From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Lebrun <dlebrun@google.com>,
Mathieu Xhonneux <m.xhonneux@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 30/41] ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline
Date: Sat, 9 Jun 2018 17:30:02 +0200 [thread overview]
Message-ID: <20180609152928.070917073@linuxfoundation.org> (raw)
In-Reply-To: <20180609152926.389750182@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mathieu Xhonneux <m.xhonneux@gmail.com>
[ Upstream commit bbb40a0b75209734ff9286f3326171638c9f6569 ]
seg6_do_srh_encap and seg6_do_srh_inline can possibly do an
out-of-bounds access when adding the SRH to the packet. This no longer
happen when expanding the skb not only by the size of the SRH (+
outer IPv6 header), but also by skb->mac_len.
[ 53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620
[ 53.794564] Write of size 14 at addr ffff88011975ecfa by task ping/674
[ 53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90
[ 53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.11.0-20171110_100015-anatol 04/01/2014
[ 53.796673] Call Trace:
[ 53.796679] <IRQ>
[ 53.796689] dump_stack+0x71/0xab
[ 53.796700] print_address_description+0x6a/0x270
[ 53.796707] kasan_report+0x258/0x380
[ 53.796715] ? seg6_do_srh_encap+0x284/0x620
[ 53.796722] memmove+0x34/0x50
[ 53.796730] seg6_do_srh_encap+0x284/0x620
[ 53.796741] ? seg6_do_srh+0x29b/0x360
[ 53.796747] seg6_do_srh+0x29b/0x360
[ 53.796756] seg6_input+0x2e/0x2e0
[ 53.796765] lwtunnel_input+0x93/0xd0
[ 53.796774] ipv6_rcv+0x690/0x920
[ 53.796783] ? ip6_input+0x170/0x170
[ 53.796791] ? eth_gro_receive+0x2d0/0x2d0
[ 53.796800] ? ip6_input+0x170/0x170
[ 53.796809] __netif_receive_skb_core+0xcc0/0x13f0
[ 53.796820] ? netdev_info+0x110/0x110
[ 53.796827] ? napi_complete_done+0xb6/0x170
[ 53.796834] ? e1000_clean+0x6da/0xf70
[ 53.796845] ? process_backlog+0x129/0x2a0
[ 53.796853] process_backlog+0x129/0x2a0
[ 53.796862] net_rx_action+0x211/0x5c0
[ 53.796870] ? napi_complete_done+0x170/0x170
[ 53.796887] ? run_rebalance_domains+0x11f/0x150
[ 53.796891] __do_softirq+0x10e/0x39e
[ 53.796894] do_softirq_own_stack+0x2a/0x40
[ 53.796895] </IRQ>
[ 53.796898] do_softirq.part.16+0x54/0x60
[ 53.796900] __local_bh_enable_ip+0x5b/0x60
[ 53.796903] ip6_finish_output2+0x416/0x9f0
[ 53.796906] ? ip6_dst_lookup_flow+0x110/0x110
[ 53.796909] ? ip6_sk_dst_lookup_flow+0x390/0x390
[ 53.796911] ? __rcu_read_unlock+0x66/0x80
[ 53.796913] ? ip6_mtu+0x44/0xf0
[ 53.796916] ? ip6_output+0xfc/0x220
[ 53.796918] ip6_output+0xfc/0x220
[ 53.796921] ? ip6_finish_output+0x2b0/0x2b0
[ 53.796923] ? memcpy+0x34/0x50
[ 53.796926] ip6_send_skb+0x43/0xc0
[ 53.796929] rawv6_sendmsg+0x1216/0x1530
[ 53.796932] ? __orc_find+0x6b/0xc0
[ 53.796934] ? rawv6_rcv_skb+0x160/0x160
[ 53.796937] ? __rcu_read_unlock+0x66/0x80
[ 53.796939] ? __rcu_read_unlock+0x66/0x80
[ 53.796942] ? is_bpf_text_address+0x1e/0x30
[ 53.796944] ? kernel_text_address+0xec/0x100
[ 53.796946] ? __kernel_text_address+0xe/0x30
[ 53.796948] ? unwind_get_return_address+0x2f/0x50
[ 53.796950] ? __save_stack_trace+0x92/0x100
[ 53.796954] ? save_stack+0x89/0xb0
[ 53.796956] ? kasan_kmalloc+0xa0/0xd0
[ 53.796958] ? kmem_cache_alloc+0xd2/0x1f0
[ 53.796961] ? prepare_creds+0x23/0x160
[ 53.796963] ? __x64_sys_capset+0x252/0x3e0
[ 53.796966] ? do_syscall_64+0x69/0x160
[ 53.796968] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.796971] ? __alloc_pages_nodemask+0x170/0x380
[ 53.796973] ? __alloc_pages_slowpath+0x12c0/0x12c0
[ 53.796977] ? tty_vhangup+0x20/0x20
[ 53.796979] ? policy_nodemask+0x1a/0x90
[ 53.796982] ? __mod_node_page_state+0x8d/0xa0
[ 53.796986] ? __check_object_size+0xe7/0x240
[ 53.796989] ? __sys_sendto+0x229/0x290
[ 53.796991] ? rawv6_rcv_skb+0x160/0x160
[ 53.796993] __sys_sendto+0x229/0x290
[ 53.796996] ? __ia32_sys_getpeername+0x50/0x50
[ 53.796999] ? commit_creds+0x2de/0x520
[ 53.797002] ? security_capset+0x57/0x70
[ 53.797004] ? __x64_sys_capset+0x29f/0x3e0
