[net,0/3] Fix out of bounds when parsing TCP options

Message ID	20210609142212.3096691-1-maximmi@nvidia.com
Headers	show Return-Path: <netdev-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.36 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.36; helo=mail.nvidia.com; From: Maxim Mikityanskiy <maximmi@nvidia.com> To: Mat Martineau <mathew.j.martineau@linux.intel.com>, Matthieu Baerts <matthieu.baerts@tessares.net>, Jakub Kicinski <kuba@kernel.org>, "David S. Miller" <davem@davemloft.net>, Pablo Neira Ayuso <pablo@netfilter.org>, Jozsef Kadlecsik <kadlec@netfilter.org>, Florian Westphal <fw@strlen.de>, =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>, "Jamal Hadi Salim" <jhs@mojatatu.com>, Cong Wang <xiyou.wangcong@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Patrick McHardy <kaber@trash.net>, Jesper Dangaard Brouer <brouer@redhat.com>, Paolo Abeni <pabeni@redhat.com>, Christoph Paasch <cpaasch@apple.com>, Peter Krystad <peter.krystad@linux.intel.com> CC: Young Xiao <92siuyang@gmail.com>, <netdev@vger.kernel.org>, "Maxim Mikityanskiy" <maximmi@nvidia.com> Subject: [PATCH net 0/3] Fix out of bounds when parsing TCP options Date: Wed, 9 Jun 2021 17:22:09 +0300 Message-ID: <20210609142212.3096691-1-maximmi@nvidia.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain Precedence: bulk
Series	Fix out of bounds when parsing TCP options \| expand [net,0/3] Fix out of bounds when parsing TCP options [net,1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options [net,2/3] mptcp: Fix out of bounds when parsing TCP options [net,3/3] sch_cake: Fix out of bounds when parsing TCP options

Maxim Mikityanskiy June 9, 2021, 2:22 p.m. UTC

This series fixes out-of-bounds access in various places in the kernel
where parsing of TCP options takes place. Fortunately, many more
occurrences don't have this bug.

Maxim Mikityanskiy (3):
  netfilter: synproxy: Fix out of bounds when parsing TCP options
  mptcp: Fix out of bounds when parsing TCP options
  sch_cake: Fix out of bounds when parsing TCP options

 net/mptcp/options.c              | 2 ++
 net/netfilter/nf_synproxy_core.c | 2 ++
 net/sched/sch_cake.c             | 4 ++++
 3 files changed, 8 insertions(+)

Florian Westphal June 9, 2021, 2:51 p.m. UTC | #1

Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> The TCP option parser in synproxy (synproxy_parse_options) could read
> one byte out of bounds. When the length is 1, the execution flow gets
> into the loop, reads one byte of the opcode, and if the opcode is
> neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds
> the length of 1.
> 
> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> out of bounds when parsing TCP options.").
> 
> Cc: Young Xiao <92siuyang@gmail.com>
> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")
> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
> ---
>  net/netfilter/nf_synproxy_core.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
> index b100c04a0e43..621eb5ef9727 100644
> --- a/net/netfilter/nf_synproxy_core.c
> +++ b/net/netfilter/nf_synproxy_core.c
> @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
>  			length--;
>  			continue;
>  		default:
> +			if (length < 2)
> +				return true;

Would you mind a v2 that also rejects bogus th->doff value when
computing the length?

Thanks.

Toke Høiland-Jørgensen June 9, 2021, 9:51 p.m. UTC | #2

Maxim Mikityanskiy <maximmi@nvidia.com> writes:

> The TCP option parser in cake qdisc (cake_get_tcpopt and
> cake_tcph_may_drop) could read one byte out of bounds. When the length
> is 1, the execution flow gets into the loop, reads one byte of the
> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads
> one more byte, which exceeds the length of 1.
>
> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack
> out of bounds when parsing TCP options.").
>
> Cc: Young Xiao <92siuyang@gmail.com>
> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")
> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>

Thanks for fixing this!

Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>

Maxim Mikityanskiy June 10, 2021, 7:05 a.m. UTC | #3

On 2021-06-09 17:51, Florian Westphal wrote:
> Maxim Mikityanskiy <maximmi@nvidia.com> wrote:

>> The TCP option parser in synproxy (synproxy_parse_options) could read

>> one byte out of bounds. When the length is 1, the execution flow gets

>> into the loop, reads one byte of the opcode, and if the opcode is

>> neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds

>> the length of 1.

