From mboxrd@z Thu Jan 1 00:00:00 1970 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751335AbeABRYL (ORCPT + 1 other); Tue, 2 Jan 2018 12:24:11 -0500 Received: from mail-oi0-f42.google.com ([209.85.218.42]:46025 "EHLO mail-oi0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751047AbeABRYJ (ORCPT ); Tue, 2 Jan 2018 12:24:09 -0500 X-Google-Smtp-Source: ACJfBouLu/ejwBzeiUM6Uuc5PGnteM1SLDOtqemQUmRmtLXpC/7lVyuxwH6Xu3rhincFERPEVi3/L0IMj/u1my4KH8g= MIME-Version: 1.0 In-Reply-To: References: <001a1137452496ffc305617e5fe0@google.com> <20171231005220.GD22042@localhost.localdomain> From: Willem de Bruijn Date: Tue, 2 Jan 2018 18:23:27 +0100 Message-ID: Subject: Re: general protection fault in skb_segment To: Marcelo Ricardo Leitner Cc: syzbot , David Miller , LKML , linux-sctp@vger.kernel.org, Network Development , Neil Horman , syzkaller-bugs@googlegroups.com, Vladislav Yasevich Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: > Actually, changes just to inet_gso_segment and ipv6_gso_segment > will suffice: > > bool udpfrag = false, fixedid = false, gso_partial, encap; > struct sk_buff *segs = ERR_PTR(-EINVAL); > + unsigned int offset = 0, gso_type; > const struct net_offload *ops; > - unsigned int offset = 0; > struct iphdr *iph; > int proto, tot_len; > int nhoff; 
> @@ -1258,6 +1258,22 @@ struct sk_buff *inet_gso_segment(struct sk_buff *skb, > > skb_reset_transport_header(skb); > > + gso_type = skb_shinfo(skb)->gso_type; > + if (gso_type & SKB_GSO_DODGY) { > + switch (gso_type & (SKB_GSO_TCPV4 | SKB_GSO_UDP)) { > + case SKB_GSO_TCPV4: > + if (proto != IPPROTO_TCP) > + goto out; > + break; > + case SKB_GSO_UDP: > + if (proto != IPPROTO_UDP) > + goto out; > + break; > + default: > + goto out; > + } > + } > > and analogous for IPv6. For a real patch I would deduplicate this > logic between them and move it to a separate helper function > (in a header file, then). This approach would also need an skb->protocol check either in virtio_net_hdr_to_skb or skb_mac_gso_segment.
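Review bot: in the inet_gso_segment hunk every rejection is a bare `goto out`, and the only value of `segs` visible in the declaration hunk is `ERR_PTR(-EINVAL)`; please confirm that nothing between the declarations and `skb_reset_transport_header(skb)` reassigns `segs`, so that `out:` still hands the caller an error pointer rather than a NULL or a partially built list. The `default:` arm also rejects a DODGY skb whose gso_type carries neither `SKB_GSO_TCPV4` nor `SKB_GSO_UDP` (for instance a TCPV6 type on an IPv4 packet, or both bits set at once); that is the right outcome, but a comment above `if (gso_type & SKB_GSO_DODGY) {` saying that DODGY marks gso metadata supplied from an untrusted source whose `gso_type` may disagree with the protocol parsed into `proto` would make the intent clear. As the reply itself notes, comparing `proto` only catches a layer-4 mismatch and not an IPv4/IPv6 one, so the helper proposed for deduplicating the two functions would be a natural place to take `skb->protocol` alongside `proto`.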