* [PATCH net 0/3] Fix out of bounds when parsing TCP options @ 2021-06-09 14:22 Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy ` (2 more replies) 0 siblings, 3 replies; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw) To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Cc: Young Xiao, netdev, Maxim Mikityanskiy This series fixes out-of-bounds access in various places in the kernel where parsing of TCP options takes place. Fortunately, many more occurrences don't have this bug. Maxim Mikityanskiy (3): netfilter: synproxy: Fix out of bounds when parsing TCP options mptcp: Fix out of bounds when parsing TCP options sch_cake: Fix out of bounds when parsing TCP options net/mptcp/options.c | 2 ++ net/netfilter/nf_synproxy_core.c | 2 ++ net/sched/sch_cake.c | 4 ++++ 3 files changed, 8 insertions(+) -- 2.25.1 ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy @ 2021-06-09 14:22 ` Maxim Mikityanskiy 2021-06-09 14:51 ` Florian Westphal 2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy 2 siblings, 1 reply; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw) To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Cc: Young Xiao, netdev, Maxim Mikityanskiy The TCP option parser in synproxy (synproxy_parse_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). Cc: Young Xiao <92siuyang@gmail.com> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> --- net/netfilter/nf_synproxy_core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c index b100c04a0e43..621eb5ef9727 100644 --- a/net/netfilter/nf_synproxy_core.c +++ b/net/netfilter/nf_synproxy_core.c @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, length--; continue; default: + if (length < 2) + return true; opsize = *ptr++; if (opsize < 2) return true; -- 2.25.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy @ 2021-06-09 14:51 ` Florian Westphal 2021-06-10 7:05 ` Maxim Mikityanskiy 0 siblings, 1 reply; 11+ messages in thread From: Florian Westphal @ 2021-06-09 14:51 UTC (permalink / raw) To: Maxim Mikityanskiy Cc: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad, Young Xiao, netdev Maxim Mikityanskiy <maximmi@nvidia.com> wrote: > The TCP option parser in synproxy (synproxy_parse_options) could read > one byte out of bounds. When the length is 1, the execution flow gets > into the loop, reads one byte of the opcode, and if the opcode is > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds > the length of 1. > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > out of bounds when parsing TCP options."). > > Cc: Young Xiao <92siuyang@gmail.com> > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > --- > net/netfilter/nf_synproxy_core.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c > index b100c04a0e43..621eb5ef9727 100644 > --- a/net/netfilter/nf_synproxy_core.c > +++ b/net/netfilter/nf_synproxy_core.c > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, > length--; > continue; > default: > + if (length < 2) > + return true; Would you mind a v2 that also rejects bogus th->doff value when computing the length? Thanks. ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-09 14:51 ` Florian Westphal @ 2021-06-10 7:05 ` Maxim Mikityanskiy 2021-06-10 8:56 ` Florian Westphal 0 siblings, 1 reply; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-10 7:05 UTC (permalink / raw) To: Florian Westphal Cc: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad, Young Xiao, netdev On 2021-06-09 17:51, Florian Westphal wrote: > Maxim Mikityanskiy <maximmi@nvidia.com> wrote: >> The TCP option parser in synproxy (synproxy_parse_options) could read >> one byte out of bounds. When the length is 1, the execution flow gets >> into the loop, reads one byte of the opcode, and if the opcode is >> neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds >> the length of 1. >> >> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack >> out of bounds when parsing TCP options."). >> >> Cc: Young Xiao <92siuyang@gmail.com> >> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") >> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> >> --- >> net/netfilter/nf_synproxy_core.c | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c >> index b100c04a0e43..621eb5ef9727 100644 >> --- a/net/netfilter/nf_synproxy_core.c >> +++ b/net/netfilter/nf_synproxy_core.c >> @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, >> length--; >> continue; >> default: >> + if (length < 2) >> + return true; > > Would you mind a v2 that also rejects bogus th->doff value when > computing the length? Could you elaborate? The length is a signed int calculated as `(th->doff * 