udp: fix out-of-bound at segmentation time
In the following scenario:

GRO -> SKB_GSO_FRAGLIST aggregation -> forward -> xmit over UDP tunnel -> segmentation

__udp_gso_segment_list() will take place and later skb_udp_tunnel_segment() will try to make the segmented packets outer UDP header checksum via gso_make_checksum().

The latter expects valid SKB_GSO_CB(skb)->csum and SKB_GSO_CB(skb)->csum_start, but such fields are not initialized by __udp_gso_segment_list().

gso_make_checksum() will end up using a negative offset and that will trigger the following splat:

==================================================================
BUG: KASAN: slab-out-of-bounds in do_csum+0x3d8/0x400
Read of size 1 at addr ffff888113ab5880 by task napi/br_port-81/1105

CPU: 1 PID: 1105 Comm: napi/br_port-81 Not tainted 5.12.0-rc2.mptcp_autotune_ce84e1323bebe+ torvalds#268
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Call Trace:
 dump_stack+0xfa/0x151
 print_address_description.constprop.0+0x16/0xa0
 __kasan_report.cold+0x37/0x80
 kasan_report+0x3a/0x50
 do_csum+0x3d8/0x400
 csum_partial+0x21/0x30
 __skb_udp_tunnel_segment+0xd79/0x1ae0
 skb_udp_tunnel_segment+0x233/0x460
 udp4_ufo_fragment+0x50d/0x720
 inet_gso_segment+0x525/0x1120
 skb_mac_gso_segment+0x278/0x570

__udp_gso_segment_list() already has all the relevant data handy, fix the issue traversing the segments list and updating the GSO CB, if this is a tunnel GSO packet.

The issue is present since SKB_GSO_FRAGLIST introduction, but is observable only since commit 18f25dc ("udp: skip L4 aggregation for UDP tunnel packets")

Fixes: 18f25dc ("udp: skip L4 aggregation for UDP tunnel packets")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
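The negative offset described in the commit message, as an added userspace model that is not part of the commit or the kernel source. Only the field names csum and csum_start come from the message; the struct layout, the helper names, the sample offsets and the values written by the init step are assumptions.

```c
#include <stddef.h>

/* Userspace model, not kernel code: layout and helpers are assumptions. */
struct gso_cb { int csum_start; unsigned int csum; };

struct seg {
    int outer_udp_off;  /* offset of the outer UDP header from buffer head */
    int inner_l4_off;   /* offset of the inner transport header */
    int len;            /* valid bytes in the buffer */
    struct gso_cb cb;   /* per-segment control block */
    struct seg *next;
};

/* Span a checksum helper would read: from the outer UDP header up to
 * cb.csum_start. A csum_start that was never set makes it negative. */
static int csum_span(const struct seg *s)
{
    return s->cb.csum_start - s->outer_udp_off;
}

/* Defensive check: span is non-negative and stays inside the buffer. */
static int span_is_safe(const struct seg *s)
{
    int span = csum_span(s);
    return span >= 0 && s->outer_udp_off + span <= s->len;
}

/* Model of the fix: walk the segment list and fill every control block
 * before tunnel checksumming runs. Returns the number of segments. */
static int init_gso_cb(struct seg *list)
{
    int n = 0;
    for (struct seg *s = list; s != NULL; s = s->next, n++) {
        s->cb.csum_start = s->inner_l4_off;
        s->cb.csum = 0; /* this model tracks offsets only, not the sum */
    }
    return n;
}

/* Constructed sample: two segments whose control blocks were never set. */
static struct seg *sample_list(void)
{
    static struct seg b = { 34, 84, 1500, { 0, 0 }, NULL };
    static struct seg a = { 34, 84, 1500, { 0, 0 }, &b };
    a.cb.csum_start = b.cb.csum_start = 0;
    return &a;
}
```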