* [PATCH net 0/3] Fix out of bounds when parsing TCP options
@ 2021-06-09 14:22 Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw)
To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Cc: Young Xiao, netdev, Maxim Mikityanskiy
This series fixes out-of-bounds access in various places in the kernel
where parsing of TCP options takes place. Fortunately, many more
occurrences don't have this bug.
Maxim Mikityanskiy (3):
netfilter: synproxy: Fix out of bounds when parsing TCP options
mptcp: Fix out of bounds when parsing TCP options
sch_cake: Fix out of bounds when parsing TCP options
net/mptcp/options.c | 2 ++
net/netfilter/nf_synproxy_core.c | 2 ++
net/sched/sch_cake.c | 4 ++++
3 files changed, 8 insertions(+)
--
2.25.1
^ permalink raw reply [flat|nested] 11+ messages in thread
* [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
@ 2021-06-09 14:22 ` Maxim Mikityanskiy
2021-06-09 14:51 ` Florian Westphal
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2 siblings, 1 reply; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw)
To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Cc: Young Xiao, netdev, Maxim Mikityanskiy
The TCP option parser in synproxy (synproxy_parse_options) could read
one byte out of bounds. When the length is 1, the execution flow gets
into the loop, reads one byte of the opcode, and if the opcode is
neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
the length of 1.
This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").
Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
---
net/netfilter/nf_synproxy_core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index b100c04a0e43..621eb5ef9727 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
length--;
continue;
default:
+ if (length < 2)
+ return true;
opsize = *ptr++;
if (opsize < 2)
return true;
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH net 2/3] mptcp: Fix out of bounds when parsing TCP options
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
@ 2021-06-09 14:22 ` Maxim Mikityanskiy
2021-06-10 0:07 ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2 siblings, 1 reply; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw)
To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Cc: Young Xiao, netdev, Maxim Mikityanskiy
The TCP option parser in mptcp (mptcp_get_options) could read one byte
out of bounds. When the length is 1, the execution flow gets into the
loop, reads one byte of the opcode, and if the opcode is neither
TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the
length of 1.
This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").
Cc: Young Xiao <92siuyang@gmail.com>
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
---
net/mptcp/options.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/mptcp/options.c b/net/mptcp/options.c
index 6b825fb3fa83..9b263f27ce9b 100644
--- a/net/mptcp/options.c
+++ b/net/mptcp/options.c
@@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb,
length--;
continue;
default:
+ if (length < 2)
+ return;
opsize = *ptr++;
if (opsize < 2) /* "silly options" */
return;
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
@ 2021-06-09 14:22 ` Maxim Mikityanskiy
2021-06-09 21:51 ` Toke Høiland-Jørgensen
2 siblings, 1 reply; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-09 14:22 UTC (permalink / raw)
To: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Cc: Young Xiao, netdev, Maxim Mikityanskiy
The TCP option parser in cake qdisc (cake_get_tcpopt and
cake_tcph_may_drop) could read one byte out of bounds. When the length
is 1, the execution flow gets into the loop, reads one byte of the
opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
one more byte, which exceeds the length of 1.
This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
out of bounds when parsing TCP options.").
Cc: Young Xiao <92siuyang@gmail.com>
Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
---
net/sched/sch_cake.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 7d37638ee1c7..6b03eebf0a78 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -967,6 +967,8 @@ static const void *cake_get_tcpopt(const struct tcphdr *tcph,
length--;
continue;
}
+ if (length < 2)
+ break;
opsize = *ptr++;
if (opsize < 2 || opsize > length)
break;
@@ -1104,6 +1106,8 @@ static bool cake_tcph_may_drop(const struct tcphdr *tcph,
length--;
continue;
}
+ if (length < 2)
+ break;
opsize = *ptr++;
if (opsize < 2 || opsize > length)
break;
--
2.25.1
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
@ 2021-06-09 14:51 ` Florian Westphal
2021-06-10 7:05 ` Maxim Mikityanskiy
0 siblings, 1 reply; 11+ messages in thread
From: Florian Westphal @ 2021-06-09 14:51 UTC (permalink / raw)
To: Maxim Mikityanskiy
Cc: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad, Young Xiao, netdev
Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> The TCP option parser in synproxy (synproxy_parse_options) could read
> one byte out of bounds. When the length is 1, the execution flow gets
> into the loop, reads one byte of the opcode, and if the opcode is
> neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
> the length of 1.
>
> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> out of bounds when parsing TCP options.").
