From patchwork Thu Nov 24 07:19:38 2016
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 698646
X-Patchwork-Delegate: davem@davemloft.net
References: <860a2905e7f7467f864e13839eb05222@imshyb02.MITRE.ORG>
From: Cong Wang
Date: Wed, 23 Nov 2016 23:19:38 -0800
Subject: Re: [scr265482] ip_tunnel.c
To: Liyang Yu (于立洋1)
Cc: "security@kernel.org", "netdev@vger.kernel.org", "cve-request@mitre.org"
X-Mailing-List: netdev@vger.kernel.org

On Wed, Nov 23, 2016 at 6:47 PM, Liyang Yu (于立洋1) wrote:
> Hi:
> I found that the GRE tunnel in same case can cause integer overflow in ip_tunnel.c:397
>
> Cause of the problem:
> When tpi->seq is less than tunnel->i_seqno, the packet will be dropped.
>
> How to reproduce the problem:
> 1. Create a tunnel using the kernel GRE module.
> 2. Use the tunnel to send packets for a while.
> 3. Reboot one site of the tunnel.
> 4. Communication interrupted

What do you mean by "reboot one site of the tunnel"? If you mean something like delete and create it again, it has nothing related to integer overflow, the tunnel->o_seqno will restart from 0 and the tunnel->i_seqno will remain as it is since we can't detect the interruption of the tunnel traffic.

If so, the following patch could help?

if (err) diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 5719d6b..2738ff2 100644 --- a/net/ipv4/ip_tunnel.c 
+++ b/net/ipv4/ip_tunnel.c @@ -277,6 +277,7 @@ static struct net_device *__ip_tunnel_create(struct net *net, tunnel = netdev_priv(dev); tunnel->parms = *parms; tunnel->net = net; + tunnel->o_seqno = UINT_MAX; err = register_netdevice(dev);
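
Review bot: the added "tunnel->o_seqno = UINT_MAX;" in __ip_tunnel_create() has no comment explaining why the transmit counter starts at UINT_MAX instead of 0, and it touches only the sending side. The message above names the peer's retained tunnel->i_seqno as the reason packets are dropped after a tunnel is deleted and re-created, so the patch should say how a peer holding a stale i_seqno comes to accept the first packets sent after this initialization, or address the restart on the receive path too. Because __ip_tunnel_create() sits in the shared net/ipv4/ip_tunnel.c, it is also worth stating whether the new initial value is intended for every tunnel created through this function or only for those that use sequence numbers.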