[net,2/2] net/sched: sch_frag: fix stack OOB read while fragmenting IPv4 packets

Commit Message

Davide Caratti April 19, 2021, 3:23 p.m. UTC

when 'act_mirred' tries to fragment IPv4 packets that had been previously
re-assembled using 'act_ct', splats like the following can be observed on
kernels built with KASAN:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888147009574 by task ping/947

 CPU: 0 PID: 947 Comm: ping Not tainted 5.12.0-rc6+ #418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  <IRQ>
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  sch_fragment+0x4bf/0xe40
  tcf_mirred_act+0xc3d/0x11a0 [act_mirred]
  tcf_action_exec+0x104/0x3e0
  fl_classify+0x49a/0x5e0 [cls_flower]
  tcf_classify_ingress+0x18a/0x820
  __netif_receive_skb_core+0xae7/0x3340
  __netif_receive_skb_one_core+0xb6/0x1b0
  process_backlog+0x1ef/0x6c0
  __napi_poll+0xaa/0x500
  net_rx_action+0x702/0xac0
  __do_softirq+0x1e4/0x97f
  do_softirq+0x71/0x90
  </IRQ>
  __local_bh_enable_ip+0xdb/0xf0
  ip_finish_output2+0x760/0x2120
  ip_do_fragment+0x15a5/0x1f60
  __ip_finish_output+0x4c2/0xea0
  ip_output+0x1ca/0x4d0
  ip_send_skb+0x37/0xa0
  raw_sendmsg+0x1c4b/0x2d00
  sock_sendmsg+0xdb/0x110
  __sys_sendto+0x1d7/0x2b0
  __x64_sys_sendto+0xdd/0x1b0
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f82e13853eb
 Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89
 RSP: 002b:00007ffe01fad888 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
 RAX: ffffffffffffffda RBX: 00005571aac13700 RCX: 00007f82e13853eb
 RDX: 0000000000002330 RSI: 00005571aac13700 RDI: 0000000000000003
 RBP: 0000000000002330 R08: 00005571aac10500 R09: 0000000000000010
 R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe01faefb0
 R13: 00007ffe01fad890 R14: 00007ffe01fad980 R15: 00005571aac0f0a0

 The buggy address belongs to the page:
 page:000000001dff2e03 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x147009
 flags: 0x17ffffc0001000(reserved)
 raw: 0017ffffc0001000 ffffea00051c0248 ffffea00051c0248 0000000000000000
 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff888147009400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009480: f1 f1 f1 f1 04 f2 f2 f2 f2 f2 f2 f2 00 00 00 00
 >ffff888147009500: 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 f2
                                                              ^
  ffff888147009580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888147009600: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2

for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,
in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as pointer to struct rtable: this
turns the access to struct members like rt_mtu_locked into an OOB read in
the stack. Fix this changing the temporary variable used for IPv4 packets
in sch_fragment(), similarly to what is done for IPv6 few lines below.

Fixes: c129412f74e9 ("net/sched: sch_frag: add generic packet fragment support.")
Cc: <stable@vger.kernel.org> # 5.11
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
 net/sched/sch_frag.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Marcelo Ricardo Leitner April 19, 2021, 5:38 p.m. UTC | #1

On Mon, Apr 19, 2021 at 05:23:44PM +0200, Davide Caratti wrote:
> when 'act_mirred' tries to fragment IPv4 packets that had been previously
> re-assembled using 'act_ct', splats like the following can be observed on
> kernels built with KASAN:

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Cong Wang April 19, 2021, 6:46 p.m. UTC | #2

On Mon, Apr 19, 2021 at 8:24 AM Davide Caratti <dcaratti@redhat.com> wrote:
> diff --git a/net/sched/sch_frag.c b/net/sched/sch_frag.c
> index e1e77d3fb6c0..8c06381391d6 100644
> --- a/net/sched/sch_frag.c
> +++ b/net/sched/sch_frag.c
> @@ -90,16 +90,16 @@ static int sch_fragment(struct net *net, struct sk_buff *skb,
>         }
>
>         if (skb_protocol(skb, true) == htons(ETH_P_IP)) {
> -               struct dst_entry sch_frag_dst;
> +               struct rtable sch_frag_rt = { 0 };

Is setting these fields 0 sufficient here? Because normally a struct table
is initialized by rt_dst_alloc() which sets several of them to non-zero,
notably, rt->rt_type and rt->rt_uncached.

