diff mbox series

[v2,net] nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().

Message ID 20240424023549.21862-1-kuniyu@amazon.com (mailing list archive)
State Accepted
Commit 4b911a9690d72641879ea6d13cce1de31d346d79
Delegated to: Netdev Maintainers
Headers show
Series [v2,net] nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). | expand

Checks

Context Check Description
netdev/series_format success Single patches do not need cover letters
netdev/tree_selection success Clearly marked for net, async
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag present in non-next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 926 this patch: 926
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers warning 1 maintainers not CCed: dongchenchen2@huawei.com
netdev/build_clang success Errors and warnings before: 937 this patch: 937
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 937 this patch: 937
netdev/checkpatch warning WARNING: Possible repeated word: 'Google'
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest success net-next-2024-04-24--15-00 (tests: 995)

Commit Message

Kuniyuki Iwashima April 24, 2024, 2:35 a.m. UTC 
syzbot triggered various splats (see [0] and links) by a crafted GSO
packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:

  ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP

NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  As the inner
protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
skb_mac_gso_segment() to invoke inner protocol GSO handlers.

nsh_gso_segment() does the following for the original skb before
calling skb_mac_gso_segment()

  1. reset skb->network_header
  2. save the original skb->{mac_heaeder,mac_len} in a local variable
  3. pull the NSH header
  4. resets skb->mac_header
  5. set up skb->mac_len and skb->protocol for the inner protocol.

and does the following for the segmented skb

  6. set ntohs(ETH_P_NSH) to skb->protocol
  7. push the NSH header
  8. restore skb->mac_header
  9. set skb->mac_header + mac_len to skb->network_header
 10. restore skb->mac_len

There are two problems in 6-7 and 8-9.

  (a)
  After 6 & 7, skb->data points to the NSH header, so the outer header
  (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.

  Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
  skb_pull() in the first nsh_gso_segment() will make skb->data point
  to the middle of the outer NSH or Ethernet header because the Ethernet
  header is not pulled by the second nsh_gso_segment().

  (b)
  While restoring skb->{mac_header,network_header} in 8 & 9,
  nsh_gso_segment() does not assume that the data in the linear
  buffer is shifted.

  However, udp6_ufo_fragment() could shift the data and change
  skb->mac_header accordingly as demonstrated by syzbot.

  If this happens, even the restored skb->mac_header points to
  the middle of the outer header.

It seems nsh_gso_segment() has never worked with outer headers so far.

At the end of nsh_gso_segment(), the outer header must be restored for
the segmented skb, instead of the NSH header.

To do that, let's calculate the outer header position relatively from
the inner header and set skb->{data,mac_header,protocol} properly.

[0]:
BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
 ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
 ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
 ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
 ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
 __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
 netdev_start_xmit include/linux/netdevice.h:5003 [inline]
 xmit_one net/core/dev.c:3547 [inline]
 dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
 __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
 slab_post_alloc_hook mm/slub.c:3819 [inline]
 slab_alloc_node mm/slub.c:3860 [inline]
 __do_kmalloc_node mm/slub.c:3980 [inline]
 __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
 kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
 __alloc_skb+0x352/0x790 net/core/skbuff.c:651
 skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
 udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
 ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
 skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
 nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
 skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
 __skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
 skb_gso_segment include/net/gso.h:83 [inline]
 validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
 __dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
 dev_queue_xmit include/linux/netdevice.h:3171 [inline]
 packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3081 [inline]
 packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 __sys_sendto+0x735/0xa10 net/socket.c:2191
 __do_sys_sendto net/socket.c:2203 [inline]
 __se_sys_sendto net/socket.c:2199 [inline]
 __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024

Fixes: c411ed854584 ("nsh: add GSO support")
Reported-and-tested-by: syzbot+42a0dc856239de4de60e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=42a0dc856239de4de60e
Reported-and-tested-by: syzbot+c298c9f0e46a3c86332b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c298c9f0e46a3c86332b
Link: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
v2: Fix issue in the NSH side
v1: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
---
 net/nsh/nsh.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

