[net,v2,0/3] Fix out of bounds when parsing TCP options

Message ID	20210610164031.3412479-1-maximmi@nvidia.com
Headers	show Return-Path: <netdev-owner@kernel.org> Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates 216.228.112.34 as permitted sender) receiver=protection.outlook.com; client-ip=216.228.112.34; helo=mail.nvidia.com; From: Maxim Mikityanskiy <maximmi@nvidia.com> To: Mat Martineau <mathew.j.martineau@linux.intel.com>, Matthieu Baerts <matthieu.baerts@tessares.net>, Jakub Kicinski <kuba@kernel.org>, "David S. Miller" <davem@davemloft.net>, Pablo Neira Ayuso <pablo@netfilter.org>, Jozsef Kadlecsik <kadlec@netfilter.org>, Florian Westphal <fw@strlen.de>, =?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>, "Jamal Hadi Salim" <jhs@mojatatu.com>, Cong Wang <xiyou.wangcong@gmail.com>, Jiri Pirko <jiri@resnulli.us>, Patrick McHardy <kaber@trash.net>, Jesper Dangaard Brouer <brouer@redhat.com>, Paolo Abeni <pabeni@redhat.com>, Christoph Paasch <cpaasch@apple.com>, Peter Krystad <peter.krystad@linux.intel.com> CC: Young Xiao <92siuyang@gmail.com>, <netdev@vger.kernel.org>, <mptcp@lists.linux.dev>, Maxim Mikityanskiy <maximmi@nvidia.com> Subject: [PATCH net v2 0/3] Fix out of bounds when parsing TCP options Date: Thu, 10 Jun 2021 19:40:28 +0300 Message-ID: <20210610164031.3412479-1-maximmi@nvidia.com> MIME-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Fix out of bounds when parsing TCP options \| expand [net,v2,0/3] Fix out of bounds when parsing TCP options [net,v2,1/3] netfilter: synproxy: Fix out of bounds when parsing TCP options [net,v2,2/3] mptcp: Fix out of bounds when parsing TCP options [net,v2,3/3] sch_cake: Fix out of bounds when parsing TCP options and header

Message ID

20210610164031.3412479-1-maximmi@nvidia.com

Headers

Received-SPF: Pass (protection.outlook.com: domain of nvidia.com designates
	216.228.112.34 as permitted sender)
	receiver=protection.outlook.com; 
	client-ip=216.228.112.34; helo=mail.nvidia.com;
From: Maxim Mikityanskiy <maximmi@nvidia.com>
To: Mat Martineau <mathew.j.martineau@linux.intel.com>, Matthieu Baerts
	<matthieu.baerts@tessares.net>, Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>, Pablo Neira Ayuso
	<pablo@netfilter.org>,         Jozsef Kadlecsik <kadlec@netfilter.org>,
	Florian Westphal <fw@strlen.de>, 
	=?utf-8?q?Toke_H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>,
	"Jamal Hadi Salim" <jhs@mojatatu.com>, Cong Wang
	<xiyou.wangcong@gmail.com>,         Jiri Pirko <jiri@resnulli.us>,
	Patrick McHardy <kaber@trash.net>, Jesper Dangaard Brouer
	<brouer@redhat.com>,         Paolo Abeni <pabeni@redhat.com>,
	Christoph Paasch <cpaasch@apple.com>, 
	Peter Krystad <peter.krystad@linux.intel.com>
CC: Young Xiao <92siuyang@gmail.com>, <netdev@vger.kernel.org>,
	<mptcp@lists.linux.dev>, Maxim Mikityanskiy <maximmi@nvidia.com>
Subject: [PATCH net v2 0/3] Fix out of bounds when parsing TCP options
Date: Thu, 10 Jun 2021 19:40:28 +0300
Message-ID: <20210610164031.3412479-1-maximmi@nvidia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Jun 2021 16:40:53.5089
	(UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: b07931c8-d78c-4d87-ec05-08d92c2e8382
X-MS-Exchange-CrossTenant-Id: 43083d15-7273-40c1-b7db-39efd9ccc17a
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=43083d15-7273-40c1-b7db-39efd9ccc17a;
	Ip=[216.228.112.34]; Helo=[mail.nvidia.com]
X-MS-Exchange-CrossTenant-AuthSource: CO1NAM11FT032.eop-nam11.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR12MB4709
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

Series

Fix out of bounds when parsing TCP options | expand

Message

Maxim Mikityanskiy June 10, 2021, 4:40 p.m. UTC

This series fixes out-of-bounds access in various places in the kernel
where parsing of TCP options takes place. Fortunately, many more
occurrences don't have this bug.

v2 changes:

synproxy: Added an early return when length < 0 to avoid calling
skb_header_pointer with negative length.

sch_cake: Added doff validation to avoid parsing garbage.

Maxim Mikityanskiy (3):
  netfilter: synproxy: Fix out of bounds when parsing TCP options
  mptcp: Fix out of bounds when parsing TCP options
  sch_cake: Fix out of bounds when parsing TCP options and header

 net/mptcp/options.c              | 2 ++
 net/netfilter/nf_synproxy_core.c | 5 +++++
 net/sched/sch_cake.c             | 6 +++++-
 3 files changed, 12 insertions(+), 1 deletion(-)