>
> Cc: Young Xiao <92siuyang@gmail.com>
> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> ---
> net/netfilter/nf_synproxy_core.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> index b100c04a0e43..621eb5ef9727 100644
> --- a/net/netfilter/nf_synproxy_core.c
> +++ b/net/netfilter/nf_synproxy_core.c
> @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
> length--;
> continue;
> default:
> + if (length < 2)
> + return true;
Would you mind a v2 that also rejects bogus th->doff value when
computing the length?
Thanks.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
@ 2021-06-09 21:51 ` Toke Høiland-Jørgensen
2021-06-10 11:19 ` Maxim Mikityanskiy
0 siblings, 1 reply; 11+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-06-09 21:51 UTC (permalink / raw)
To: Maxim Mikityanskiy, Mat Martineau, Matthieu Baerts,
Jakub Kicinski, David S. Miller, Pablo Neira Ayuso,
Jozsef Kadlecsik, Florian Westphal, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Cc: Young Xiao, netdev, Maxim Mikityanskiy
Maxim Mikityanskiy <maximmi@nvidia.com> writes:
> The TCP option parser in cake qdisc (cake_get_tcpopt and
> cake_tcph_may_drop) could read one byte out of bounds. When the length
> is 1, the execution flow gets into the loop, reads one byte of the
> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
> one more byte, which exceeds the length of 1.
>
> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> out of bounds when parsing TCP options.").
>
> Cc: Young Xiao <92siuyang@gmail.com>
> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Thanks for fixing this!
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 2/3] mptcp: Fix out of bounds when parsing TCP options
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
@ 2021-06-10 0:07 ` Mat Martineau
0 siblings, 0 replies; 11+ messages in thread
From: Mat Martineau @ 2021-06-10 0:07 UTC (permalink / raw)
To: Maxim Mikityanskiy
Cc: Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad, Young Xiao, netdev
On Wed, 9 Jun 2021, Maxim Mikityanskiy wrote:
> The TCP option parser in mptcp (mptcp_get_options) could read one byte
> out of bounds. When the length is 1, the execution flow gets into the
> loop, reads one byte of the opcode, and if the opcode is neither
> TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds the
> length of 1.
>
> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> out of bounds when parsing TCP options.").
>
> Cc: Young Xiao <92siuyang@gmail.com>
> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> ---
> net/mptcp/options.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/mptcp/options.c b/net/mptcp/options.c
> index 6b825fb3fa83..9b263f27ce9b 100644
> --- a/net/mptcp/options.c
> +++ b/net/mptcp/options.c
> @@ -356,6 +356,8 @@ void mptcp_get_options(const struct sk_buff *skb,
> length--;
> continue;
> default:
> + if (length < 2)
> + return;
> opsize = *ptr++;
> if (opsize < 2) /* "silly options" */
> return;
> --
> 2.25.1
Florian's comment on patch 1 prompted me to double-check th->doff
validation, and for MPTCP we're covered by the check in tcp_v4_rcv(). So
this patch looks good:
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
If you send a v2 series, please also cc: mptcp@lists.linux.dev
Thanks!
--
Mat Martineau
Intel
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
2021-06-09 14:51 ` Florian Westphal
@ 2021-06-10 7:05 ` Maxim Mikityanskiy
2021-06-10 8:56 ` Florian Westphal
0 siblings, 1 reply; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-10 7:05 UTC (permalink / raw)
To: Florian Westphal
Cc: Mat Martineau, Matthieu Baerts, Jakub Kicinski, David S. Miller,
Pablo Neira Ayuso, Jozsef Kadlecsik,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad, Young Xiao, netdev
On 2021-06-09 17:51, Florian Westphal wrote:
> Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
>> The TCP option parser in synproxy (synproxy_parse_options) could read
>> one byte out of bounds. When the length is 1, the execution flow gets
>> into the loop, reads one byte of the opcode, and if the opcode is
>> neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
>> the length of 1.
>>
>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
>> out of bounds when parsing TCP options.").
>>
>> Cc: Young Xiao <92siuyang@gmail.com>
>> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>> ---
>> net/netfilter/nf_synproxy_core.c | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
>> index b100c04a0e43..621eb5ef9727 100644
>> --- a/net/netfilter/nf_synproxy_core.c
>> +++ b/net/netfilter/nf_synproxy_core.c
>> @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
>> length--;
>> continue;
>> default:
>> + if (length < 2)
>> + return true;
>
> Would you mind a v2 that also rejects bogus th->doff value when
> computing the length?