Comments

Eric Dumazet April 24, 2024, 1:12 p.m. UTC | #1 
On Wed, Apr 24, 2024 at 4:36 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> syzbot triggered various splats (see [0] and links) by a crafted GSO
> packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
>
>   ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
>
> NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  As the inner
> protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
> skb_mac_gso_segment() to invoke inner protocol GSO handlers.
>
> nsh_gso_segment() does the following for the original skb before
> calling skb_mac_gso_segment()
>
>   1. reset skb->network_header
>   2. save the original skb->{mac_heaeder,mac_len} in a local variable
>   3. pull the NSH header
>   4. resets skb->mac_header
>   5. set up skb->mac_len and skb->protocol for the inner protocol.
>
> and does the following for the segmented skb
>
>   6. set ntohs(ETH_P_NSH) to skb->protocol
>   7. push the NSH header
>   8. restore skb->mac_header
>   9. set skb->mac_header + mac_len to skb->network_header
>  10. restore skb->mac_len
>
> There are two problems in 6-7 and 8-9.
>
>   (a)
>   After 6 & 7, skb->data points to the NSH header, so the outer header
>   (ETH_P_8021AD in this case) is stripped when skb is sent out of netdev.
>
>   Also, if NSH is encapsulated by NSH + Ethernet (so NSH-Ethernet-NSH),
>   skb_pull() in the first nsh_gso_segment() will make skb->data point
>   to the middle of the outer NSH or Ethernet header because the Ethernet
>   header is not pulled by the second nsh_gso_segment().
>
>   (b)
>   While restoring skb->{mac_header,network_header} in 8 & 9,
>   nsh_gso_segment() does not assume that the data in the linear
>   buffer is shifted.
>
>   However, udp6_ufo_fragment() could shift the data and change
>   skb->mac_header accordingly as demonstrated by syzbot.
>
>   If this happens, even the restored skb->mac_header points to
>   the middle of the outer header.
>
> It seems nsh_gso_segment() has never worked with outer headers so far.
>
> At the end of nsh_gso_segment(), the outer header must be restored for
> the segmented skb, instead of the NSH header.
>
> To do that, let's calculate the outer header position relatively from
> the inner header and set skb->{data,mac_header,protocol} properly.
>
> [0]:
> BUG: KMSAN: uninit-value in ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
> BUG: KMSAN: uninit-value in ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
> BUG: KMSAN: uninit-value in ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
>  ipvlan_process_outbound drivers/net/ipvlan/ipvlan_core.c:524 [inline]
>  ipvlan_xmit_mode_l3 drivers/net/ipvlan/ipvlan_core.c:602 [inline]
>  ipvlan_queue_xmit+0xf44/0x16b0 drivers/net/ipvlan/ipvlan_core.c:668
>  ipvlan_start_xmit+0x5c/0x1a0 drivers/net/ipvlan/ipvlan_main.c:222
>  __netdev_start_xmit include/linux/netdevice.h:4989 [inline]
>  netdev_start_xmit include/linux/netdevice.h:5003 [inline]
>  xmit_one net/core/dev.c:3547 [inline]
>  dev_hard_start_xmit+0x244/0xa10 net/core/dev.c:3563
>  __dev_queue_xmit+0x33ed/0x51c0 net/core/dev.c:4351
>  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
>  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
>  packet_snd net/packet/af_packet.c:3081 [inline]
>  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg net/socket.c:745 [inline]
>  __sys_sendto+0x735/0xa10 net/socket.c:2191
>  __do_sys_sendto net/socket.c:2203 [inline]
>  __se_sys_sendto net/socket.c:2199 [inline]
>  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> Uninit was created at:
>  slab_post_alloc_hook mm/slub.c:3819 [inline]
>  slab_alloc_node mm/slub.c:3860 [inline]
>  __do_kmalloc_node mm/slub.c:3980 [inline]
>  __kmalloc_node_track_caller+0x705/0x1000 mm/slub.c:4001
>  kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
>  __alloc_skb+0x352/0x790 net/core/skbuff.c:651
>  skb_segment+0x20aa/0x7080 net/core/skbuff.c:4647
>  udp6_ufo_fragment+0xcab/0x1150 net/ipv6/udp_offload.c:109
>  ipv6_gso_segment+0x14be/0x2ca0 net/ipv6/ip6_offload.c:152
>  skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
>  nsh_gso_segment+0x6f4/0xf70 net/nsh/nsh.c:108
>  skb_mac_gso_segment+0x3e8/0x760 net/core/gso.c:53
>  __skb_gso_segment+0x4b0/0x730 net/core/gso.c:124
>  skb_gso_segment include/net/gso.h:83 [inline]
>  validate_xmit_skb+0x107f/0x1930 net/core/dev.c:3628
>  __dev_queue_xmit+0x1f28/0x51c0 net/core/dev.c:4343
>  dev_queue_xmit include/linux/netdevice.h:3171 [inline]
>  packet_xmit+0x9c/0x6b0 net/packet/af_packet.c:276
>  packet_snd net/packet/af_packet.c:3081 [inline]
>  packet_sendmsg+0x8aef/0x9f10 net/packet/af_packet.c:3113
>  sock_sendmsg_nosec net/socket.c:730 [inline]
>  __sock_sendmsg net/socket.c:745 [inline]
>  __sys_sendto+0x735/0xa10 net/socket.c:2191
>  __do_sys_sendto net/socket.c:2203 [inline]
>  __se_sys_sendto net/socket.c:2199 [inline]
>  __x64_sys_sendto+0x125/0x1c0 net/socket.c:2199
>  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> CPU: 1 PID: 5101 Comm: syz-executor421 Not tainted 6.8.0-rc5-syzkaller-00297-gf2e367d6ad3b #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024
>
> Fixes: c411ed854584 ("nsh: add GSO support")
> Reported-and-tested-by: syzbot+42a0dc856239de4de60e@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=42a0dc856239de4de60e
> Reported-and-tested-by: syzbot+c298c9f0e46a3c86332b@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=c298c9f0e46a3c86332b
> Link: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> ---
> v2: Fix issue in the NSH side
> v1: https://lore.kernel.org/netdev/20240415222041.18537-1-kuniyu@amazon.com/
> ---
>  net/nsh/nsh.c | 14 ++++++++------
>  1 file changed, 8 insertions(+), 6 deletions(-)
>
> diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
> index f4a38bd6a7e0..bfb7758063f3 100644
> --- a/net/nsh/nsh.c
> +++ b/net/nsh/nsh.c
> @@ -77,13 +77,15 @@ EXPORT_SYMBOL_GPL(nsh_pop);
>  static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
>                                        netdev_features_t features)
>  {
> +       unsigned int outer_hlen, mac_len, nsh_len;
>         struct sk_buff *segs = ERR_PTR(-EINVAL);
>         u16 mac_offset = skb->mac_header;
> -       unsigned int nsh_len, mac_len;
> -       __be16 proto;
> +       __be16 outer_proto, proto;
>
>         skb_reset_network_header(skb);
>
> +       outer_proto = skb->protocol;
> +       outer_hlen = skb_mac_header_len(skb);
>         mac_len = skb->mac_len;
>
>         if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
> @@ -113,10 +115,10 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
>         }
>
>         for (skb = segs; skb; skb = skb->next) {
> -               skb->protocol = htons(ETH_P_NSH);
> -               __skb_push(skb, nsh_len);
> -               skb->mac_header = mac_offset;
> -               skb->network_header = skb->mac_header + mac_len;
> +               skb->protocol = outer_proto;
> +               __skb_push(skb, nsh_len + outer_hlen);
> +               skb_reset_mac_header(skb);
> +               skb_set_network_header(skb, outer_hlen);
>                 skb->mac_len = mac_len;
>         }
>