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we never enter the loop. Or are you concerned of passing a negative length to skb_header_pointer? > > Thanks. > ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-10 7:05 ` Maxim Mikityanskiy @ 2021-06-10 8:56 ` Florian Westphal 0 siblings, 0 replies; 11+ messages in thread From: Florian Westphal @ 2021-06-10 8:56 UTC (permalink / raw) To: Maxim Mikityanskiy Cc: Florian Westphal, Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad, Young Xiao, netdev Maxim Mikityanskiy <maximmi@nvidia.com> wrote: > On 2021-06-09 17:51, Florian Westphal wrote: > > Maxim Mikityanskiy <maximmi@nvidia.com> wrote: > > > The TCP option parser in synproxy (synproxy_parse_options) could read > > > one byte out of bounds. When the length is 1, the execution flow gets > > > into the loop, reads one byte of the opcode, and if the opcode is > > > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds > > > the length of 1. > > > > > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > > > out of bounds when parsing TCP options."). > > > > > > Cc: Young Xiao <92siuyang@gmail.com> > > > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target") > > > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > > > --- > > > net/netfilter/nf_synproxy_core.c | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c > > > index b100c04a0e43..621eb5ef9727 100644 > > > --- a/net/netfilter/nf_synproxy_core.c > > > +++ b/net/netfilter/nf_synproxy_core.c > > > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff, > > > length--; > > > continue; > > > default: > > > + if (length < 2) > > > + return true; > > > > Would you mind a v2 that also rejects bogus th->doff value when > > computing the length? > > Could you elaborate? The length is a signed int calculated as `(th->doff * > 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we > never enter the loop. Or are you concerned of passing a negative length to > skb_header_pointer? Yes, negative length to skb_header_pointer. For other usage (mptcp for example) tcp stack validated th->doff already, but thats not the case for synproxy. ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net 2/3] mptcp: Fix out of bounds when parsing TCP options 2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy @ 2021-06-09 14:22 ` Maxim Mikityanskiy 2021-06-10 0:07 ` Mat Martineau 2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy 2 siblings, 1 reply; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw) To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Cc: Young Xiao, netdev, Maxim Mikityanskiy The TCP option parser in mptcp (mptcp_get_options) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). Cc: Young Xiao <92siuyang@gmail.com> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> --- net/mptcp/options.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/mptcp/options.c b/net/mptcp/options.c index 6b825fb3fa83..9b263f27ce9b 100644 --- a/net/mptcp/options.c +++ b/net/mptcp/options.c @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, length--; continue; default: + if (length < 2) + return; opsize = *ptr++; if (opsize < 2) /* "silly options" */ return; -- 2.25.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH net 2/3] mptcp: Fix out of bounds when parsing TCP options 2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy @ 2021-06-10 0:07 ` Mat Martineau 0 siblings, 0 replies; 11+ messages in thread From: Mat Martineau @ 2021-06-10 0:07 UTC (permalink / raw) To: Maxim Mikityanskiy Cc: Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad, Young Xiao, netdev On Wed, 9 Jun 2021, Maxim Mikityanskiy wrote: > The TCP option parser in mptcp (mptcp_get_options) could read one byte > out of bounds. When the length is 1, the execution flow gets into the > loop, reads one byte of the opcode, and if the opcode is neither > TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the > length of 1. > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > out of bounds when parsing TCP options."). > > Cc: Young Xiao <92siuyang@gmail.com> > Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > --- > net/mptcp/options.