Similar for the IPv6 part, which is initialized by rt6_info_init().

Thanks.

Davide Caratti April 20, 2021, 8:59 a.m. UTC | #3

hello Cong, thanks for looking at this!

On Mon, 2021-04-19 at 11:46 -0700, Cong Wang wrote:
> On Mon, Apr 19, 2021 at 8:24 AM Davide Caratti <dcaratti@redhat.com> wrote:
> > diff --git a/net/sched/sch_frag.c b/net/sched/sch_frag.c
> > index e1e77d3fb6c0..8c06381391d6 100644
> > --- a/net/sched/sch_frag.c
> > +++ b/net/sched/sch_frag.c
> > @@ -90,16 +90,16 @@ static int sch_fragment(struct net *net, struct sk_buff *skb,
> >         }
> > 
> >         if (skb_protocol(skb, true) == htons(ETH_P_IP)) {
> > -               struct dst_entry sch_frag_dst;
> > +               struct rtable sch_frag_rt = { 0 };
> 
> Is setting these fields 0 sufficient here? Because normally a struct table
> is initialized by rt_dst_alloc() which sets several of them to non-zero,
> notably, rt->rt_type and rt->rt_uncached.
> 
> Similar for the IPv6 part, which is initialized by rt6_info_init().

for what we do now in openvswitch and sch_frag, that should be
sufficient: a similar thing is done by br_netfilter [1], apparently for
the same "refragmentation" purposes. On a fedora host (running 5.10, but
it shouldn't be much different than current Linux), I just dumped
'fake_rtable' from a bridge device:

# ip link add name test-br0 type bridge
# ip link set dev test-br0 up
# ip link add name test-port0 type dummy
# ip link set dev test-port0 master test-br0 up
# crash 
[...]
crash> net                                                             
   NET_DEVICE     NAME   IP ADDRESS(ES)
[...]
ffff89fb44ed8000  test-br0
ffff89fbfc45c000  test-port0
crash> p sizeof(struct net_device)
$12 = 3200
crash> p ((struct net_bridge*)(0xffff89fb44ed8000 + 3200))->fake_rtable
$13 = {
  dst = {
    dev = 0xffff89fb44ed8000, 
    ops = 0xffffffffc0afef40, 
    _metrics = 18446744072647256257, 
    expires = 0, 
    xfrm = 0x0, 
    input = 0x0, 
    output = 0x0, 
    flags = 18, <-- that should be DST_NOXFRM | DST_FAKE_RTABLE
    obsolete = 0, 
    header_len = 0, 
    trailer_len = 0, 
    __refcnt = {
      counter = 1
    }, 
    __use = 0, 
    lastuse = 0, 
    lwtstate = 0x0, 
    callback_head = {
      next = 0x0, 
      func = 0x0
    }, 
    error = 0, 
    __pad = 0, 
    tclassid = 0
  }, 
  rt_genid = 0, 
  rt_flags = 0, 
  rt_type = 0, 
  rt_is_input = 0 '\000', 
  rt_uses_gateway = 0 '\000', 
  rt_iif = 0, 
  rt_gw_family = 0 '\000', 
  {
    rt_gw4 = 0, 
    rt_gw6 = {
      in6_u = {
        u6_addr8 = "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000", 
        u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, 
        u6_addr32 = {0, 0, 0, 0}
      }
    }
  }, 
  rt_mtu_locked = 0, 
  rt_pmtu = 0, 
  rt_uncached = {
    next = 0x0, 
    prev = 0x0
  }, 
  rt_uncached_list = 0x0                                               
}                 

only fake_rtable.dst members are set to something, the remaining are all zero-ed.

