linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, caixf <ooppublic@163.com>,
	Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 082/100] ipv4: fix ip option filtering for locally generated fragments
Date: Mon, 31 Jan 2022 11:56:43 +0100	[thread overview]
Message-ID: <20220131105223.204395895@linuxfoundation.org> (raw)
In-Reply-To: <20220131105220.424085452@linuxfoundation.org>

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit 27a8caa59babb96c5890569e131bc0eb6d45daee ]

During IP fragmentation we sanitize IP options. This means overwriting
options which should not be copied with NOPs. Only the first fragment
has the original, full options.

ip_fraglist_prepare() copies the IP header and options from previous
fragment to the next one. Commit 19c3401a917b ("net: ipv4: place control
buffer handling away from fragmentation iterators") moved sanitizing
options before ip_fraglist_prepare() which means options are sanitized
and then overwritten again with the old values.

Fixing this is not enough, however, nor did the sanitization work
prior to aforementioned commit.

ip_options_fragment() (which does the sanitization) uses ipcb->opt.optlen
for the length of the options. ipcb->opt of fragments is not populated
(it's 0), only the head skb has the state properly built. So even when
called at the right time ip_options_fragment() does nothing. This seems
to date back all the way to v2.5.44 when the fast path for pre-fragmented
skbs had been introduced. Prior to that ip_options_build() would have been
called for every fragment (in fact ever since v2.5.44 the fragmentation
handing in ip_options_build() has been dead code, I'll clean it up in
-next).

In the original patch (see Link) caixf mentions fixing the handling
for fragments other than the second one, but I'm not sure how _any_
fragment could have had their options sanitized with the code
as it stood.

Tested with python (MTU on lo lowered to 1000 to force fragmentation):

  import socket
  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  s.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS,
               bytearray([7,4,5,192, 20|0x80,4,1,0]))
  s.sendto(b'1'*2000, ('127.0.0.1', 1234))

Before:

IP (tos 0x0, ttl 64, id 1053, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
    localhost.36500 > localhost.search-agent: UDP, length 2000
IP (tos 0x0, ttl 64, id 1053, offset 968, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
    localhost > localhost: udp
IP (tos 0x0, ttl 64, id 1053, offset 1936, flags [none], proto UDP (17), length 100, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
    localhost > localhost: udp

After:

IP (tos 0x0, ttl 96, id 42549, offset 0, flags [+], proto UDP (17), length 996, options (RR [bad length 4] [bad ptr 5] 192.148.4.1,,RA value 256))
    localhost.51607 > localhost.search-agent: UDP, bad length 2000 > 960
IP (tos 0x0, ttl 96, id 42549, offset 968, flags [+], proto UDP (17), length 996, options (NOP,NOP,NOP,NOP,RA value 256))
    localhost > localhost: udp
IP (tos 0x0, ttl 96, id 42549, offset 1936, flags [none], proto UDP (17), length 100, options (NOP,NOP,NOP,NOP,RA value 256))
    localhost > localhost: udp

RA (20 | 0x80) is now copied as expected, RR (7) is "NOPed out".

Link: https://lore.kernel.org/netdev/20220107080559.122713-1-ooppublic@163.com/
Fixes: 19c3401a917b ("net: ipv4: place control buffer handling away from fragmentation iterators")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: caixf <ooppublic@163.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_output.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index e77afaecc9818..4f76e8183f403 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -834,15 +834,24 @@ int ip_do_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
 		/* Everything is OK. Generate! */
 		ip_fraglist_init(skb, iph, hlen, &iter);
 
-		if (iter.frag)
-			ip_options_fragment(iter.frag);
-
 		for (;;) {
 			/* Prepare header of the next frame,
 			 * before previous one went down. */
 			if (iter.frag) {
+				bool first_frag = (iter.offset == 0);
+
 				IPCB(iter.frag)->flags = IPCB(skb)->flags;
 				ip_fraglist_prepare(skb, &iter);
+				if (first_frag && IPCB(skb)->opt.optlen) {
+					/* ipcb->opt is not populated for frags
+					 * coming from __ip_make_skb(),
+					 * ip_options_fragment() needs optlen
+					 */
+					IPCB(iter.frag)->opt.optlen =
+						IPCB(skb)->opt.optlen;
+					ip_options_fragment(iter.frag);
+					ip_send_check(iter.iph);
+				}
 			}
 
 			skb->tstamp = tstamp;
-- 
2.34.1




  parent reply	other threads:[~2022-01-31 11:10 UTC|newest]

