| Message ID | 20231202161441.221135-1-syoshida@redhat.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:bcd1:0:b0:403:3b70:6f57 with SMTP id r17csp1842949vqy;
Sat, 2 Dec 2023 08:15:10 -0800 (PST)
X-Google-Smtp-Source:
AGHT+IFt7gld5UK7P9hyjSLCEXkLofbk/Mv85vRoM+h1YrFcEYvxP4J6TnJzGdKLosF4lk9nlgZc
X-Received: by 2002:a17:90b:1b01:b0:286:65a2:a03d with SMTP id
nu1-20020a17090b1b0100b0028665a2a03dmr538711pjb.5.1701533709439;
Sat, 02 Dec 2023 08:15:09 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701533709; cv=none;
d=google.com; s=arc-20160816;
b=WmfMSx1z5Do4ntMRX+wJFNcpz393ySQiJOnzf3kVWFZIoeJ15LC+danm9MvN7h2Qu6
IA002VxKQ3xY3ma2T2UObt1I5wpkSOHF1KFoWJwjIuQXoWApyVtIbOHQFMDGH4prcXJe
8lrDke8gEV3P4DmwcUnSwerKELtEd67XvBS4DUX55NdQe40FBPxrpx/OoWVWpKJ/C7QP
o099uBTfm8ON3S4fGY8XOGQ5qN4qnAuk6xG5rcWgEhoNLWyVA9XoCRkv/6o4w/TS2ys1
0LDvSiCJhVhK6Xg1Bgp6LOQIcbM2xnAL3DWIjxY8/Svta+ZaVgJuEj7C85wpxSGfB0I9
EApw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=d20ZhiqnGqdkMktjpUNLxnQJIPIANFRSnbo7tB7yeNg=;
fh=J/bNmTXfPjKUKo64j2xQR++KqvFAj2d3s/6EsxFhJfY=;
b=ik+1KpMXi/p5HfNp70pbZGxYE5htWwu6lpVgFMjhjw38W0kVK0ASR2pflyCjOD5BYb
FcodVzfCCmzmSo8vodz+4edu0S1N3JYc5IcM2EUEw1P+7Wefb/1spscWvmrdJ8USSrYq
VN3zkn8ODV/aikGbpY6wO62AcZd3XemhFQXzDPd4E+XLt4FOXO87dyMBMD6CUji3jk2b
VnWc9Ic1Kv62Lmdr3ymk1otvT/pCjPU2oIR+jqEGWWwhLKyM72xBoLeR0S35uh3/zIDK
NDUOoi9Tl19t5uIUd9n1JErAyMx5tPCngnaEHvPFeitZ5x1JBzBHjSdfGATq/FXB2JGB
KYgw==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=CyQXXHDj;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:6 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from pete.vger.email (pete.vger.email. [2620:137:e000::3:6])
by mx.google.com with ESMTPS id
gd22-20020a17090b0fd600b002858f6b5e89si7162442pjb.185.2023.12.02.08.15.08
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sat, 02 Dec 2023 08:15:09 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:6 as permitted sender)
client-ip=2620:137:e000::3:6;
Authentication-Results: mx.google.com;
dkim=pass header.i=@redhat.com header.s=mimecast20190719
header.b=CyQXXHDj;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:6 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by pete.vger.email (Postfix) with ESMTP id C693D8022EAB;
Sat, 2 Dec 2023 08:15:02 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at pete.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233291AbjLBQOy (ORCPT <rfc822;pwkd43@gmail.com> + 99 others);
Sat, 2 Dec 2023 11:14:54 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57212 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229451AbjLBQOx (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Sat, 2 Dec 2023 11:14:53 -0500
Received: from us-smtp-delivery-124.mimecast.com
(us-smtp-delivery-124.mimecast.com [170.10.129.124])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8136FA2
for <linux-kernel@vger.kernel.org>;
Sat, 2 Dec 2023 08:14:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
s=mimecast20190719; t=1701533696;
h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
to:to:cc:cc:mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding;
bh=d20ZhiqnGqdkMktjpUNLxnQJIPIANFRSnbo7tB7yeNg=;
