Re: [PATCH net v4] net: use skb_header_pointer() only for DODGY TCPv4 GSO skbs

[Willem de Bruijn]

Guoyu Su wrote:
> Syzbot reported a KMSAN uninit-value warning in gso_features_check()
> called from netif_skb_features() [1].
> 
> The current direct skb->len check is not sufficient for SKB_GSO_DODGY
> packets. In the AF_PACKET/PACKET_VNET_HDR path, packet_snd() can build
> a DODGY GSO skb whose total length is large enough, while the IPv4
> header is not fully available as initialized linear data for a direct
> iph->frag_off access.
> 
> Use skb_header_pointer() to fetch the IPv4 header only for DODGY packets
> and clear mangleid_features conservatively if the header cannot be
> accessed or the DF bit is not set.
> 
> Keep the existing direct ip_hdr()/inner_ip_hdr() access for non-DODGY
> packets so that buggy internal callers are still exposed.
> 
> [1] https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
> 
> Fixes: cbc53e08a793 ("GSO: Add GSO type for fixed IPv4 ID")
> Reported-by: syzbot+1543a7d954d9c6d00407@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=1543a7d954d9c6d00407
> Tested-by: syzbot+1543a7d954d9c6d00407@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Guoyu Su <yss2813483011xxl@xxxxxxxxx>
> ---
> v4:
>  - Move struct iphdr _iph to the outer scope so a pointer returned by
>    skb_header_pointer() remains valid when iph->frag_off is checked.
> 
> v3: https://lore.kernel.org/netdev/20260312104351.185370-1-yss2813483011xxl@xxxxxxxxx/
> v2: https://lore.kernel.org/netdev/20260308083319.1255118-1-yss2813483011xxl@xxxxxxxxx/
> v1: https://lore.kernel.org/netdev/20260307162905.3697050-1-yss2813483011xxl@xxxxxxxxx/
> 
>  net/core/dev.c | 16 +++++++++++++---
>  1 file changed, 13 insertions(+), 3 deletions(-)
> 
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 14a83f2035b9..d47bf7b1fa99 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3805,10 +3805,20 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
>  	 * segmentation-offloads.rst).
>  	 */
>  	if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) {
> -		struct iphdr *iph = skb->encapsulation ?
> -				    inner_ip_hdr(skb) : ip_hdr(skb);
> +		int nhoff = skb->encapsulation ?
> +			    skb_inner_network_offset(skb) :
> +			    skb_network_offset(skb);

can be moved inside the unlikely branch

> +		const struct iphdr *iph;
> +		struct iphdr _iph;
> +
> +		if (unlikely(skb_shinfo(skb)->gso_type & SKB_GSO_DODGY)) {
> +			iph = nhoff < 0 ? NULL :

why the negative check?
> +			      skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
> +		} else {
> +			iph = skb->encapsulation ? inner_ip_hdr(skb) : ip_hdr(skb);
> +		}
>  
> -		if (!(iph->frag_off & htons(IP_DF)))
> +		if (!iph || !(iph->frag_off & htons(IP_DF)))
>  			features &= ~dev->mangleid_features;
>  	}
>  
> -- 
> 2.34.1
>