>>

>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack

>> out of bounds when parsing TCP options.").

>>

>> Cc: Young Xiao <92siuyang@gmail.com>

>> Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")

>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>

>> ---

>>   net/netfilter/nf_synproxy_core.c | 2 ++

>>   1 file changed, 2 insertions(+)

>>

>> diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c

>> index b100c04a0e43..621eb5ef9727 100644

>> --- a/net/netfilter/nf_synproxy_core.c

>> +++ b/net/netfilter/nf_synproxy_core.c

>> @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,

>>   			length--;

>>   			continue;

>>   		default:

>> +			if (length < 2)

>> +				return true;

> 

> Would you mind a v2 that also rejects bogus th->doff value when

> computing the length?


Could you elaborate? The length is a signed int calculated as `(th->doff 
* 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, 
so we never enter the loop. Or are you concerned of passing a negative 
length to skb_header_pointer?

> 

> Thanks.

>

Florian Westphal June 10, 2021, 8:56 a.m. UTC | #4

Maxim Mikityanskiy <maximmi@nvidia.com> wrote:
> On 2021-06-09 17:51, Florian Westphal wrote:

> > Maxim Mikityanskiy <maximmi@nvidia.com> wrote:

> > > The TCP option parser in synproxy (synproxy_parse_options) could read

> > > one byte out of bounds. When the length is 1, the execution flow gets

> > > into the loop, reads one byte of the opcode, and if the opcode is

> > > neither TCPOPT_EOL nor TCPOPT_NOP, it reads one more byte, which exceeds

> > > the length of 1.

> > > 

> > > This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack

> > > out of bounds when parsing TCP options.").

> > > 

> > > Cc: Young Xiao <92siuyang@gmail.com>

> > > Fixes: 48b1de4c110a ("netfilter: add SYNPROXY core/target")

> > > Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>

> > > ---

> > >   net/netfilter/nf_synproxy_core.c | 2 ++

> > >   1 file changed, 2 insertions(+)

> > > 

> > > diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c

> > > index b100c04a0e43..621eb5ef9727 100644

> > > --- a/net/netfilter/nf_synproxy_core.c

> > > +++ b/net/netfilter/nf_synproxy_core.c

> > > @@ -47,6 +47,8 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,

> > >   			length--;

> > >   			continue;

> > >   		default:

> > > +			if (length < 2)

> > > +				return true;

> > 

> > Would you mind a v2 that also rejects bogus th->doff value when

> > computing the length?

> 

> Could you elaborate? The length is a signed int calculated as `(th->doff *

> 4) - sizeof(*th)`. Invalid doff values (0..4) lead to negative length, so we

> never enter the loop. Or are you concerned of passing a negative length to

> skb_header_pointer?


Yes, negative length to skb_header_pointer.  For other usage (mptcp for
example) tcp stack validated th->doff already, but thats not the case for synproxy.

Maxim Mikityanskiy June 10, 2021, 11:19 a.m. UTC | #5

On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:
> Maxim Mikityanskiy <maximmi@nvidia.com> writes:

> 

>> The TCP option parser in cake qdisc (cake_get_tcpopt and

>> cake_tcph_may_drop) could read one byte out of bounds. When the length

>> is 1, the execution flow gets into the loop, reads one byte of the

>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads

>> one more byte, which exceeds the length of 1.

>>

>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack

>> out of bounds when parsing TCP options.").

>>

>> Cc: Young Xiao <92siuyang@gmail.com>

>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")

>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>

> 

> Thanks for fixing this!

> 

> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>

> 

Could you also review whether Florian's comment on patch 1 is relevant 
to this patch too? I have concerns about cake_get_tcphdr, which returns 
`skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize), 
buf)`. Although I don't see a way for it to get out of bounds (it will 
read garbage instead of TCP header in the worst case), such code doesn't 
look robust.

