From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexander Potapenko <glider@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 53/60] ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
Date: Thu, 11 May 2017 16:13:16 +0200 [thread overview]
Message-ID: <20170511141239.325926117@linuxfoundation.org> (raw)
In-Reply-To: <20170511141237.094835992@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Potapenko <glider@google.com>
[ Upstream commit 86f4c90a1c5c1493f07f2d12c1079f5bf01936f2 ]
raw_send_hdrinc() and rawv6_send_hdrinc() expect that the buffer copied
from the userspace contains the IPv4/IPv6 header, so if too few bytes are
copied, parts of the header may remain uninitialized.
This bug has been detected with KMSAN.
For the record, the KMSAN report:
==================================================================
BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0
inter: 0
CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x143/0x1b0 lib/dump_stack.c:52
kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078
__kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510
nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577
ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68
nf_hook_entry_hookfn ./include/linux/netfilter.h:102
nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310
nf_hook ./include/linux/netfilter.h:212
NF_HOOK ./include/linux/netfilter.h:255
rawv6_send_hdrinc net/ipv6/raw.c:673
rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246
RIP: 0033:0x436e03
RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000
origin: 00000000d9400053
save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362
kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257
kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270
slab_alloc_node mm/slub.c:2735
__kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341
__kmalloc_reserve net/core/skbuff.c:138
__alloc_skb+0x2cd/0x740 net/core/skbuff.c:231
alloc_skb ./include/linux/skbuff.h:933
alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678
sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903
sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920
rawv6_send_hdrinc net/ipv6/raw.c:638
rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919
inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762
sock_sendmsg_nosec net/socket.c:633
sock_sendmsg net/socket.c:643
SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696
SyS_sendto+0xbc/0xe0 net/socket.c:1664
do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285
return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246
==================================================================
, triggered by the following syscalls:
socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3
sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM
A similar report is triggered in net/ipv4/raw.c if we use a PF_INET socket
instead of a PF_INET6 one.
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/raw.c | 3 +++
net/ipv6/raw.c | 2 ++
2 files changed, 5 insertions(+)
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -354,6 +354,9 @@ static int raw_send_hdrinc(struct sock *
rt->dst.dev->mtu);
return -EMSGSIZE;
}
+ if (length < sizeof(struct iphdr))
+ return -EINVAL;
+
if (flags&MSG_PROBE)
goto out;
--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -630,6 +630,8 @@ static int rawv6_send_hdrinc(struct sock
ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu);
return -EMSGSIZE;
}
+ if (length < sizeof(struct ipv6hdr))
+ return -EINVAL;
if (flags&MSG_PROBE)
goto out;
next prev parent reply other threads:[~2017-05-11 14:28 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-11 14:12 [PATCH 4.4 00/60] 4.4.68-stable review Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 01/60] 9p: fix a potential acl leak Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 02/60] ARM: 8452/3: PJ4: make coprocessor access sequences buildable in Thumb2 mode Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 03/60] cpupower: Fix turbo frequency reporting for pre-Sandy Bridge cores Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 04/60] powerpc/powernv: Fix opal_exit tracepoint opcode Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 05/60] power: supply: bq24190_charger: Fix irq trigger to IRQF_TRIGGER_FALLING Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 06/60] power: supply: bq24190_charger: Call set_mode_host() on pm_resume() Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 07/60] power: supply: bq24190_charger: Install irq_handler_thread() at end of probe() Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 08/60] power: supply: bq24190_charger: Call power_supply_changed() for relevant component Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 09/60] power: supply: bq24190_charger: Dont read fault register outside irq_handle_thread() Greg Kroah-Hartman
2017-05-11 14:12 ` Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 10/60] power: supply: bq24190_charger: Handle fault before status on interrupt Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 11/60] leds: ktd2692: avoid harmless maybe-uninitialized warning Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 12/60] ARM: OMAP5 / DRA7: Fix HYP mode boot for thumb2 build Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 13/60] mwifiex: debugfs: Fix (sometimes) off-by-1 SSID print Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 14/60] mwifiex: remove redundant dma padding in AMSDU Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 15/60] mwifiex: Avoid skipping WEP key deletion for AP Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 16/60] x86/ioapic: Restore IO-APIC irq_chip retrigger callback Greg Kroah-Hartman