b=CyQXXHDjMRle7eh02tO4/Tdo+UVXgGzySfvCDTDEJSCeN4LHtts65xvgI+7JaagGK70iOo
vyn+XDIfYbfoe/aXVsRtyaPNhXcdkDH/T/vY+TSnGrXn6ycsFeN2J4KPfE/rJBiUkdYBnl
DtDbQHrfQOdFC+Mr+N96ECaaY/Xp8cM=
Received: from mail-pf1-f200.google.com (mail-pf1-f200.google.com
[209.85.210.200]) by relay.mimecast.com with ESMTP with STARTTLS
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id
us-mta-149-iUP55ek1MZ-Wq4EvSMfO1Q-1; Sat, 02 Dec 2023 11:14:54 -0500
X-MC-Unique: iUP55ek1MZ-Wq4EvSMfO1Q-1
Received: by mail-pf1-f200.google.com with SMTP id
d2e1a72fcca58-6c7c69e4367so3702110b3a.0
for <linux-kernel@vger.kernel.org>;
Sat, 02 Dec 2023 08:14:53 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1701533693; x=1702138493;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=d20ZhiqnGqdkMktjpUNLxnQJIPIANFRSnbo7tB7yeNg=;
b=C0fe/wMVWs9htC4cj+hwAp2m4nCteaA1BF7fGMMw2cjQ9SOvNPlGhKgGO03R2cPMAu
owWWj0oTK2Q/6wA7YnEu/y7pokprmgx3DxVoLmSozu2hdV2qIxjNiYjJetB5xjQQHQ9s
D3rBQUjdlcXiwPU/2qpkQDh/GiH5fq3kH7gJ9ekX3eC3g+DJtEj6baSpzlrnNygW2rvg
bZm7z3o2K3kK4yilCy119qTe5ACLgvdPXlOP5zpjyFFbxd36B9Vcp+jmjyk2rQAOFSB0
zJiYLeys3EaZ6/CqPZCqUCNYLZVGRjHofuqjEeubDmuH/IxahjNKxHv4PNvp6f7iVkzf
9f1Q==
X-Gm-Message-State: AOJu0YzAs8SGnhRFaRAFFRYwIWJ/JvOerlNRj919QVYLzg9YxXZ21m4O
nFTLYiXTLzjsx9ZDD7SJSRu8K7ZEQu6IdU767m3wL71PZW0V/X0PfmfRgKb0C/f6q1SZ1Tm5l7r
1rnjRZw4nmuGhjZmltf9ySXqL
X-Received: by 2002:a05:6a20:9191:b0:18f:97c:823e with SMTP id
v17-20020a056a20919100b0018f097c823emr624397pzd.72.1701533693139;
Sat, 02 Dec 2023 08:14:53 -0800 (PST)
X-Received: by 2002:a05:6a20:9191:b0:18f:97c:823e with SMTP id
v17-20020a056a20919100b0018f097c823emr624383pzd.72.1701533692823;
Sat, 02 Dec 2023 08:14:52 -0800 (PST)
Received: from kernel-devel.local ([240d:1a:c0d:9f00:245e:16ff:fe87:c960])
by smtp.gmail.com with ESMTPSA id
g34-20020a635662000000b005c19c586cb7sm4871533pgm.33.2023.12.02.08.14.50
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Sat, 02 Dec 2023 08:14:52 -0800 (PST)
From: Shigeru Yoshida <syoshida@redhat.com>
To: davem@davemloft.net, dsahern@kernel.org, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
Shigeru Yoshida <syoshida@redhat.com>
Subject: [PATCH net v2] ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
Date: Sun, 3 Dec 2023 01:14:41 +0900
Message-ID: <20231202161441.221135-1-syoshida@redhat.com>
X-Mailer: git-send-email 2.41.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=unavailable autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on pete.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (pete.vger.email [0.0.0.0]);
Sat, 02 Dec 2023 08:15:02 -0800 (PST)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1784187411097646326
X-GMAIL-MSGID: 1784187411097646326
|
| Series |
[net,v2] ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
|
|
Commit Message
Shigeru Yoshida
Dec. 2, 2023, 4:14 p.m. UTC
In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns
true. For example, applications can use PF_PACKET to create a malformed
packet with no IP header. This type of packet causes a problem such as
uninit-value access.
This patch ensures that skb_pull() can pull the required size by checking
the skb with pskb_network_may_pull() before skb_pull().