It's not possible for it to get out of bounds, because there is a call 
to skb_header_pointer above with sizeof(_tcph), which ensures that the 
SKB has at least 20 bytes after the beginning of the TCP header, which 
means that the second skb_header_pointer will either point to SKB (where 
we have at least 20 bytes) or to buf (which is allocated by the caller, 
so the caller shouldn't overflow its own buffer).

On the other hand, parsing garbage doesn't look like a valid behavior 
compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we 
may want to handle it, for example:

          return skb_header_pointer(skb, offset,
-                                  min(__tcp_hdrlen(tcph), bufsize), buf);
+                                  min(max(sizeof(struct tcphdr), 
__tcp_hdrlen(tcph)), bufsize), buf);

What do you think? Or did I just miss some early check for doff?

(I realize it's egress path and the packets produced by the system 
itself are unlikely to have bad doff, but it's not impossible, for 
example, with AF_PACKET, BPF hooks in tc, etc.)

Toke Høiland-Jørgensen June 10, 2021, 2:33 p.m. UTC | #6

Maxim Mikityanskiy <maximmi@nvidia.com> writes:

> On 2021-06-10 00:51, Toke Høiland-Jørgensen wrote:

>> Maxim Mikityanskiy <maximmi@nvidia.com> writes:

>> 

>>> The TCP option parser in cake qdisc (cake_get_tcpopt and

>>> cake_tcph_may_drop) could read one byte out of bounds. When the length

>>> is 1, the execution flow gets into the loop, reads one byte of the

>>> opcode, and if the opcode is neither TCPOPT_EOL nor TCPOPT_NOP, it reads

>>> one more byte, which exceeds the length of 1.

>>>

>>> This fix is inspired by commit 9609dad263f8 ("ipv4: tcp_input: fix stack

>>> out of bounds when parsing TCP options.").

>>>

>>> Cc: Young Xiao <92siuyang@gmail.com>

>>> Fixes: 8b7138814f29 ("sch_cake: Add optional ACK filter")

>>> Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>

>> 

>> Thanks for fixing this!

>> 

>> Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>

>> 

>

> Could you also review whether Florian's comment on patch 1 is relevant 

> to this patch too? I have concerns about cake_get_tcphdr, which returns 

> `skb_header_pointer(skb, offset, min(__tcp_hdrlen(tcph), bufsize), 

> buf)`. Although I don't see a way for it to get out of bounds (it will 

> read garbage instead of TCP header in the worst case), such code doesn't 

> look robust.

>

> It's not possible for it to get out of bounds, because there is a call 

> to skb_header_pointer above with sizeof(_tcph), which ensures that the 

> SKB has at least 20 bytes after the beginning of the TCP header, which 

> means that the second skb_header_pointer will either point to SKB (where 

> we have at least 20 bytes) or to buf (which is allocated by the caller, 

> so the caller shouldn't overflow its own buffer).

>

> On the other hand, parsing garbage doesn't look like a valid behavior 

> compared to dropping/ignoring/whatever-cake-does-with-bad-packets, so we 

> may want to handle it, for example:

>

>           return skb_header_pointer(skb, offset,

> -                                  min(__tcp_hdrlen(tcph), bufsize), buf);

> +                                  min(max(sizeof(struct tcphdr), 

> __tcp_hdrlen(tcph)), bufsize), buf);

>

> What do you think? Or did I just miss some early check for doff?


No, I think your analysis is correct: It won't lead to any out-of-bounds
reads, but I suppose we could end up trying to parse garbage. However,
if we do get a packet that sets doff to an invalid value, and we try to
parse it, we're essentially parsing garbage anyway. So I think the fix
should rather be something like:

diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 7d37638ee1c7..d312d75ab698 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -943,7 +943,7 @@ static struct tcphdr *cake_get_tcphdr(const struct sk_buff *skb,
        }
 
        tcph = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
-       if (!tcph)
+       if (!tcph || tcph->doff < 5)
                return NULL;
 
        return skb_header_pointer(skb, offset,

> (I realize it's egress path and the packets produced by the system 

> itself are unlikely to have bad doff, but it's not impossible, for 

> example, with AF_PACKET, BPF hooks in tc, etc.)


Most CAKE deployments primarily handles forwarded packets, and I suppose
malformed TCP packets could make it through the forwarding path as
well...

-Toke

[net,0/3] Fix out of bounds when parsing TCP options

Message

Comments