Merge: CVE-2024-43817: net: missing check virtio

MR: https://gitlab.com/redhat/rhel/src/kernel/rhel-9/-/merge_requests/2365

CVE: CVE-2024-43817

backport e269d79 ("net: missing check virtio") to fix the CVE

89add40 ("net: drop bad gso csum_start and offset in virtio_net_hdr") is a fix for e269d79

backport fc8b2a6 ("net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation") to have the correct context for 89add40 (a case() with SKB_GSO_UDP and SKB_GSO_UDP_L4 rather than a if()"

1382e3b ("net: change maximum number of UDP segments to 128") is a fix for fc8b2a6

Omitted-fix: b128ed5 ("udp: fix receiving fraglist GSO packets")

We don't need b128ed5 ("udp: fix receiving fraglist GSO packets") that is a fix for 89add40 because it adds only "!(skb_shinfo(gso_skb)-\>gso_type & SKB_GSO_FRAGLIST)" on the line that cannot happens because 9840036 ("gso: fix dodgy bit handling for GSO_UDP_L4") is not backported.

JIRA: https://issues.redhat.com/browse/RHEL-54891

Signed-off-by: Laurent Vivier <lvivier@redhat.com>

Approved-by: Jason Wang <jasowang@redhat.com>
Approved-by: Florian Westphal <fwestpha@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: Lucas Zampieri <lzampier@redhat.com>

Author: zampierilucas

include/linux/udp.h

@@ -91,7 +91,7 @@ struct udp_sock {
 	int		forward_threshold;
 };
 
-#define UDP_MAX_SEGMENTS	(1 << 6UL)
+#define UDP_MAX_SEGMENTS	(1 << 7UL)
 
 static inline struct udp_sock *udp_sk(const struct sock *sk)
 {

include/linux/virtio_net.h

@@ -3,8 +3,8 @@
 #define _LINUX_VIRTIO_NET_H
 
 #include <linux/if_vlan.h>
+#include <linux/udp.h>
 #include <uapi/linux/tcp.h>
-#include <uapi/linux/udp.h>
 #include <uapi/linux/virtio_net.h>
 
 static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
@@ -151,9 +151,27 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
 		unsigned int nh_off = p_off;
 		struct skb_shared_info *shinfo = skb_shinfo(skb);
 
-		/* UFO may not include transport header in gso_size. */
-		if (gso_type & SKB_GSO_UDP)
+		switch (gso_type & ~SKB_GSO_TCP_ECN) {
+		case SKB_GSO_UDP:
+			/* UFO may not include transport header in gso_size. */
 			nh_off -= thlen;
+			break;
+		case SKB_GSO_UDP_L4:
+			if (!(hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
+				return -EINVAL;
+			if (skb->csum_offset != offsetof(struct udphdr, check))
+				return -EINVAL;
+			if (skb->len - p_off > gso_size * UDP_MAX_SEGMENTS)
+				return -EINVAL;
+			if (gso_type != SKB_GSO_UDP_L4)
+				return -EINVAL;
+			break;
+		case SKB_GSO_TCPV4:
+		case SKB_GSO_TCPV6:
+			if (skb->csum_offset != offsetof(struct tcphdr, check))
+				return -EINVAL;
+			break;
+		}
 
 		/* Too small packets are not really GSO ones. */
 		if (skb->len - nh_off > gso_size) {

net/ipv4/tcp_offload.c

@@ -73,6 +73,9 @@ struct sk_buff *tcp_gso_segment(struct sk_buff *skb,
 	if (thlen < sizeof(*th))
 		goto out;
 
+	if (unlikely(skb_checksum_start(skb) != skb_transport_header(skb)))
+		goto out;
+
 	if (!pskb_may_pull(skb, thlen))
 		goto out;
 

net/ipv4/udp_offload.c

@@ -281,6 +281,10 @@ struct sk_buff *__udp_gso_segment(struct sk_buff *gso_skb,
 	if (gso_skb->len <= sizeof(*uh) + mss)
 		return ERR_PTR(-EINVAL);
 
+	if (unlikely(skb_checksum_start(gso_skb) !=
+		     skb_transport_header(gso_skb)))
+		return ERR_PTR(-EINVAL);
+
 	skb_pull(gso_skb, sizeof(*uh));
 
 	/* clear destructor to avoid skb_segment assigning it to tail */

tools/testing/selftests/net/udpgso.c

@@ -34,7 +34,7 @@
 #endif
 
 #ifndef UDP_MAX_SEGMENTS
-#define UDP_MAX_SEGMENTS	(1 << 6UL)
+#define UDP_MAX_SEGMENTS	(1 << 7UL)
 #endif
 
 #define CONST_MTU_TEST	1500