From: "zhangpeng (AS)" <zhangpeng362@huawei.com>
To: Eric Dumazet <edumazet@google.com>
Cc: Matthew Wilcox <willy@infradead.org>, <linux-mm@kvack.org>,
<linux-fsdevel@vger.kernel.org>, <netdev@vger.kernel.org>,
<akpm@linux-foundation.org>, <davem@davemloft.net>,
<dsahern@kernel.org>, <kuba@kernel.org>, <pabeni@redhat.com>,
<arjunroy@google.com>, <wangkefeng.wang@huawei.com>
Subject: Re: SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY
Date: Thu, 25 Jan 2024 17:22:41 +0800 [thread overview]
Message-ID: <531c536d-a7d1-2be5-10aa-8d6eb4dcb5c9@huawei.com> (raw)
In-Reply-To: <CANn89iJSxsx_6oTM+ggo90vacNM33e_DpgJJg1HQRfkdj3ewqg@mail.gmail.com>
On 2024/1/25 16:57, Eric Dumazet wrote:
> On Thu, Jan 25, 2024 at 3:18 AM zhangpeng (AS) <zhangpeng362@huawei.com> wrote:
>> On 2024/1/24 18:11, Eric Dumazet wrote:
>>
>>> On Wed, Jan 24, 2024 at 10:30 AM zhangpeng (AS) <zhangpeng362@huawei.com> wrote:
>>>> By using git-bisect, the patch that introduces this issue is 05255b823a617
>>>> ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive."). v4.18-rc1.
>>>>
>>>> Currently, there are no other repro or c reproduction programs can reproduce
>>>> the issue. The syz log used to reproduce the issue is as follows:
>>>>
>>>> r3 = socket$inet_tcp(0x2, 0x1, 0x0)
>>>> mmap(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0, 0x12, r3, 0x0)
>>>> r4 = socket$inet_tcp(0x2, 0x1, 0x0)
>>>> bind$inet(r4, &(0x7f0000000000)={0x2, 0x4e24, @multicast1}, 0x10)
>>>> connect$inet(r4, &(0x7f00000006c0)={0x2, 0x4e24, @empty}, 0x10)
>>>> r5 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
>>>> 0x181e42, 0x0)
>>>> fallocate(r5, 0x0, 0x0, 0x85b8818)
>>>> sendfile(r4, r5, 0x0, 0x3000)
>>>> getsockopt$inet_tcp_TCP_ZEROCOPY_RECEIVE(r4, 0x6, 0x23,
>>>> &(0x7f00000001c0)={&(0x7f0000ffb000/0x3000)=nil, 0x3000, 0x0, 0x0,
>>>> 0x0, 0x0, 0x0, 0x0, 0x0}, &(0x7f0000000440)=0x10)
>>>> r6 = openat$dir(0xffffffffffffff9c, &(0x7f00000000c0)='./file0\x00',
>>>> 0x181e42, 0x0)
>>>>
>>> Could you try the following fix then ?
>>>
>>> (We also could remove the !skb_frag_off(frag) condition, as the
>>> !PageCompound() is necessary it seems :/)
>>>
>>> Thanks a lot !
>>>
>>> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
>>> index 1baa484d21902d2492fc2830d960100dc09683bf..ee954ae7778a651a9da4de057e3bafe35a6e10d6
>>> 100644
>>> --- a/net/ipv4/tcp.c
>>> +++ b/net/ipv4/tcp.c
>>> @@ -1785,7 +1785,9 @@ static skb_frag_t *skb_advance_to_frag(struct
>>> sk_buff *skb, u32 offset_skb,
>>>
>>> static bool can_map_frag(const skb_frag_t *frag)
>>> {
>>> - return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
>>> + return skb_frag_size(frag) == PAGE_SIZE &&
>>> + !skb_frag_off(frag) &&
>>> + !PageCompound(skb_frag_page(frag));
>>> }
>>>
>>> static int find_next_mappable_frag(const skb_frag_t *frag,
>> This patch doesn't fix this issue. The page cache that can trigger this issue
>> doesn't necessarily need to be compound. 🙁
> Ah, too bad :/
>
> So the issue is that the page had a mapping. I am no mm expert,
> I am not sure if we need to add more tests (like testing various
> illegal page flags) ?
>
> Can you test this ?
>
> (I am still converting the repro into C)
>
> Thanks.
>
> diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
> index 1baa484d21902d2492fc2830d960100dc09683bf..2128015227a5066ea74b3911ecaefe7992da132f
> 100644
> --- a/net/ipv4/tcp.c
> +++ b/net/ipv4/tcp.c
> @@ -1785,7 +1785,17 @@ static skb_frag_t *skb_advance_to_frag(struct
> sk_buff *skb, u32 offset_skb,
>
> static bool can_map_frag(const skb_frag_t *frag)
> {
> - return skb_frag_size(frag) == PAGE_SIZE && !skb_frag_off(frag);
> + struct page *page;
> +
> + if (skb_frag_size(frag) != PAGE_SIZE || skb_frag_off(frag))
> + return false;
> +
> + page = skb_frag_page(frag);
> +
> + if (PageCompound(page) || page->mapping)
> + return false;
> +
> + return true;
> }
>
> static int find_next_mappable_frag(const skb_frag_t *frag,
This patch can fix this issue.
In this scenario, page->mapping is inode->i_mapping of ext4,
but VMA is tcp VMA. It's weird.
If all the pages that need to be inserted by TCP zerocopy are
page->mapping == NULL, this solution could be used.
Thanks!
--
Best Regards,
Peng
next prev parent reply other threads:[~2024-01-25 9:22 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-19 9:20 [RFC PATCH] filemap: add mapping_mapped check in filemap_unaccount_folio() Peng Zhang
2024-01-19 13:40 ` Matthew Wilcox
2024-01-20 6:46 ` zhangpeng (AS)
2024-01-22 16:04 ` SECURITY PROBLEM: Any user can crash the kernel with TCP ZEROCOPY Matthew Wilcox
2024-01-22 16:30 ` Eric Dumazet
2024-01-22 17:12 ` Matthew Wilcox
2024-01-22 17:39 ` Eric Dumazet
2024-01-24 9:30 ` zhangpeng (AS)
2024-01-24 10:11 ` Eric Dumazet
2024-01-25 2:18 ` zhangpeng (AS)
2024-01-25 8:57 ` Eric Dumazet
2024-01-25 9:22 ` zhangpeng (AS) [this message]
2024-01-25 10:31 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=531c536d-a7d1-2be5-10aa-8d6eb4dcb5c9@huawei.com \
--to=zhangpeng362@huawei.com \
--cc=akpm@linux-foundation.org \
--cc=arjunroy@google.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=wangkefeng.wang@huawei.com \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox