[thirdparty/kernel/stable-queue.git] / releases / 4.9.13 / ip-fix-ip_checksum-handling.patch

From foo@baz Thu Feb 23 21:13:05 CET 2017
From: Paolo Abeni <pabeni@redhat.com>
Date: Tue, 21 Feb 2017 09:33:18 +0100
Subject: ip: fix IP_CHECKSUM handling

From: Paolo Abeni <pabeni@redhat.com>


[ Upstream commit ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 ]

The skbs processed by ip_cmsg_recv() are not guaranteed to
be linear e.g. when sending UDP packets over loopback with
MSGMORE.
Using csum_partial() on [potentially] the whole skb len
is dangerous; instead be on the safe side and use skb_checksum().

Thanks to syzkaller team to detect the issue and provide the
reproducer.

v1 -> v2:
 - move the variable declaration in a tighter scope

Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_sockglue.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct
 	if (skb->ip_summed != CHECKSUM_COMPLETE)
 		return;
 
-	if (offset != 0)
-		csum = csum_sub(csum,
-				csum_partial(skb_transport_header(skb) + tlen,
-					     offset, 0));
+	if (offset != 0) {
+		int tend_off = skb_transport_offset(skb) + tlen;
+		csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
+	}
 
 	put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
 }
Commit	Line	Data
b2af825a GKH	1	From foo@baz Thu Feb 23 21:13:05 CET 2017
	2	From: Paolo Abeni <pabeni@redhat.com>
	3	Date: Tue, 21 Feb 2017 09:33:18 +0100
	4	Subject: ip: fix IP_CHECKSUM handling
	5
	6	From: Paolo Abeni <pabeni@redhat.com>
	7
	8
	9	[ Upstream commit ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32 ]
	10
	11	The skbs processed by ip_cmsg_recv() are not guaranteed to
	12	be linear e.g. when sending UDP packets over loopback with
	13	MSGMORE.
	14	Using csum_partial() on [potentially] the whole skb len
	15	is dangerous; instead be on the safe side and use skb_checksum().
	16
	17	Thanks to syzkaller team to detect the issue and provide the
	18	reproducer.
	19
	20	v1 -> v2:
	21	- move the variable declaration in a tighter scope
	22
	23	Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
	24	Reported-by: Andrey Konovalov <andreyknvl@google.com>
	25	Signed-off-by: Paolo Abeni <pabeni@redhat.com>
	26	Acked-by: Eric Dumazet <edumazet@google.com>
	27	Signed-off-by: David S. Miller <davem@davemloft.net>
	28	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	29	---
	30	net/ipv4/ip_sockglue.c \| 8 ++++----
	31	1 file changed, 4 insertions(+), 4 deletions(-)
	32
	33	--- a/net/ipv4/ip_sockglue.c
	34	+++ b/net/ipv4/ip_sockglue.c
	35	@@ -105,10 +105,10 @@ static void ip_cmsg_recv_checksum(struct
	36	if (skb->ip_summed != CHECKSUM_COMPLETE)
	37	return;
	38
	39	- if (offset != 0)
	40	- csum = csum_sub(csum,
	41	- csum_partial(skb_transport_header(skb) + tlen,
	42	- offset, 0));
	43	+ if (offset != 0) {
	44	+ int tend_off = skb_transport_offset(skb) + tlen;
	45	+ csum = csum_sub(csum, skb_checksum(skb, tend_off, offset, 0));
	46	+ }
	47
	48	put_cmsg(msg, SOL_IP, IP_CHECKSUM, sizeof(__wsum), &csum);
	49	}