Thread overview: 113+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-31 10:55 [PATCH 5.10 000/100] 5.10.96-rc1 review Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 001/100] Bluetooth: refactor malicious adv data check Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 002/100] media: venus: core: Drop second v4l2 device unregister Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 003/100] net: sfp: ignore disabled SFP node Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 004/100] net: stmmac: skip only stmmac_ptp_register when resume from suspend Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 005/100] s390/module: fix loading modules with a lot of relocations Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 006/100] s390/hypfs: include z/VM guests with access control group set Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 007/100] bpf: Guard against accessing NULL pt_regs in bpf_get_task_stack() Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 008/100] scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 009/100] udf: Restore i_lenAlloc when inode expansion fails Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 010/100] udf: Fix NULL ptr deref when converting from inline format Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 011/100] efi: runtime: avoid EFIv2 runtime services on Apple x86 machines Greg Kroah-Hartman
2022-02-03 20:52   ` Pavel Machek
2022-02-03 20:59     ` Matthew Garrett
2022-01-31 10:55 ` [PATCH 5.10 012/100] PM: wakeup: simplify the output logic of pm_show_wakelocks() Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 013/100] tracing/histogram: Fix a potential memory leak for kstrdup() Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 014/100] tracing: Dont inc err_log entry count if entry allocation fails Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 015/100] ceph: properly put ceph_string reference after async create attempt Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 016/100] ceph: set pool_ns in new inode layout for async creates Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 017/100] fsnotify: fix fsnotify hooks in pseudo filesystems Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 018/100] Revert "KVM: SVM: avoid infinite loop on NPF from bad address" Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 019/100] perf/x86/intel/uncore: Fix CAS_COUNT_WRITE issue for ICX Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 020/100] drm/etnaviv: relax submit size limits Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 021/100] KVM: x86: Update vCPUs runtime CPUID on write to MSR_IA32_XSS Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 022/100] arm64: errata: Fix exec handling in erratum 1418040 workaround Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 023/100] netfilter: nft_payload: do not update layer 4 checksum when mangling fragments Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 024/100] serial: 8250: of: Fix mapped region size when using reg-offset property Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 025/100] serial: stm32: fix software flow control transfer Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 026/100] tty: n_gsm: fix SW flow control encoding/handling Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 027/100] tty: Add support for Brainboxes UC cards Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 028/100] usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 029/100] usb: xhci-plat: fix crash when suspend if remote wake enable Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 030/100] usb: common: ulpi: Fix crash in ulpi_match() Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 031/100] usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 032/100] USB: core: Fix hang in usb_kill_urb by adding memory barriers Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 033/100] usb: typec: tcpm: Do not disconnect while receiving VBUS off Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 034/100] ucsi_ccg: Check DEV_INT bit only when starting CCG4 Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 035/100] jbd2: export jbd2_journal_[grab|put]_journal_head Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 036/100] ocfs2: fix a deadlock when commit trans Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 037/100] sched/membarrier: Fix membarrier-rseq fence command missing from query bitmask Greg Kroah-Hartman
2022-01-31 10:55 ` [PATCH 5.10 038/100] x86/MCE/AMD: Allow thresholding interface updates after init Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 039/100] powerpc/32s: Allocate one 256k IBAT instead of two consecutives 128k IBATs Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 040/100] powerpc/32s: Fix kasan_init_region() for KASAN Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 041/100] powerpc/32: Fix boot failure with GCC latent entropy plugin Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 042/100] i40e: Increase delay to 1 s after global EMP reset Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 043/100] i40e: Fix issue when maximum queues is exceeded Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 044/100] i40e: Fix queues reservation for XDP Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 045/100] i40e: Fix for failed to init adminq while VF reset Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 046/100] i40e: fix unsigned stat widths Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 047/100] usb: roles: fix include/linux/usb/role.h compile issue Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 048/100] rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 049/100] rpmsg: char: Fix race between the release of rpmsg_eptdev " Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 050/100] scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 051/100] ipv6_tunnel: Rate limit warning