Lets Cc Dong Chenchen <dongchenchen2@huawei.com>

Prior work here was :

commit c83b49383b595be50647f0c764a48c78b5f3c4f8
Author: Dong Chenchen <dongchenchen2@huawei.com>
Date:   Thu May 11 20:54:40 2023 +0800

    net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
patchwork-bot+netdevbpf@kernel.org April 26, 2024, 10:50 a.m. UTC | #2 
Hello:

This patch was applied to netdev/net.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Tue, 23 Apr 2024 19:35:49 -0700 you wrote:
> syzbot triggered various splats (see [0] and links) by a crafted GSO
> packet of VIRTIO_NET_HDR_GSO_UDP layering the following protocols:
> 
>   ETH_P_8021AD + ETH_P_NSH + ETH_P_IPV6 + IPPROTO_UDP
> 
> NSH can encapsulate IPv4, IPv6, Ethernet, NSH, and MPLS.  As the inner
> protocol can be Ethernet, NSH GSO handler, nsh_gso_segment(), calls
> skb_mac_gso_segment() to invoke inner protocol GSO handlers.
> 
> [...]

Here is the summary with links:
  - [v2,net] nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
    https://git.kernel.org/netdev/net/c/4b911a9690d7

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index f4a38bd6a7e0..bfb7758063f3 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -77,13 +77,15 @@  EXPORT_SYMBOL_GPL(nsh_pop);
 static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 				       netdev_features_t features)
 {
+	unsigned int outer_hlen, mac_len, nsh_len;
 	struct sk_buff *segs = ERR_PTR(-EINVAL);
 	u16 mac_offset = skb->mac_header;
-	unsigned int nsh_len, mac_len;
-	__be16 proto;
+	__be16 outer_proto, proto;
 
 	skb_reset_network_header(skb);
 
+	outer_proto = skb->protocol;
+	outer_hlen = skb_mac_header_len(skb);
 	mac_len = skb->mac_len;
 
 	if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
@@ -113,10 +115,10 @@  static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 	}
 
 	for (skb = segs; skb; skb = skb->next) {
-		skb->protocol = htons(ETH_P_NSH);
-		__skb_push(skb, nsh_len);
-		skb->mac_header = mac_offset;
-		skb->network_header = skb->mac_header + mac_len;
+		skb->protocol = outer_proto;
+		__skb_push(skb, nsh_len + outer_hlen);
+		skb_reset_mac_header(skb);
+		skb_set_network_header(skb, outer_hlen);
 		skb->mac_len = mac_len;
 	}