[ 53.797007] ? __x64_sys_rt_sigsuspend+0xe0/0xe0
[ 53.797011] ? __do_page_fault+0x664/0x770
[ 53.797014] __x64_sys_sendto+0x74/0x90
[ 53.797017] do_syscall_64+0x69/0x160
[ 53.797019] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.797022] RIP: 0033:0x7f43b7a6714a
[ 53.797023] RSP: 002b:00007ffd891bd368 EFLAGS: 00000246 ORIG_RAX:
000000000000002c
[ 53.797026] RAX: ffffffffffffffda RBX: 00000000006129c0 RCX: 00007f43b7a6714a
[ 53.797028] RDX: 0000000000000040 RSI: 00000000006129c0 RDI: 0000000000000004
[ 53.797029] RBP: 00007ffd891be640 R08: 0000000000610940 R09: 000000000000001c
[ 53.797030] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
[ 53.797032] R13: 000000000060e6a0 R14: 0000000000008004 R15: 000000000040b661
[ 53.797171] Allocated by task 642:
[ 53.797460] kasan_kmalloc+0xa0/0xd0
[ 53.797463] kmem_cache_alloc+0xd2/0x1f0
[ 53.797465] getname_flags+0x40/0x210
[ 53.797467] user_path_at_empty+0x1d/0x40
[ 53.797469] do_faccessat+0x12a/0x320
[ 53.797471] do_syscall_64+0x69/0x160
[ 53.797473] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.797607] Freed by task 642:
[ 53.797869] __kasan_slab_free+0x130/0x180
[ 53.797871] kmem_cache_free+0xa8/0x230
[ 53.797872] filename_lookup+0x15b/0x230
[ 53.797874] do_faccessat+0x12a/0x320
[ 53.797876] do_syscall_64+0x69/0x160
[ 53.797878] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.798014] The buggy address belongs to the object at ffff88011975e600
which belongs to the cache names_cache of size 4096
[ 53.799043] The buggy address is located 1786 bytes inside of
4096-byte region [ffff88011975e600, ffff88011975f600)
[ 53.800013] The buggy address belongs to the page:
[ 53.800414] page:ffffea000465d600 count:1 mapcount:0
mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 53.801259] flags: 0x17fff0000008100(slab|head)
[ 53.801640] raw: 017fff0000008100 0000000000000000 0000000000000000
0000000100070007
[ 53.803147] raw: dead000000000100 dead000000000200 ffff88011b185a40
0000000000000000
[ 53.803787] page dumped because: kasan: bad access detected
[ 53.804384] Memory state around the buggy address:
[ 53.804788] ffff88011975eb80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 53.805384] ffff88011975ec00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 53.805979] >ffff88011975ec80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 53.806577] ^
[ 53.807165] ffff88011975ed00: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 53.807762] ffff88011975ed80: fb fb fb fb fb fb fb fb fb fb fb fb
fb fb fb fb
[ 53.808356] ==================================================================
[ 53.808949] Disabling lock debugging due to kernel taint
Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/seg6_iptunnel.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/seg6_iptunnel.c
+++ b/net/ipv6/seg6_iptunnel.c
@@ -103,7 +103,7 @@ int seg6_do_srh_encap(struct sk_buff *sk
hdrlen = (osrh->hdrlen + 1) << 3;
tot_len = hdrlen + sizeof(*hdr);
- err = skb_cow_head(skb, tot_len);
+ err = skb_cow_head(skb, tot_len + skb->mac_len);
if (unlikely(err))
return err;
@@ -161,7 +161,7 @@ int seg6_do_srh_inline(struct sk_buff *s
hdrlen = (osrh->hdrlen + 1) << 3;
- err = skb_cow_head(skb, hdrlen);
+ err = skb_cow_head(skb, hdrlen + skb->mac_len);
if (unlikely(err))
return err;
next prev parent reply other threads:[~2018-06-09 15:36 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-09 15:29 [PATCH 4.14 00/41] 4.14.49-stable review Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 01/41] scsi: sd_zbc: Fix potential memory leak Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 02/41] scsi: sd_zbc: Avoid that resetting a zone fails sporadically Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 03/41] mmap: introduce sane default mmap limits Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 04/41] mmap: relax file size limit for regular files Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 05/41] btrfs: define SUPER_FLAG_METADUMP_V2 