messages Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 052/100] ARM: 9170/1: fix panic when kasan and kprobe are enabled Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 053/100] net: fix information leakage in /proc/net/ptype Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 054/100] hwmon: (lm90) Mark alert as broken for MAX6646/6647/6649 Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 055/100] hwmon: (lm90) Mark alert as broken for MAX6680 Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 056/100] ping: fix the sk_bound_dev_if match in ping_lookup Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 057/100] ipv4: avoid using shared IP generator for connected sockets Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 058/100] hwmon: (lm90) Reduce maximum conversion rate for G781 Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 059/100] NFSv4: Handle case where the lookup of a directory fails Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 060/100] NFSv4: nfs_atomic_open() can race when looking up a non-regular file Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 061/100] net-procfs: show net devices bound packet types Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 062/100] drm/msm: Fix wrong size calculation Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 063/100] drm/msm/dsi: Fix missing put_device() call in dsi_get_phy Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 064/100] drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 065/100] ipv6: annotate accesses to fn->fn_sernum Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 066/100] NFS: Ensure the server has an up to date ctime before hardlinking Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 067/100] NFS: Ensure the server has an up to date ctime before renaming Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 068/100] powerpc64/bpf: Limit ldbrx to processors compliant with ISA v2.06 Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 069/100] netfilter: conntrack: dont increment invalid counter on NF_REPEAT Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 070/100] kernel: delete repeated words in comments Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 071/100] perf: Fix perf_event_read_local() time Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 072/100] sched/pelt: Relax the sync of util_sum with util_avg Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 073/100] net: phy: broadcom: hook up soft_reset for BCM54616S Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 074/100] phylib: fix potential use-after-free Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 075/100] octeontx2-pf: Forward error codes to VF Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 076/100] rxrpc: Adjust retransmission backoff Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 077/100] efi/libstub: arm64: Fix image check alignment at entry Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 078/100] hwmon: (lm90) Mark alert as broken for MAX6654 Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 079/100] powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 080/100] net: ipv4: Move ip_options_fragment() out of loop Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 081/100] net: ipv4: Fix the warning for dereference Greg Kroah-Hartman
2022-01-31 10:56 ` Greg Kroah-Hartman [this message]
2022-01-31 10:56 ` [PATCH 5.10 083/100] ibmvnic: init ->running_cap_crqs early Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 084/100] ibmvnic: dont spin in tasklet Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 085/100] video: hyperv_fb: Fix validation of screen resolution Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 086/100] drm/msm/hdmi: Fix missing put_device() call in msm_hdmi_get_phy Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 087/100] drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 088/100] yam: fix a memory leak in yam_siocdevprivate() Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 089/100] net: cpsw: Properly initialise struct page_pool_params Greg Kroah-Hartman
2022-01-31 20:19   ` Colin Foster
2022-02-01 10:37     ` Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 090/100] net: hns3: handle empty unknown interrupt for VF Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 091/100] Revert "ipv6: Honor all IPv6 PIO Valid Lifetime values" Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 092/100] net: bridge: vlan: fix single net device option dumping Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 093/100] ipv4: raw: lock the socket in raw_bind() Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 094/100] ipv4: tcp: send zero IPID in SYNACK messages Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 095/100] ipv4: remove sparse error in ip_neigh_gw4() Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 096/100] net: bridge: vlan: fix memory leak in __allowed_ingress Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 097/100] dt-bindings: can: tcan4x5x: fix mram-cfg RX FIFO config Greg Kroah-Hartman
2022-01-31 10:56 ` [PATCH 5.10 098/100] usr/include/Makefile: add linux/nfc.h to the compile-test coverage Greg Kroah-Hartman
2022-01-31 10:57 ` [PATCH 5.10 099/100] fsnotify: invalidate dcache before IN_DELETE event Greg Kroah-Hartman
2022-01-31 10:57 ` [PATCH 5.10 100/100] block: Fix wrong offset in bio_truncate() Greg Kroah-Hartman
2022-01-31 20:04 ` [PATCH 5.10 000/100] 5.10.96-rc1 review Florian Fainelli
2022-01-31 22:17 ` Shuah Khan
2022-02-01  4:24 ` Guenter Roeck
2022-02-01  7:49 ` Naresh Kamboju
2022-02-01 12:05 ` Pavel Machek
2022-02-01 12:45   ` Pavel Machek
2022-02-01 15:41 ` Sudip Mukherjee
2022-02-02  2:34 ` Fox Chen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220131105223.204395895@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ooppublic@163.com \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).