Could you elaborate? The length is a signed int calculated as `(th->doff
* 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length,
so we never enter the loop. Or are you concerned of passing a negative
length to skb_header_pointer?
>
> Thanks.
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options
2021-06-10 7:05 ` Maxim Mikityanskiy
@ 2021-06-10 8:56 ` Florian Westphal
0 siblings, 0 replies; 11+ messages in thread
From: Florian Westphal @ 2021-06-10 8:56 UTC (permalink / raw)
To: Maxim Mikityanskiy
Cc: Florian Westphal, Mat Martineau, Matthieu Baerts, Jakub Kicinski,
David S. Miller, Pablo Neira Ayuso, Jozsef Kadlecsik,
Toke Høiland-Jørgensen, Jamal Hadi Salim, Cong Wang,
Jiri Pirko, Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad, Young Xiao, netdev
Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> On 2021-06-09 17:51, Florian Westphal wrote:
> > Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> > > The TCP option parser in synproxy (synproxy_parse_options) could read
> > > one byte out of bounds. When the length is 1, the execution flow gets
> > > into the loop, reads one byte of the opcode, and if the opcode is
> > > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
> > > the length of 1.
> > >
> > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> > > out of bounds when parsing TCP options.").
> > >
> > > Cc: Young Xiao <92siuyang@gmail.com>
> > > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> > > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> > > ---
> > > net/netfilter/nf_synproxy_core.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> > > index b100c04a0e43..621eb5ef9727 100644
> > > --- a/net/netfilter/nf_synproxy_core.c
> > > +++ b/net/netfilter/nf_synproxy_core.c
> > > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
> > > length--;
> > > continue;
> > > default:
> > > + if (length < 2)
> > > + return true;
> >
> > Would you mind a v2 that also rejects bogus th->doff value when
> > computing the length?
>
> Could you elaborate? The length is a signed int calculated as `(th->doff *
> 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we
> never enter the loop. Or are you concerned of passing a negative length to
> skb_header_pointer?
Yes, negative length to skb_header_pointer. For other usage (mptcp for
example) tcp stack validated th->doff already, but thats not the case for synproxy.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
2021-06-09 21:51 ` Toke Høiland-Jørgensen
@ 2021-06-10 11:19 ` Maxim Mikityanskiy
2021-06-10 14:33 ` Toke Høiland-Jørgensen
0 siblings, 1 reply; 11+ messages in thread
From: Maxim Mikityanskiy @ 2021-06-10 11:19 UTC (permalink / raw)
To: Toke Høiland-Jørgensen, Florian Westphal
Cc: Young Xiao, netdev, Mat Martineau, Matthieu Baerts,
Jakub Kicinski, David S. Miller, Pablo Neira Ayuso,
Jozsef Kadlecsik, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:
> Maxim Mikityanskiy <maximmi@nvidia.com> writes:
>
>> The TCP option parser in cake qdisc (cake_get_tcpopt and
>> cake_tcph_may_drop) could read one byte out of bounds. When the length
>> is 1, the execution flow gets into the loop, reads one byte of the
>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
>> one more byte, which exceeds the length of 1.
>>
>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
>> out of bounds when parsing TCP options.").
>>
>> Cc: Young Xiao <92siuyang@gmail.com>
>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>
> Thanks for fixing this!
>
> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>
Could you also review whether Florian's comment on patch 1 is relevant
to this patch too? I have concerns about cake_get_tcphdr, which returns
`skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize),
buf)`. Although I don't see a way for it to get out of bounds (it will
read garbage instead of TCP header in the worst case), such code doesn't
look robust.
It's not possible for it to get out of bounds, because there is a call
to skb_header_pointer above with sizeof(_tcph), which ensures that the
SKB has at least 20 bytes after the beginning of the TCP header, which
means that the second skb_header_pointer will either point to SKB (where
we have at least 20 bytes) or to buf (which is allocated by the caller,
so the caller shouldn't overflow its own buffer).
On the other hand, parsing garbage doesn't look like a valid behavior
compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we
may want to handle it, for example:
return skb_header_pointer(skb, offset,
- min(__tcp_hdrlen(tcph), bufsize), buf);
+ min(max(sizeof(struct tcphdr),
__tcp_hdrlen(tcph)), bufsize), buf);
What do you think? Or did I just miss some early check for doff?
(I realize it's egress path and the packets produced by the system
itself are unlikely to have bad doff, but it's not impossible, for
example, with AF_PACKET, BPF hooks in tc, etc.)