2017-05-11 17:05 ` Ben Hutchings
2017-05-11 21:17 ` Thomas Gleixner
2017-05-12 9:42 ` Greg Kroah-Hartman
[not found] ` <20170511141237.094835992-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>
2017-05-11 14:12 ` [PATCH 4.4 17/60] x86/pci-calgary: Fix iommu_free() comparison of unsigned expression >= 0 Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 18/60] clk: Make x86/ conditional on CONFIG_COMMON_CLK Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 19/60] kprobes/x86: Fix kernel panic when certain exception-handling addresses are probed Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 20/60] x86/platform/intel-mid: Correct MSI IRQ line for watchdog device Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 24/60] usb: host: ehci-exynos: Decrese node refcount on exynos_ehci_get_phy() error paths Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 25/60] usb: host: ohci-exynos: " Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 26/60] usb: chipidea: Only read/write OTGSC from one place Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 27/60] usb: chipidea: Handle extcon events properly Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 28/60] USB: serial: keyspan_pda: fix receive sanity checks Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 29/60] USB: serial: digi_acceleport: fix incomplete rx sanity check Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 30/60] USB: serial: ssu100: fix control-message error handling Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 31/60] USB: serial: io_edgeport: fix epic-descriptor handling Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 32/60] USB: serial: ti_usb_3410_5052: fix control-message error handling Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 33/60] USB: serial: ark3116: fix open " Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 34/60] USB: serial: ftdi_sio: fix latency-timer " Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 35/60] USB: serial: quatech2: fix control-message " Greg Kroah-Hartman
2017-05-11 14:12 ` [PATCH 4.4 36/60] USB: serial: mct_u232: fix modem-status " Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 37/60] USB: serial: io_edgeport: fix descriptor " Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 38/60] USB: serial: sierra: fix bogus alternate-setting assumption Greg Kroah-Hartman
2017-05-12 11:26 ` Ben Hutchings
2017-05-12 12:14 ` Johan Hovold
2017-05-12 13:10 ` Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 39/60] phy: qcom-usb-hs: Add depends on EXTCON Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 40/60] serial: 8250_omap: Fix probe and remove for PM runtime Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 41/60] scsi: mac_scsi: Fix MAC_SCSI=m option when SCSI=m Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 42/60] scsi: scsi_dh_emc: return success in clariion_std_inquiry() Greg Kroah-Hartman
2017-05-12 11:36 ` Ben Hutchings
2017-05-12 13:12 ` Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 43/60] MIPS: R2-on-R6 MULTU/MADDU/MSUBU emulation bugfix Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 44/60] brcmfmac: Ensure pointer correctly set if skb data location changes Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 45/60] brcmfmac: Make skb header writable before use Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 46/60] staging: wlan-ng: add missing byte order conversion Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 47/60] staging: emxx_udc: remove incorrect __init annotations Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 48/60] ALSA: hda - Fix deadlock of controller device lock at unbinding Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 49/60] tcp: do not underestimate skb->truesize in tcp_trim_head() Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 50/60] bpf, arm64: fix jit branch offset related to ldimm64 Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 51/60] tcp: fix wraparound issue in tcp_lp Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 52/60] tcp: do not inherit fastopen_req from parent Greg Kroah-Hartman
2017-05-11 14:13 ` Greg Kroah-Hartman [this message]
2017-05-11 14:13 ` [PATCH 4.4 54/60] rtnetlink: NUL-terminate IFLA_PHYS_PORT_NAME string Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 55/60] ipv6: initialize route null entry in addrconf_init() Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 56/60] ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 57/60] bnxt_en: allocate enough space for ->ntp_fltr_bmap Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 58/60] f2fs: sanity check segment count Greg Kroah-Hartman
2017-05-11 14:13 ` [PATCH 4.4 60/60] block: get rid of blk_integrity_revalidate() Greg Kroah-Hartman
2017-05-11 21:03 ` [PATCH 4.4 00/60] 4.4.68-stable review Guenter Roeck
2017-05-12 15:54 ` Greg Kroah-Hartman
2017-05-12 15:26 ` Shuah Khan
2017-05-12 19:49 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170511141239.325926117@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=glider@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.