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
---
v1 -> v2:
- Change the title
- Update the code with Eric's suggestion
https://lore.kernel.org/all/20231126151652.372783-1-syoshida@redhat.com/
---
net/ipv4/ip_gre.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
Comments
Hi Shigeru, >diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index >22a26d1d29a0..5169c3c72cff 100644 >--- a/net/ipv4/ip_gre.c >+++ b/net/ipv4/ip_gre.c >@@ -635,15 +635,18 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, > } > > if (dev->header_ops) { >+ int pull_len = tunnel->hlen + sizeof(struct iphdr); >+ > if (skb_cow_head(skb, 0)) > goto free_skb; > > tnl_params = (const struct iphdr *)skb->data; > >- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing >- * to gre header. >- */ >- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); >+ if (!pskb_network_may_pull(skb, pull_len)) [Suman] Since this is transmit path, should we add unlikely() here? >+ goto free_skb; >+ >+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ >+ skb_pull(skb, pull_len); > skb_reset_mac_header(skb); > > if (skb->ip_summed == CHECKSUM_PARTIAL && >-- >2.41.0 >
On Sun, Dec 3, 2023 at 7:58 AM Suman Ghosh <sumang@marvell.com> wrote: > > Hi Shigeru, > > >diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index > >22a26d1d29a0..5169c3c72cff 100644 > >--- a/net/ipv4/ip_gre.c > >+++ b/net/ipv4/ip_gre.c > >@@ -635,15 +635,18 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, > > } > > > > if (dev->header_ops) { > >+ int pull_len = tunnel->hlen + sizeof(struct iphdr); > >+ > > if (skb_cow_head(skb, 0)) > > goto free_skb; > > > > tnl_params = (const struct iphdr *)skb->data; > > > >- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing > >- * to gre header. > >- */ > >- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); > >+ if (!pskb_network_may_pull(skb, pull_len)) > [Suman] Since this is transmit path, should we add unlikely() here? Adding unlikely() is not needed, it is already done generically from the inline helpers. Reviewed-by: Eric Dumazet <edumazet@google.com>
Hi Suman, On Sun, 3 Dec 2023 06:58:19 +0000, Suman Ghosh wrote: > Hi Shigeru, > >>diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index >>22a26d1d29a0..5169c3c72cff 100644 >>--- a/net/ipv4/ip_gre.c >>+++ b/net/ipv4/ip_gre.c >>@@ -635,15 +635,18 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, >> } >> >> if (dev->header_ops) { >>+ int pull_len = tunnel->hlen + sizeof(struct iphdr); >>+ >> if (skb_cow_head(skb, 0)) >> goto free_skb; >> >> tnl_params = (const struct iphdr *)skb->data; >> >>- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing >>- * to gre header. >>- */ >>- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); >>+ if (!pskb_network_may_pull(skb, pull_len)) > [Suman] Since this is transmit path, should we add unlikely() here? Thanks for your comment. I traced this function and found that pskb_may_pull_reason() seems to have appropriate likely() and unlikely() as Eric says. I'm new to Linux networking. Could you kindly explain the background of your suggestion? I understand that a transmit path must be as fast as possible, so we should use unlikely() for rare cases such like this error path. Am I correct? Thanks, Shigeru >>+ goto free_skb; >>+ >>+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ >>+ skb_pull(skb, pull_len); >> skb_reset_mac_header(skb); >> >> if (skb->ip_summed == CHECKSUM_PARTIAL && >>-- >>2.41.0 >> >
>>> } >>> >>> if (dev->header_ops) { >>>+ int pull_len = tunnel->hlen + sizeof(struct iphdr); >>>+ >>> if (skb_cow_head(skb, 0)) >>> goto free_skb; >>> >>> tnl_params = (const struct iphdr *)skb->data; >>> >>>- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing >>>- * to gre header. >>>- */ >>>- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); >>>+ if (!pskb_network_may_pull(skb, pull_len)) >> [Suman] Since this is transmit path, should we add unlikely() here? > >Thanks for your comment. > >I traced this function and found that pskb_may_pull_reason() seems to >have appropriate likely() and unlikely() as Eric says. > >I'm new to Linux networking. Could you kindly explain the background of >your suggestion? > >I understand that a transmit path must be as fast as possible, so we >should use unlikely() for rare cases such like this error path. Am I >correct? > >Thanks, >Shigeru [Suman] Yes. Likely()/unlikely() helps the compiler for branch prediction and we use it mostly on the data path. But I cross checked that this is static inline and the function pskb_may_pull() already have likely()/unlikely() in place. So, you can ignore my comment here. > >>>+ goto free_skb; >>>+ >>>+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ >>>+ skb_pull(skb, pull_len); >>> skb_reset_mac_header(skb); >>> >>> if (skb->ip_summed == CHECKSUM_PARTIAL && >>>-- >>>2.41.0 >>> >>
