Bug 575444 - veth interface bug delivers corrupt TCP/IP data to linux containers
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Kernel Security
Reported: 2016-02-23 10:55 UTC by ChaosEngine
Modified: 2022-03-25 22:47 UTC

Description ChaosEngine 2016-02-23 10:55:49 UTC
From the patch, which has been accepted upstream:

"Packets that arrive from real hardware devices have ip_summed ==
CHECKSUM_UNNECESSARY if the hardware verified the checksums, or
CHECKSUM_NONE if the packet is bad or it was unable to verify it. The
current version of veth will replace CHECKSUM_NONE with
CHECKSUM_UNNECESSARY, which causes corrupt packets routed from hardware to
a veth device to be delivered to the application."

Reproducible: Didn't try

Steps to Reproduce:
1. send data to container
2. inject broken packets
3. broken packets are received
Actual Results:  
broken packets are accepted on veth interface, TCP/IP check-summing does not work

Expected Results:  
broken packets should not be accepted on veth interface, TCP/IP check-summing should work

Unstable ~arch gentoo-sources-4.4* have this patch applied.
Backporting is an option.

Direct link to patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce8c839b74e3017996fad4e1b7ba2e2625ede82f
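
The failure mode described in this report, as an added user-space model in C (not code from the kernel, the upstream patch, or the reporter). `struct pkt`, `inet_csum`, `make_pkt`, `stack_delivers` and `veth_then_deliver` are hypothetical names, the sample segment is constructed, and the corrected behaviour is assumed to be leaving `ip_summed` as received.

```c
#include <stdint.h>
#include <string.h>

/* Same names as the ip_summed states quoted in the report. */
enum { CHECKSUM_NONE = 0, CHECKSUM_UNNECESSARY = 1 };

/* Hypothetical stand-in for an sk_buff: data[0..1] holds the checksum. */
struct pkt { int ip_summed; size_t len; uint8_t data[64]; };

/* RFC 1071 Internet checksum; 0 means the stored checksum matches. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)p[i] << 8 | p[i + 1];
    if (len & 1)                      /* odd trailing byte is zero-padded */
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)                 /* fold carries back in */
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Constructed sample segment, marked as "not verified by hardware". */
static struct pkt make_pkt(const char *payload)
{
    struct pkt p = { .ip_summed = CHECKSUM_NONE, .len = 2 + strlen(payload) };
    memcpy(p.data + 2, payload, p.len - 2);
    uint16_t c = inet_csum(p.data, p.len);   /* checksum field is still 0 */
    p.data[0] = c >> 8;
    p.data[1] = c & 0xff;
    return p;
}

/* Receiver: software verification is skipped for CHECKSUM_UNNECESSARY. */
static int stack_delivers(const struct pkt *p)
{
    return p->ip_summed == CHECKSUM_UNNECESSARY ||
           inet_csum(p->data, p->len) == 0;
}

/* Pass a segment over the modelled veth; returns 1 if the app receives it. */
int veth_then_deliver(int buggy, int corrupt)
{
    struct pkt p = make_pkt("GET /index.html");
    if (corrupt)
        p.data[5] ^= 0x20;            /* one payload byte damaged in transit */
    if (buggy && p.ip_summed == CHECKSUM_NONE)
        p.ip_summed = CHECKSUM_UNNECESSARY;   /* the reported rewrite */
    return stack_delivers(&p);
}
```

With `buggy` set, the damaged segment is delivered because the receiver never runs the software check; with it clear, the same segment is dropped while an intact one still gets through.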
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-03-25 22:47:01 UTC
Fix in 4.4