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/mptcp/options.c b/net/mptcp/options.c > index 6b825fb3fa83..9b263f27ce9b 100644 > --- a/net/mptcp/options.c > +++ b/net/mptcp/options.c > @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb, > length--; > continue; > default: > + if (length < 2) > + return; > opsize = *ptr++; > if (opsize < 2) /* "silly options" */ > return; > -- > 2.25.1 Florian's comment on patch 1 prompted me to double-check th->doff validation, and for MPTCP we're covered by the check in tcp_v4_rcv(). So this patch looks good: Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com> If you send a v2 series, please also cc: mptcp@lists.linux.dev Thanks! -- Mat Martineau Intel ^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options 2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy @ 2021-06-09 14:22 ` Maxim Mikityanskiy 2021-06-09 21:51 ` Toke Høiland-Jørgensen 2 siblings, 1 reply; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw) To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Cc: Young Xiao, netdev, Maxim Mikityanskiy The TCP option parser in cake qdisc (cake_get_tcpopt and cake_tcph_may_drop) could read one byte out of bounds. When the length is 1, the execution flow gets into the loop, reads one byte of the opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the length of 1. This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack out of bounds when parsing TCP options."). Cc: Young Xiao <92siuyang@gmail.com> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> --- net/sched/sch_cake.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index 7d37638ee1c7..6b03eebf0a78 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c @@ -967,6 +967,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph, length--; continue; } + if (length < 2) + break; opsize = *ptr++; if (opsize < 2 || opsize > length) break; @@ -1104,6 +1106,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph, length--; continue; } + if (length < 2) + break; opsize = *ptr++; if (opsize < 2 || opsize > length) break; -- 2.25.1 ^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options 2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy @ 2021-06-09 21:51 ` Toke Høiland-Jørgensen 2021-06-10 11:19 ` Maxim Mikityanskiy 0 siblings, 1 reply; 11+ messages in thread From: Toke Høiland-Jørgensen @ 2021-06-09 21:51 UTC (permalink / raw) To: Maxim Mikityanskiy, Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Cc: Young Xiao, netdev, Maxim Mikityanskiy Maxim Mikityanskiy <maximmi@nvidia.com> writes: > The TCP option parser in cake qdisc (cake_get_tcpopt and > cake_tcph_may_drop) could read one byte out of bounds. When the length > is 1, the execution flow gets into the loop, reads one byte of the > opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads > one more byte, which exceeds the length of 1. > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack > out of bounds when parsing TCP options."). > > Cc: Young Xiao <92siuyang@gmail.com> > Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> Thanks for fixing this! Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options 2021-06-09 21:51 ` Toke Høiland-Jørgensen @ 2021-06-10 11:19 ` Maxim Mikityanskiy 2021-06-10 14:33 ` Toke Høiland-Jørgensen 0 siblings, 1 reply; 11+ messages in thread From: Maxim Mikityanskiy @ 2021-06-10 11:19 UTC (permalink / raw) To: Toke Høiland-Jørgensen, Florian Westphal Cc: Young Xiao, netdev, Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote: > Maxim Mikityanskiy <maximmi@nvidia.com> writes: > >> The TCP option parser in cake qdisc (cake_get_tcpopt and >> cake_tcph_may_drop) could read one byte out of bounds. When the length >> is 1, the execution flow gets into the loop, reads one byte of the >> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads >> one more byte, which exceeds the length of 1. >> >> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack >> out of bounds when parsing TCP options."). >> >> Cc: Young Xiao <92siuyang@gmail.com> >> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") >> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> > > Thanks for fixing this! > > Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> > Could you also review whether Florian's comment on patch 1 is relevant to this patch too? I have concerns about cake_get_tcphdr, which returns `skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize), buf)`. Although I don't see a way for it to get out of bounds (it will read garbage instead of TCP header in the worst case), such code doesn't look robust. It's not possible for it to get out of bounds, because there is a call to skb_header_pointer above with sizeof(_tcph), which ensures that the SKB has at least 20 bytes after the beginning of the TCP header, which means that the second skb_header_pointer will either point to SKB (where we have at least 20 bytes) or to buf (which is allocated by the caller, so the caller shouldn't overflow its own buffer). On the other hand, parsing garbage doesn't look like a valid behavior compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we