X-Patchwork-Submitter: Vasily Averin
X-Patchwork-Id: 11968429
X-Patchwork-Delegate: kuba@kernel.org
From: Vasily Averin
Subject: [PATCH] net: check skb partial checksum offset after trim
To: "David S. Miller", Jakub Kicinski
Cc: netdev@vger.kernel.org
Message-ID: <7080e8a3-6eaa-e9e1-afd8-b1eef38d1e89@virtuozzo.com>
Date: Fri, 11 Dec 2020 18:00:55 +0300

syzkaller reproduces BUG_ON in skb_checksum_help():
tun creates skb with big partial checksum area and small ip packet inside, then
ip_rcv() decreases skb size of below length of checksummed area,
then checksum_tg() called via netfilter hook detects incorrect skb:

        offset = skb_checksum_start_offset(skb);
        BUG_ON(offset >= skb_headlen(skb));

This patch drops CHECKSUM_PARTIAL mark when skb is trimmed below size
of checksummed area.

Link: https://syzkaller.appspot.com/bug?id=b419a5ca95062664fe1a60b764621eb4526e2cd0
Reported-by: syzbot+7010af67ced6105e5ab6@syzkaller.appspotmail.com
Signed-off-by: Vasily Averin
--- include/linux/skbuff.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index a828cf9..0a9545d 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -3419,9 +3419,18 @@ static inline void *skb_push_rcsum(struct sk_buff *skb, unsigned int len) static inline int pskb_trim_rcsum(struct sk_buff *skb, unsigned int len) { + int ret; + if (likely(len >= skb->len)) return 0; - return pskb_trim_rcsum_slow(skb, len); + ret = pskb_trim_rcsum_slow(skb, len); + if (!ret && (skb->ip_summed == CHECKSUM_PARTIAL)) { + int offset = skb_checksum_start_offset(skb) + skb->csum_offset; + + if (offset + sizeof(__sum16) > skb_headlen(skb)) + skb->ip_summed = CHECKSUM_NONE; + } + return ret; } static inline int __skb_trim_rcsum(struct sk_buff *skb, unsigned int len)
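Review bot: in the new `if (!ret && (skb->ip_summed == CHECKSUM_PARTIAL))` branch of pskb_trim_rcsum(), resetting `skb->ip_summed = CHECKSUM_NONE` lets an skb whose checksum field now lies past the trimmed data continue through the stack as if nothing were wrong, even though the pending checksum was never written. A packet in that state is malformed input (the report has it coming from tun), so returning an error here, so that callers drop it, looks safer than silently clearing the mark; if clearing is intended, the commit message should say why that is safe for the paths that later rely on ip_summed. Two smaller points on the same lines: `offset` is an `int` but `offset + sizeof(__sum16)` is evaluated as an unsigned size before the comparison with skb_headlen(), so making `offset` unsigned or adding a comment on the negative case would make the intent explicit; and the check adds a branch to every inlined caller of pskb_trim_rcsum(), whereas placing it inside pskb_trim_rcsum_slow() would keep the inline wrapper unchanged. The description also speaks of trimming "below size of checksummed area" while the test is against the position of the 2-byte checksum field relative to the linear head, which is worth stating precisely.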