>In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() >returns true. For example, applications can use PF_PACKET to create a >malformed packet with no IP header. This type of packet causes a problem >such as uninit-value access. > >This patch ensures that skb_pull() can pull the required size by >checking the skb with pskb_network_may_pull() before skb_pull(). > >Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") >Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> >--- Reviewed-by: Suman Ghosh <sumang@marvell.com> >v1 -> v2: >- Change the title >- Update the code with Eric's suggestion >
On Sun, 3 Dec 2023 15:17:09 +0000, Suman Ghosh wrote: >>>> } >>>> >>>> if (dev->header_ops) { >>>>+ int pull_len = tunnel->hlen + sizeof(struct iphdr); >>>>+ >>>> if (skb_cow_head(skb, 0)) >>>> goto free_skb; >>>> >>>> tnl_params = (const struct iphdr *)skb->data; >>>> >>>>- /* Pull skb since ip_tunnel_xmit() needs skb->data pointing >>>>- * to gre header. >>>>- */ >>>>- skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); >>>>+ if (!pskb_network_may_pull(skb, pull_len)) >>> [Suman] Since this is transmit path, should we add unlikely() here? >> >>Thanks for your comment. >> >>I traced this function and found that pskb_may_pull_reason() seems to >>have appropriate likely() and unlikely() as Eric says. >> >>I'm new to Linux networking. Could you kindly explain the background of >>your suggestion? >> >>I understand that a transmit path must be as fast as possible, so we >>should use unlikely() for rare cases such like this error path. Am I >>correct? >> >>Thanks, >>Shigeru > [Suman] Yes. Likely()/unlikely() helps the compiler for branch prediction and we use it mostly on the data path. > But I cross checked that this is static inline and the function pskb_may_pull() already have likely()/unlikely() in place. > So, you can ignore my comment here. Thank you for your explanation. It is very informative. And thanks for the review as well. Shigeru >> >>>>+ goto free_skb; >>>>+ >>>>+ /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ >>>>+ skb_pull(skb, pull_len); >>>> skb_reset_mac_header(skb); >>>> >>>> if (skb->ip_summed == CHECKSUM_PARTIAL && >>>>-- >>>>2.41.0 >>>> >>> >
Hello: This patch was applied to netdev/net.git (main) by Paolo Abeni <pabeni@redhat.com>: On Sun, 3 Dec 2023 01:14:41 +0900 you wrote: > In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns > true. For example, applications can use PF_PACKET to create a malformed > packet with no IP header. This type of packet causes a problem such as > uninit-value access. > > This patch ensures that skb_pull() can pull the required size by checking > the skb with pskb_network_may_pull() before skb_pull(). > > [...] Here is the summary with links: - [net,v2] ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() https://git.kernel.org/netdev/net/c/80d875cfc9d3 You are awesome, thank you!
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 22a26d1d29a0..5169c3c72cff 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -635,15 +635,18 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb, } if (dev->header_ops) { + int pull_len = tunnel->hlen + sizeof(struct iphdr); + if (skb_cow_head(skb, 0)) goto free_skb; tnl_params = (const struct iphdr *)skb->data; - /* Pull skb since ip_tunnel_xmit() needs skb->data pointing - * to gre header. - */ - skb_pull(skb, tunnel->hlen + sizeof(struct iphdr)); + if (!pskb_network_may_pull(skb, pull_len)) + goto free_skb; + + /* ip_tunnel_xmit() needs skb->data pointing to gre header. */ + skb_pull(skb, pull_len); skb_reset_mac_header(skb); if (skb->ip_summed == CHECKSUM_PARTIAL &&