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 07/41] be2net: Fix error detection logic for BE3 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 08/41] bnx2x: use the right constant Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 09/41] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect() Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 10/41] enic: set DMA mask to 47 bit Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 11/41] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 12/41] ip6_tunnel: remove magic mtu value 0xFFF8 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 13/41] ipmr: properly check rhltable_init() return value Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 14/41] ipv4: remove warning in ip_recv_error Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 15/41] ipv6: omit traffic class when calculating flow hash Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 16/41] isdn: eicon: fix a missing-check bug Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 17/41] kcm: Fix use-after-free caused by clonned sockets Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 18/41] netdev-FAQ: clarify DaveMs position for stable backports Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 19/41] net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 20/41] net: metrics: add proper netlink validation Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 21/41] net/packet: refine check for priv area size Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 22/41] net: phy: broadcom: Fix bcm_write_exp() Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 24/41] packet: fix reserve calculation Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 25/41] qed: Fix mask for physical address in ILT entry Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 26/41] sctp: not allow transport timeout value less than HZ/5 for hb_timer Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 27/41] team: use netdev_features_t instead of u32 Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 28/41] vhost: synchronize IOTLB message with dev cleanup Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 29/41] vrf: check the original netdevice for generating redirect Greg Kroah-Hartman
2018-06-09 15:30 ` Greg Kroah-Hartman [this message]
2018-06-09 15:30 ` [PATCH 4.14 31/41] net: phy: broadcom: Fix auxiliary control register reads Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 32/41] net-sysfs: Fix memory leak in XPS configuration Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 33/41] virtio-net: correctly transmit XDP buff after linearizing Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 34/41] net/mlx4: Fix irq-unsafe spinlock usage Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 35/41] tun: Fix NULL pointer dereference in XDP redirect Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 36/41] virtio-net: correctly check num_buf during err path Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 37/41] net/mlx5e: When RXFCS is set, add FCS data into checksum calculation Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 38/41] virtio-net: fix leaking page for gso packet during mergeable XDP Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 39/41] rtnetlink: validate attributes in do_setlink() Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 40/41] cls_flower: Fix incorrect idr release when failing to modify rule Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 41/41] PCI: hv: Do not wait forever on a device that has disappeared Greg Kroah-Hartman
2018-06-10 9:06 ` [PATCH 4.14 00/41] 4.14.49-stable review Naresh Kamboju
2018-06-10 15:13 ` Guenter Roeck
2018-06-11 19:36 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180609152928.070917073@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dlebrun@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=m.xhonneux@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.