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH net 3/3] sch_cake: Fix out of bounds when parsing TCP options
2021-06-10 11:19 ` Maxim Mikityanskiy
@ 2021-06-10 14:33 ` Toke Høiland-Jørgensen
0 siblings, 0 replies; 11+ messages in thread
From: Toke Høiland-Jørgensen @ 2021-06-10 14:33 UTC (permalink / raw)
To: Maxim Mikityanskiy, Florian Westphal
Cc: Young Xiao, netdev, Mat Martineau, Matthieu Baerts,
Jakub Kicinski, David S. Miller, Pablo Neira Ayuso,
Jozsef Kadlecsik, Jamal Hadi Salim, Cong Wang, Jiri Pirko,
Patrick McHardy, Jesper Dangaard Brouer, Paolo Abeni,
Christoph Paasch, Peter Krystad
Maxim Mikityanskiy <maximmi@nvidia.com> writes:
> On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:
>> Maxim Mikityanskiy <maximmi@nvidia.com> writes:
>>
>>> The TCP option parser in cake qdisc (cake_get_tcpopt and
>>> cake_tcph_may_drop) could read one byte out of bounds. When the length
>>> is 1, the execution flow gets into the loop, reads one byte of the
>>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
>>> one more byte, which exceeds the length of 1.
>>>
>>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
>>> out of bounds when parsing TCP options.").
>>>
>>> Cc: Young Xiao <92siuyang@gmail.com>
>>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
>>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
>>
>> Thanks for fixing this!
>>
>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
>>
>
> Could you also review whether Florian's comment on patch 1 is relevant
> to this patch too? I have concerns about cake_get_tcphdr, which returns
> `skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize),
> buf)`. Although I don't see a way for it to get out of bounds (it will
> read garbage instead of TCP header in the worst case), such code doesn't
> look robust.
>
> It's not possible for it to get out of bounds, because there is a call
> to skb_header_pointer above with sizeof(_tcph), which ensures that the
> SKB has at least 20 bytes after the beginning of the TCP header, which
> means that the second skb_header_pointer will either point to SKB (where
> we have at least 20 bytes) or to buf (which is allocated by the caller,
> so the caller shouldn't overflow its own buffer).
>
> On the other hand, parsing garbage doesn't look like a valid behavior
> compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we
> may want to handle it, for example:
>
> return skb_header_pointer(skb, offset,
> - min(__tcp_hdrlen(tcph), bufsize), buf);
> + min(max(sizeof(struct tcphdr),
> __tcp_hdrlen(tcph)), bufsize), buf);
>
> What do you think? Or did I just miss some early check for doff?
No, I think your analysis is correct: It won't lead to any out-of-bounds
reads, but I suppose we could end up trying to parse garbage. However,
if we do get a packet that sets doff to an invalid value, and we try to
parse it, we're essentially parsing garbage anyway. So I think the fix
should rather be something like:
diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 7d37638ee1c7..d312d75ab698 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
}
tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
- if (!tcph)
+ if (!tcph || tcph->doff < 5)
return NULL;
return skb_header_pointer(skb, offset,
> (I realize it's egress path and the packets produced by the system
> itself are unlikely to have bad doff, but it's not impossible, for
> example, with AF_PACKET, BPF hooks in tc, etc.)
Most CAKE deployments primarily handles forwarded packets, and I suppose
malformed TCP packets could make it through the forwarding path as
well...
-Toke
^ permalink raw reply related [flat|nested] 11+ messages in thread
end of thread, other threads:[~2021-06-10 14:33 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-09 14:22 [PATCH net 0/3] Fix out of bounds when parsing TCP options Maxim Mikityanskiy
2021-06-09 14:22 ` [PATCH net 1/3] netfilter: synproxy: " Maxim Mikityanskiy
2021-06-09 14:51 ` Florian Westphal
2021-06-10 7:05 ` Maxim Mikityanskiy
2021-06-10 8:56 ` Florian Westphal
2021-06-09 14:22 ` [PATCH net 2/3] mptcp: " Maxim Mikityanskiy
2021-06-10 0:07 ` Mat Martineau
2021-06-09 14:22 ` [PATCH net 3/3] sch_cake: " Maxim Mikityanskiy
2021-06-09 21:51 ` Toke Høiland-Jørgensen
2021-06-10 11:19 ` Maxim Mikityanskiy
2021-06-10 14:33 ` Toke Høiland-Jørgensen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.