LKML Archive on lore.kernel.org
* Can a valid vnet header have both csum_start and csum_offset 0?
@ 2021-08-10 19:06 Shreyansh Chouhan
  2021-08-12  4:36 ` Shreyansh Chouhan
  0 siblings, 1 reply; 4+ messages in thread
From: Shreyansh Chouhan @ 2021-08-10 19:06 UTC (permalink / raw)
  To: davem, kuba, edumazet, willemb, xie.he.0141, gustavoars,
	wanghai38, tannerlove, eyal.birger, rsanger, jiapeng.chong
  Cc: netdev, linux-kernel

Hi,

When parsing the vnet header in __packet_snd_vnet_parse[1], we do not
check whether the values of csum_start and csum_offset given in the
header are both 0.

Having both these values 0, however, causes a crash[2] further down the
gre xmit code path. In the function ipgre_xmit, we pull the ip header
and gre header from skb->data; this results in an invalid
skb->csum_start which was calculated from the vnet header. The
skb->csum_start offset in this case turns out to be lower than
skb->transport_header. This causes us to pass a negative number as an
argument to csum_partial[3] and eventually to do_csum[4], which then causes
a kernel oops in the while loop.

I do not understand what the correct behavior should be in this
scenario: should we consider this vnet header as invalid? (Which I think
is the most likely solution, however I do not have experience with
networking.) Or should we rather accommodate both csum_start
and csum_offset values being 0 in ipgre_xmit?

Regards,
Shreyansh Chouhan

--

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/net/packet/af_packet.c#n2480
[2] https://syzkaller.appspot.com/bug?id=c391f74aac26dd8311c45743ae618f9d5e38b674
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/skbuff.h#n4662
[4] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/lib/csum-partial_64.c#n35

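The offset arithmetic the report describes, as an added user-space model (not the poster's code and not kernel code): struct and function names such as model_skb, model_gre_pull and model_csum_fields_valid are hypothetical stand-ins, the header sizes and packet bytes are constructed, and the check is one a transmit path could apply after pulling the outer headers, not the kernel's own. It shows how a vnet header with csum_start and csum_offset both 0 leaves csum_start before the transport header once the IPv4 and GRE headers are pulled, so that the length handed to a csum_partial-style helper goes negative, and how a bounds check run before the checksum rejects that packet while accepting a sane layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes of the two outer headers the GRE path pulls (constructed). */
#define IPV4_HDR_LEN 20
#define GRE_HDR_LEN   4
#define BUF_LEN      64

/* Hypothetical stand-in for the skb fields named in the report.
 * Every offset is counted from the start of buf (the kernel's skb->head). */
struct model_skb {
    uint8_t buf[BUF_LEN];
    size_t  data;              /* skb->data */
    size_t  tail;              /* one past the last valid byte */
    size_t  transport_header;  /* skb->transport_header */
    size_t  csum_start;        /* skb->csum_start */
    size_t  csum_offset;       /* skb->csum_offset */
    bool    csum_partial;      /* ip_summed == CHECKSUM_PARTIAL */
};

/* The two vnet header fields at issue (hypothetical, not virtio_net_hdr). */
struct model_vnet_hdr {
    uint16_t csum_start;   /* relative to the start of packet data */
    uint16_t csum_offset;  /* where the result goes, relative to csum_start */
};

/* Constructed packet: outer IPv4 + GRE headers first, then inner data. */
static void model_init(struct model_skb *skb)
{
    memset(skb, 0, sizeof(*skb));
    for (size_t i = 0; i < BUF_LEN; i++)
        skb->buf[i] = (uint8_t)i;   /* arbitrary but deterministic bytes */
    skb->tail = BUF_LEN;
}

/* Vnet parse step as the report describes it: the header values are
 * copied into the skb, and a 0/0 pair is accepted like any other. */
static void model_parse_vnet(struct model_skb *skb, const struct model_vnet_hdr *h)
{
    skb->csum_partial = true;
    skb->csum_start   = skb->data + h->csum_start;
    skb->csum_offset  = h->csum_offset;
}

/* The pull in the GRE xmit path: data moves past the outer IPv4 and GRE
 * headers and the transport header is reset to the new data position. */
static void model_gre_pull(struct model_skb *skb)
{
    skb->data += IPV4_HDR_LEN + GRE_HDR_LEN;
    skb->transport_header = skb->data;
}

/* Length an offload path would sum over (transport header up to csum_start).
 * Signed on purpose: with a 0/0 header this is negative, which is the value
 * the report says reaches csum_partial. */
static long model_outer_len(const struct model_skb *skb)
{
    return (long)skb->csum_start - (long)skb->transport_header;
}

/* Defensive check to run after the pull, before any checksum helper:
 * csum_start must not precede the transport header and the 16-bit result
 * slot at csum_start + csum_offset must lie inside the packet. */
static bool model_csum_fields_valid(const struct model_skb *skb)
{
    if (!skb->csum_partial)
        return true;
    if (skb->csum_start < skb->transport_header)
        return false;
    if (skb->csum_start + skb->csum_offset + sizeof(uint16_t) > skb->tail)
        return false;
    return true;
}

/* One's-complement checksum of [transport_header, csum_start); a simple
 * stand-in for csum_partial, only ever called on a validated range. */
static uint16_t model_outer_csum(const struct model_skb *skb)
{
    const uint8_t *p = skb->buf + skb->transport_header;
    size_t n = skb->csum_start - skb->transport_header;
    uint32_t sum = 0;

    for (size_t i = 0; i + 1 < n; i += 2)
        sum += (uint32_t)((p[i] << 8) | p[i + 1]);
    if (n & 1)
        sum += (uint32_t)(p[n - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Run the scenario for one vnet header: stores the signed length the
 * unchecked path would use in *outer_len and returns the checksum, or -1
 * when the check rejects the packet. */
static int model_xmit(uint16_t csum_start, uint16_t csum_offset, long *outer_len)
{
    struct model_skb skb;
    struct model_vnet_hdr h = { csum_start, csum_offset };

    model_init(&skb);
    model_parse_vnet(&skb, &h);
    model_gre_pull(&skb);
    *outer_len = model_outer_len(&skb);
    return model_csum_fields_valid(&skb) ? model_outer_csum(&skb) : -1;
}

int main(void)
{
    long len;
    int r = model_xmit(0, 0, &len);   /* the header from the report */
    printf("csum_start=0 csum_offset=0: outer len %ld -> %s\n", len, r < 0 ? "rejected" : "ok");
    r = model_xmit(40, 16, &len);     /* a sane inner-header layout */
    printf("csum_start=40 csum_offset=16: outer len %ld -> csum 0x%04x\n", len, r);
    return 0;
}
```

The sign of model_outer_len is the whole story: a 0/0 header puts csum_start 24 bytes before the pulled transport header, and nothing in the parse step objects. Rejecting the packet at the point where the offsets are compared (rather than tolerating 0/0 inside the GRE path) keeps the checksum helper from ever seeing a negative length, whichever of the two options in the post is chosen.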

Thread overview: 4+ messages
2021-08-10 19:06 Can a valid vnet header have both csum_start and csum_offset 0? Shreyansh Chouhan
2021-08-12  4:36 ` Shreyansh Chouhan
2021-08-16 15:17   ` Willem de Bruijn
2021-08-18  5:12     ` Shreyansh Chouhan