Cong Wang April 20, 2021, 7:25 p.m. UTC | #4

On Tue, Apr 20, 2021 at 1:59 AM Davide Caratti <dcaratti@redhat.com> wrote:
>
> hello Cong, thanks for looking at this!
>
> On Mon, 2021-04-19 at 11:46 -0700, Cong Wang wrote:
> > On Mon, Apr 19, 2021 at 8:24 AM Davide Caratti <dcaratti@redhat.com> wrote:
> > > diff --git a/net/sched/sch_frag.c b/net/sched/sch_frag.c
> > > index e1e77d3fb6c0..8c06381391d6 100644
> > > --- a/net/sched/sch_frag.c
> > > +++ b/net/sched/sch_frag.c
> > > @@ -90,16 +90,16 @@ static int sch_fragment(struct net *net, struct sk_buff *skb,
> > >         }
> > >
> > >         if (skb_protocol(skb, true) == htons(ETH_P_IP)) {
> > > -               struct dst_entry sch_frag_dst;
> > > +               struct rtable sch_frag_rt = { 0 };
> >
> > Is setting these fields 0 sufficient here? Because normally a struct table
> > is initialized by rt_dst_alloc() which sets several of them to non-zero,
> > notably, rt->rt_type and rt->rt_uncached.
> >
> > Similar for the IPv6 part, which is initialized by rt6_info_init().
>
> for what we do now in openvswitch and sch_frag, that should be
> sufficient: a similar thing is done by br_netfilter [1], apparently for
> the same "refragmentation" purposes. On a fedora host (running 5.10, but
> it shouldn't be much different than current Linux), I just dumped
> 'fake_rtable' from a bridge device:

Sounds fair. It looks like all of these cases merely use dst->dev->mtu,
so it is overkill to pass a full dst just to satisfy some callees.

Anyway, your patch should be okay as a fix for -net.

Thanks.

Cong Wang April 20, 2021, 7:27 p.m. UTC | #5

On Mon, Apr 19, 2021 at 8:24 AM Davide Caratti <dcaratti@redhat.com> wrote:
>
> when 'act_mirred' tries to fragment IPv4 packets that had been previously
> re-assembled using 'act_ct', splats like the following can be observed on
> kernels built with KASAN:
[...]
> for IPv4 packets, sch_fragment() uses a temporary struct dst_entry. Then,
> in the following call graph:
>
>   ip_do_fragment()
>     ip_skb_dst_mtu()
>       ip_dst_mtu_maybe_forward()
>         ip_mtu_locked()
>
> the pointer to struct dst_entry is used as pointer to struct rtable: this
> turns the access to struct members like rt_mtu_locked into an OOB read in
> the stack. Fix this changing the temporary variable used for IPv4 packets
> in sch_fragment(), similarly to what is done for IPv6 few lines below.
>
> Fixes: c129412f74e9 ("net/sched: sch_frag: add generic packet fragment support.")
> Cc: <stable@vger.kernel.org> # 5.11
> Reported-by: Shuang Li <shuali@redhat.com>
> Signed-off-by: Davide Caratti <dcaratti@redhat.com>

Acked-by: Cong Wang <cong.wang@bytedance.com>

Thanks.

Patch

diff --git a/net/sched/sch_frag.c b/net/sched/sch_frag.c
index e1e77d3fb6c0..8c06381391d6 100644
--- a/net/sched/sch_frag.c
+++ b/net/sched/sch_frag.c
@@ -90,16 +90,16 @@  static int sch_fragment(struct net *net, struct sk_buff *skb,
 	}
 
 	if (skb_protocol(skb, true) == htons(ETH_P_IP)) {
-		struct dst_entry sch_frag_dst;
+		struct rtable sch_frag_rt = { 0 };
 		unsigned long orig_dst;
 
 		sch_frag_prepare_frag(skb, xmit);
-		dst_init(&sch_frag_dst, &sch_frag_dst_ops, NULL, 1,
+		dst_init(&sch_frag_rt.dst, &sch_frag_dst_ops, NULL, 1,
 			 DST_OBSOLETE_NONE, DST_NOCOUNT);
-		sch_frag_dst.dev = skb->dev;
+		sch_frag_rt.dst.dev = skb->dev;
 
 		orig_dst = skb->_skb_refdst;
-		skb_dst_set_noref(skb, &sch_frag_dst);
+		skb_dst_set_noref(skb, &sch_frag_rt.dst);
 		IPCB(skb)->frag_max_size = mru;
 
 		ret = ip_do_fragment(net, skb->sk, skb, sch_frag_xmit);