From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Alexander Potapenko <glider@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.11 17/28] ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
Date: Thu, 11 May 2017 16:12:34 +0200	[thread overview]
Message-ID: <20170511141222.194003024@linuxfoundation.org> (raw)
In-Reply-To: <20170511141221.109842231@linuxfoundation.org>

4.11-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexander Potapenko <glider@google.com>
[ Upstream commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2 ]

raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
from the userspace contains the IPv4/IPv6 header, so if too few bytes are
copied, parts of the header may remain uninitialized.

This bug has been detected with KMSAN.

For the record, the KMSAN report:

==================================================================
BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
inter: 0
CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x143/0x1b0 lib/dump_stack.c:52
 kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
 __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
 nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
 ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
 nf_hook_entry_hookfn ./include/linux/netfilter.h:102
 nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
 nf_hook ./include/linux/netfilter.h:212
 NF_HOOK ./include/linux/netfilter.h:255
 rawv6_send_hdrinc net/ipv6/raw.c:673
 rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
 SyS_sendto+0xbc/0xe0 net/socket.c:1664
 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
RIP: 0033:0x436e03
RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
origin: 00000000d9400053
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
 slab_alloc_node mm/slub.c:2735
 __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
 __kmalloc_reserve net/core/skbuff.c:138
 __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
 alloc_skb ./include/linux/skbuff.h:933
 alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
 sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
 sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
 rawv6_send_hdrinc net/ipv6/raw.c:638
 rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg net/socket.c:643
 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
 SyS_sendto+0xbc/0xe0 net/socket.c:1664
 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
==================================================================

, triggered by the following syscalls:
  socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
  sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM

A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
instead of a PF_INET6 one.

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/raw.c |    3 +++
 net/ipv6/raw.c |    2 ++
 2 files changed, 5 insertions(+)

--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -358,6 +358,9 @@ static int raw_send_hdrinc(struct sock *
 			       rt->dst.dev->mtu);
 		return -EMSGSIZE;
 	}
+	if (length < sizeof(struct iphdr))
+		return -EINVAL;
+
 	if (flags&MSG_PROBE)
 		goto out;
 
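Review bot: the new `length < sizeof(struct iphdr)` test sits before the `flags&MSG_PROBE` shortcut, so a probe send with an undersized buffer now returns -EINVAL where it previously jumped to `out` without examining the data; that is a defensible choice, but the commit message does not mention the behaviour change, so a sentence there would help. Also note the check only covers the 20-byte fixed header: an ihl larger than 5 still has to be validated against `length` once the header has been copied in, which this hunk does not show, so please confirm that later check is still reached.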
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -632,6 +632,8 @@ static int rawv6_send_hdrinc(struct sock
 		ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
 		return -EMSGSIZE;
 	}
+	if (length < sizeof(struct ipv6hdr))
+		return -EINVAL;
 	if (flags&MSG_PROBE)
 		goto out;
 
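Review bot: unlike the EMSGSIZE path immediately above, which reports through `ipv6_local_error()` before returning, the new `-EINVAL` return is silent; that is appropriate for a malformed argument and matches the ipv4 hunk, but a one-line comment saying why a full `struct ipv6hdr` must be present (its fields are read after the copy) would make the intent clear to the next reader. The ipv4 hunk also leaves a blank line between the new check and the MSG_PROBE test while this one does not; either is fine, but keep the two consistent.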

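As an added illustration, not part of the patch or the kernel's own code: a userspace C model of the check both hunks add, applying the size test before any header field is read, plus the post-copy ihl validation for IPv4, run over constructed sample buffers (the NULL/0 case mirrors the sendto call in the report). `hdrinc_validate`, the sample arrays and the ihl < 5 rejection are this example's own, and glibc's `struct ip6_hdr` stands in for the kernel's `struct ipv6hdr`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>   /* struct iphdr: the 20-byte fixed IPv4 header */
#include <netinet/ip6.h>  /* struct ip6_hdr: glibc's name for the 40-byte IPv6 header */

/* Validate a user-supplied IP_HDRINCL buffer of `length` bytes the way the
 * patched raw_send_hdrinc()/rawv6_send_hdrinc() do: the size test comes
 * first, so no header field is ever read from bytes userspace did not supply.
 * Returns 0 or a negative errno, as the kernel functions do. */
static int hdrinc_validate(int family, const uint8_t *buf, size_t length, size_t mtu)
{
    if (length > mtu)
        return -EMSGSIZE;               /* the EMSGSIZE path that precedes the new check */
    if (family == AF_INET) {
        struct iphdr iph;
        if (length < sizeof(struct iphdr))
            return -EINVAL;             /* the check the patch adds to net/ipv4/raw.c */
        memcpy(&iph, buf, sizeof(iph)); /* safe now: every fixed-header byte exists */
        /* Post-copy ihl-vs-length check as in the kernel; rejecting ihl < 5 is this example's addition. */
        if (iph.ihl < 5 || (size_t)iph.ihl * 4 > length)
            return -EINVAL;
        return 0;
    }
    if (family == AF_INET6) {
        if (length < sizeof(struct ip6_hdr))
            return -EINVAL;             /* the check the patch adds to net/ipv6/raw.c */
        return 0;
    }
    return -EAFNOSUPPORT;
}
/* Constructed sample buffers (not taken from the report). */
static const uint8_t v4_min[20]  = { 0x45, 0x00, 0x00, 0x14 }; /* ihl=5, 20 bytes */
static const uint8_t v4_opts[24] = { 0x46, 0x00, 0x00, 0x18 }; /* ihl=6, 24 bytes */
static const uint8_t v4_bad[20]  = { 0x46, 0x00, 0x00, 0x14 }; /* ihl=6 but only 20 bytes */
static const uint8_t v6_min[40]  = { 0x60 };                   /* version 6, 40 bytes */

int main(void)
{
    struct { int family; const uint8_t *buf; size_t len; } cases[] = {
        { AF_INET6, NULL, 0 },              /* the report's sendto(3, NULL, 0, ...) */
        { AF_INET, v4_min, sizeof v4_min }, { AF_INET, v4_opts, sizeof v4_opts },
        { AF_INET, v4_bad, sizeof v4_bad }, { AF_INET6, v6_min, sizeof v6_min },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: %d\n", i, hdrinc_validate(cases[i].family, cases[i].buf, cases[i].len, 1500));
    return 0;
}
```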