From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Maxim Mikityanskiy <maximmi@nvidia.com>, Florian Westphal <fw@strlen.de>
Cc: Young Xiao <92siuyang@gmail.com>,
netdev@vger.kernel.org,
Mat Martineau <mathew.j.martineau@linux.intel.com>,
Matthieu Baerts <matthieu.baerts@tessares.net>,
Jakub Kicinski <kuba@kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Cong Wang <xiyou.wangcong@gmail.com>,
Jiri Pirko <jiri@resnulli.us>, Patrick McHardy <kaber@trash.net>,
Jesper Dangaard Brouer <brouer@redhat.com>,
Paolo Abeni <pabeni@redhat.com>,
Christoph Paasch <cpaasch@apple.com>,
Peter Krystad <peter.krystad@linux.intel.com>
Subject: Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
Date: Thu, 10 Jun 2021 16:33:22 +0200 [thread overview]
Message-ID: <87a6nxvlfx.fsf@toke.dk> (raw)
In-Reply-To: <cddbb9c5-58d2-64c4-f77b-9991ec977dc3@nvidia.com>
Maxim Mikityanskiy <maximmi@nvidia.com> writes:
> On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:
>> Maxim Mikityanskiy <maximmi@nvidia.com> writes:
>>
>>> The TCP option parser in cake qdisc (cake_get_tcpopt and
>>> cake_tcph_may_drop) could read one byte out of bounds. When the length
>>> is 1, the execution flow gets into the loop, reads one byte of the
>>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
>>> one more byte, which exceeds the length of 1.
>>>
>>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
>>> out of bounds when parsing TCP options.").
>>>
>>> Cc: Young Xiao <92siuyang@gmail.com>
>>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
>>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>>
>> Thanks for fixing this!
>>
>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>
>
> Could you also review whether Florian's comment on patch 1 is relevant
> to this patch too? I have concerns about cake_get_tcphdr, which returns
> `skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize),
> buf)`. Although I don't see a way for it to get out of bounds (it will
> read garbage instead of TCP header in the worst case), such code doesn't
> look robust.
>
> It's not possible for it to get out of bounds, because there is a call
> to skb_header_pointer above with sizeof(_tcph), which ensures that the
> SKB has at least 20 bytes after the beginning of the TCP header, which
> means that the second skb_header_pointer will either point to SKB (where
> we have at least 20 bytes) or to buf (which is allocated by the caller,
> so the caller shouldn't overflow its own buffer).
>
> On the other hand, parsing garbage doesn't look like a valid behavior
> compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we
> may want to handle it, for example:
>
> return skb_header_pointer(skb, offset,
> - min(__tcp_hdrlen(tcph), bufsize), buf);
> + min(max(sizeof(struct tcphdr),
> __tcp_hdrlen(tcph)), bufsize), buf);
>
> What do you think? Or did I just miss some early check for doff?
No, I think your analysis is correct: It won't lead to any out-of-bounds
reads, but I suppose we could end up trying to parse garbage. However,
if we do get a packet that sets doff to an invalid value, and we try to
parse it, we're essentially parsing garbage anyway. So I think the fix
should rather be something like:
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 7d37638ee1c7..d312d75ab698 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
}
tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
- if (!tcph)
+ if (!tcph || tcph->doff < 5)
return NULL;
return skb_header_pointer(skb, offset,
> (I realize it's egress path and the packets produced by the system
> itself are unlikely to have bad doff, but it's not impossible, for
> example, with AF_PACKET, BPF hooks in tc, etc.)
Most CAKE deployments primarily handles forwarded packets, and I suppose
malformed TCP packets could make it through the forwarding path as
well...
-Toke
prev parent reply other threads:[~2021-06-10 14:33 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:51 ` Florian Westphal
2021-06-10 7:05 ` Maxim Mikityanskiy
2021-06-10 8:56 ` Florian Westphal
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-10 0:07 ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2021-06-09 21:51 ` Toke Høiland-Jørgensen
2021-06-10 11:19 ` Maxim Mikityanskiy
2021-06-10 14:33 ` Toke Høiland-Jørgensen [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a6nxvlfx.fsf@toke.dk \
--to=toke@toke.dk \
--cc=92siuyang@gmail.com \
--cc=brouer@redhat.com \
--cc=cpaasch@apple.com \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=jhs@mojatatu.com \
--cc=jiri@resnulli.us \
--cc=kaber@trash.net \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=mathew.j.martineau@linux.intel.com \
--cc=matthieu.baerts@tessares.net \
--cc=maximmi@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=peter.krystad@linux.intel.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.