From nobody Mon Feb 9 15:08:27 2026 Received: from mx.swemel.ru (mx.swemel.ru [95.143.211.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 3445114A09E; Fri, 31 Jan 2025 08:27:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=95.143.211.150 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738312080; cv=none; b=DQjw9GnagDrKbv40aJ+uopVI1GU7J3Gl/QwEWyOALjfo+C8bhAxPHcy71cd8acLZES/lGxBznUx8q0v3zHmoax+/0HqTJC7QN6S2TjJeL+20ds4J86mYmlD4TclwbJATTHKvtJPQX0Ij4v9fLSXrG23MpLIFnvTSdnQbN8dU5Gk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738312080; c=relaxed/simple; bh=1Vf7SraXgcAr4MrtkaSvZn1+sMqYM8V24q3OmaIeIME=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=gu32RqQDkWExR7BPvMPKBm+bVoJ5jMI+E1q0mQ2U4gCqn6yJBvDQ4HnTMCJIxr3VlIBCWl02zTi4+M8CuZsoDxrrtqLK+08lcq0SziMdCB4/Qfc1Tc03rELgKpnPYEUyDVmuUzZsClVKTyJ6z7A0FwvABcqb50VykFdoNbfozSU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=swemel.ru; spf=pass smtp.mailfrom=swemel.ru; dkim=pass (1024-bit key) header.d=swemel.ru header.i=@swemel.ru header.b=BihgjZ0M; arc=none smtp.client-ip=95.143.211.150 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=swemel.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=swemel.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=swemel.ru header.i=@swemel.ru header.b="BihgjZ0M" From: Denis Arefev DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=swemel.ru; s=mail; t=1738312068; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=w/LokgVE8APjfH1r2MM22fAxPhHX1CdEHBK2GYuUJ5w=; b=BihgjZ0MdSz7PeJy6OHvV33pvxGG2mqGoWy4XcyfDsItZqwUiwxv+llPVl7wD/gPygbO3P iGRQoFptbY/s2HjAvKw5bT07IDCtgxQUh5MoIxSRblBPvIj97LVrfwqESQgUJlQ835VbdE 5wu9BZQybWwzlygGzZzHJZAbU+Lqofo= To: stable@vger.kernel.org, Greg Kroah-Hartman Cc: "Michael S. Tsirkin" , Jason Wang , "David S. Miller" , Andrew Melnychenko , virtualization@lists.linux-foundation.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, lvc-project@linuxtesting.org, syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com, syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com, Willem de Bruijn , Eric Dumazet Subject: [PATCH 5.10 1/5] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Date: Fri, 31 Jan 2025 11:27:37 +0300 Message-ID: <20250131082747.4101-2-arefev@swemel.ru> In-Reply-To: <20250131082747.4101-1-arefev@swemel.ru> References: <20250131082747.4101-1-arefev@swemel.ru> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" From: Willem de Bruijn commit fc8b2a619469378717e7270d2a4e1ef93c585f7a upstream. Syzbot reported two new paths to hit an internal WARNING using the new virtio gso type VIRTIO_NET_HDR_GSO_UDP_L4. RIP: 0010:skb_checksum_help+0x4a2/0x600 net/core/dev.c:3260 skb len=3D64521 gso_size=3D344 and RIP: 0010:skb_warn_bad_offload+0x118/0x240 net/core/dev.c:3262 Older virtio types have historically had loose restrictions, leading to many entirely impractical fuzzer generated packets causing problems deep in the kernel stack. Ideally, we would have had strict validation for all types from the start. New virtio types can have tighter validation. Limit UDP GSO packets inserted via virtio to the same limits imposed by the UDP_SEGMENT socket interface: 1. must use checksum offload 2. checksum offload matches UDP header 3. no more segments than UDP_MAX_SEGMENTS 4. UDP GSO does not take modifier flags, notably SKB_GSO_TCP_ECN Fixes: 860b7f27b8f7 ("linux/virtio_net.h: Support USO offload in vnet heade= r.") Reported-by: syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000005039270605eb0b7f@google.= com/ Reported-by: syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/0000000000005426680605eb0b9f@google.= com/ Signed-off-by: Willem de Bruijn Reviewed-by: Eric Dumazet Acked-by: Jason Wang Signed-off-by: David S. Miller [Denis: minor fix to resolve merge conflict.] = =20 Signed-off-by: Denis Arefev = =20 --- Backport fix for CVE-2024-43817 Link: https://nvd.nist.gov/vuln/detail/cve-2024-43817=20 --- include/linux/virtio_net.h | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h index 6047058d6703..9bdba0c00c07 100644 --- a/include/linux/virtio_net.h +++ b/include/linux/virtio_net.h @@ -3,8 +3,8 @@ #define _LINUX_VIRTIO_NET_H =20 #include +#include #include -#include #include =20 static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_ty= pe) @@ -144,9 +144,22 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff= *skb, unsigned int nh_off =3D p_off; struct skb_shared_info *shinfo =3D skb_shinfo(skb); =20 - /* UFO may not include transport header in gso_size. */ - if (gso_type & SKB_GSO_UDP) + switch (gso_type & ~SKB_GSO_TCP_ECN) { + case SKB_GSO_UDP: + /* UFO may not include transport header in gso_size. */ nh_off -=3D thlen; + break; + case SKB_GSO_UDP_L4: + if (!(hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM)) + return -EINVAL; + if (skb->csum_offset !=3D offsetof(struct udphdr, check)) + return -EINVAL; + if (skb->len - p_off > gso_size * UDP_MAX_SEGMENTS) + return -EINVAL; + if (gso_type !=3D SKB_GSO_UDP_L4) + return -EINVAL; + break; + } =20 /* Kernel has a special handling for GSO_BY_FRAGS. */ if (gso_size =3D=3D GSO_BY_FRAGS) --=20 2.43.0