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432 __tcp_hdrlen include/linux/tcp.h:35 [inline] tcp_hdrlen include/linux/tcp.h:40 [inline] qdisc_pkt_len_init net/core/dev.c:3160 [inline] __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465 dev_queue_xmit+0x17/0x20 net/core/dev.c:3554 packet_snd net/packet/af_packet.c:2943 [inline] packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968 sock_sendmsg_nosec net/socket.c:628 [inline] sock_sendmsg+0xca/0x110 net/socket.c:638 sock_write_iter+0x31a/0x5d0 net/socket.c:907 call_write_iter include/linux/fs.h:1776 [inline] new_sync_write fs/read_write.c:469 [inline] __vfs_write+0x684/0x970 fs/read_write.c:482 vfs_write+0x189/0x510 fs/read_write.c:544 SYSC_write fs/read_write.c:589 [inline] SyS_write+0xef/0x220 fs/read_write.c:581 entry_SYSCALL_64_fastpath+0x1f/0x96 Fixes: 34fad54c2537 ("net: __skb_flow_dissect() must cap its return value") Fixes: a6e544b0a88b ("flow_dissector: Jump to exit code in __skb_flow_dissect") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Reported-by: syzbot Acked-by: Jason Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/core/flow_dissector.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -492,8 +492,8 @@ ip_proto_again: out_good: ret = true; - key_control->thoff = (u16)nhoff; out: + key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); key_basic->n_proto = proto; key_basic->ip_proto = ip_proto; @@ -501,7 +501,6 @@ out: out_bad: ret = false; - key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen); goto out; } EXPORT_SYMBOL(__skb_flow_dissect);