may want to handle it, for example: return skb_header_pointer(skb, offset, - min(__tcp_hdrlen(tcph), bufsize), buf); + min(max(sizeof(struct tcphdr), __tcp_hdrlen(tcph)), bufsize), buf); What do you think? Or did I just miss some early check for doff? (I realize it's egress path and the packets produced by the system itself are unlikely to have bad doff, but it's not impossible, for example, with AF_PACKET, BPF hooks in tc, etc.) ^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options 2021-06-10 11:19 ` Maxim Mikityanskiy @ 2021-06-10 14:33 ` Toke Høiland-Jørgensen 0 siblings, 0 replies; 11+ messages in thread From: Toke Høiland-Jørgensen @ 2021-06-10 14:33 UTC (permalink / raw) To: Maxim Mikityanskiy, Florian Westphal Cc: Young Xiao, netdev, Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik, Jamal Hadi Salim, Cong Wang, Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni, Christoph Paasch, Peter Krystad Maxim Mikityanskiy <maximmi@nvidia.com> writes: > On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote: >> Maxim Mikityanskiy <maximmi@nvidia.com> writes: >> >>> The TCP option parser in cake qdisc (cake_get_tcpopt and >>> cake_tcph_may_drop) could read one byte out of bounds. When the length >>> is 1, the execution flow gets into the loop, reads one byte of the >>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads >>> one more byte, which exceeds the length of 1. >>> >>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack >>> out of bounds when parsing TCP options."). >>> >>> Cc: Young Xiao <92siuyang@gmail.com> >>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter") >>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> >> >> Thanks for fixing this! >> >> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk> >> > > Could you also review whether Florian's comment on patch 1 is relevant > to this patch too? I have concerns about cake_get_tcphdr, which returns > `skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize), > buf)`. Although I don't see a way for it to get out of bounds (it will > read garbage instead of TCP header in the worst case), such code doesn't > look robust. > > It's not possible for it to get out of bounds, because there is a call > to skb_header_pointer above with sizeof(_tcph), which ensures that the > SKB has at least 20 bytes after the beginning of the TCP header, which > means that the second skb_header_pointer will either point to SKB (where > we have at least 20 bytes) or to buf (which is allocated by the caller, > so the caller shouldn't overflow its own buffer). > > On the other hand, parsing garbage doesn't look like a valid behavior > compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we > may want to handle it, for example: > > return skb_header_pointer(skb, offset, > - min(__tcp_hdrlen(tcph), bufsize), buf); > + min(max(sizeof(struct tcphdr), > __tcp_hdrlen(tcph)), bufsize), buf); > > What do you think? Or did I just miss some early check for doff? No, I think your analysis is correct: It won't lead to any out-of-bounds reads, but I suppose we could end up trying to parse garbage. However, if we do get a packet that sets doff to an invalid value, and we try to parse it, we're essentially parsing garbage anyway. So I think the fix should rather be something like: diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c index 7d37638ee1c7..d312d75ab698 100644 --- a/net/sched/sch_cake.c +++ b/net/sched/sch_cake.c @@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb, } tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); - if (!tcph) + if (!tcph || tcph->doff < 5) return NULL; return skb_header_pointer(skb, offset, > (I realize it's egress path and the packets produced by the system > itself are unlikely to have bad doff, but it's not impossible, for > example, with AF_PACKET, BPF hooks in tc, etc.) Most CAKE deployments primarily handles forwarded packets, and I suppose malformed TCP packets could make it through the forwarding path as well... -Toke ^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-06-10 14:33 UTC | newest] Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy 2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy 2021-06-09 14:51 ` Florian Westphal 2021-06-10 7:05 ` Maxim Mikityanskiy 2021-06-10 8:56 ` Florian Westphal 2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy 2021-06-10 0:07 ` Mat Martineau 2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy 2021-06-09 21:51 ` Toke Høiland-Jørgensen 2021-06-10 11:19 ` Maxim Mikityanskiy 2021-06-10 14:33 ` Toke Høiland-Jørgensen
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.