From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Martin Weinelt <martin@linuxlounge.net>,
Nikolay Aleksandrov <nikolay@cumulusnetworks.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.19 32/50] net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
Date: Fri, 26 Jul 2019 17:25:07 +0200 [thread overview]
Message-ID: <20190726152303.934713855@linuxfoundation.org> (raw)
In-Reply-To: <20190726152300.760439618@linuxfoundation.org>
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
[ Upstream commit e57f61858b7cf478ed6fa23ed4b3876b1c9625c4 ]
We take a pointer to grec prior to calling pskb_may_pull and use it
afterwards to get nsrcs so record nsrcs before the pull when handling
igmp3 and we get a pointer to nsrcs and call pskb_may_pull when handling
mld2 which again could lead to reading 2 bytes out-of-bounds.
==================================================================
BUG: KASAN: use-after-free in br_multicast_rcv+0x480c/0x4ad0 [bridge]
Read of size 2 at addr ffff8880421302b4 by task ksoftirqd/1/16
CPU: 1 PID: 16 Comm: ksoftirqd/1 Tainted: G OE 5.2.0-rc6+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
dump_stack+0x71/0xab
print_address_description+0x6a/0x280
? br_multicast_rcv+0x480c/0x4ad0 [bridge]
__kasan_report+0x152/0x1aa
? br_multicast_rcv+0x480c/0x4ad0 [bridge]
? br_multicast_rcv+0x480c/0x4ad0 [bridge]
kasan_report+0xe/0x20
br_multicast_rcv+0x480c/0x4ad0 [bridge]
? br_multicast_disable_port+0x150/0x150 [bridge]
? ktime_get_with_offset+0xb4/0x150
? __kasan_kmalloc.constprop.6+0xa6/0xf0
? __netif_receive_skb+0x1b0/0x1b0
? br_fdb_update+0x10e/0x6e0 [bridge]
? br_handle_frame_finish+0x3c6/0x11d0 [bridge]
br_handle_frame_finish+0x3c6/0x11d0 [bridge]
? br_pass_frame_up+0x3a0/0x3a0 [bridge]
? virtnet_probe+0x1c80/0x1c80 [virtio_net]
br_handle_frame+0x731/0xd90 [bridge]
? select_idle_sibling+0x25/0x7d0
? br_handle_frame_finish+0x11d0/0x11d0 [bridge]
__netif_receive_skb_core+0xced/0x2d70
? virtqueue_get_buf_ctx+0x230/0x1130 [virtio_ring]
? do_xdp_generic+0x20/0x20
? virtqueue_napi_complete+0x39/0x70 [virtio_net]
? virtnet_poll+0x94d/0xc78 [virtio_net]
? receive_buf+0x5120/0x5120 [virtio_net]
? __netif_receive_skb_one_core+0x97/0x1d0
__netif_receive_skb_one_core+0x97/0x1d0
? __netif_receive_skb_core+0x2d70/0x2d70
? _raw_write_trylock+0x100/0x100
? __queue_work+0x41e/0xbe0
process_backlog+0x19c/0x650
? _raw_read_lock_irq+0x40/0x40
net_rx_action+0x71e/0xbc0
? __switch_to_asm+0x40/0x70
? napi_complete_done+0x360/0x360
? __switch_to_asm+0x34/0x70
? __switch_to_asm+0x40/0x70
? __schedule+0x85e/0x14d0
__do_softirq+0x1db/0x5f9
? takeover_tasklets+0x5f0/0x5f0
run_ksoftirqd+0x26/0x40
smpboot_thread_fn+0x443/0x680
? sort_range+0x20/0x20
? schedule+0x94/0x210
? __kthread_parkme+0x78/0xf0
? sort_range+0x20/0x20
kthread+0x2ae/0x3a0
? kthread_create_worker_on_cpu+0xc0/0xc0
ret_from_fork+0x35/0x40
The buggy address belongs to the page:
page:ffffea0001084c00 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0xffffc000000000()
raw: 00ffffc000000000 ffffea0000cfca08 ffffea0001098608 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888042130180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888042130200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888042130280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888042130300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888042130380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Disabling lock debugging due to kernel taint
Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave")
Reported-by: Martin Weinelt <martin@linuxlounge.net>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Tested-by: Martin Weinelt <martin@linuxlounge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bridge/br_multicast.c | 27 ++++++++++++++++-----------
1 file changed, 16 insertions(+), 11 deletions(-)
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -1147,6 +1147,7 @@ static int br_ip4_multicast_igmp3_report
int type;
int err = 0;
__be32 group;
+ u16 nsrcs;
ih = igmpv3_report_hdr(skb);
num = ntohs(ih->ngrec);
@@ -1160,8 +1161,9 @@ static int br_ip4_multicast_igmp3_report
grec = (void *)(skb->data + len - sizeof(*grec));
group = grec->grec_mca;
type = grec->grec_type;
+ nsrcs = ntohs(grec->grec_nsrcs);
- len += ntohs(grec->grec_nsrcs) * 4;
+ len += nsrcs * 4;
if (!pskb_may_pull(skb, len))
return -EINVAL;
@@ -1182,7 +1184,7 @@ static int br_ip4_multicast_igmp3_report
src = eth_hdr(skb)->h_source;
if ((type == IGMPV3_CHANGE_TO_INCLUDE ||
type == IGMPV3_MODE_IS_INCLUDE) &&
- ntohs(grec->grec_nsrcs) == 0) {
+ nsrcs == 0) {
br_ip4_multicast_leave_group(br, port, group, vid, src);
} else {
err = br_ip4_multicast_add_group(br, port, group, vid,
@@ -1217,23 +1219,26 @@ static int br_ip6_multicast_mld2_report(
len = skb_transport_offset(skb) + sizeof(*icmp6h);
for (i = 0; i < num; i++) {
- __be16 *nsrcs, _nsrcs;
+ __be16 *_nsrcs, __nsrcs;
+ u16 nsrcs;
- nsrcs = skb_header_pointer(skb,
- len + offsetof(struct mld2_grec,
- grec_nsrcs),
- sizeof(_nsrcs), &_nsrcs);
- if (!nsrcs)
+ _nsrcs = skb_header_pointer(skb,
+ len + offsetof(struct mld2_grec,
+ grec_nsrcs),
+ sizeof(__nsrcs), &__nsrcs);
+ if (!_nsrcs)
return -EINVAL;
+ nsrcs = ntohs(*_nsrcs);
+
if (!pskb_may_pull(skb,
len + sizeof(*grec) +
- sizeof(struct in6_addr) * ntohs(*nsrcs)))
+ sizeof(struct in6_addr) * nsrcs))
return -EINVAL;
grec = (struct mld2_grec *)(skb->data + len);
len += sizeof(*grec) +
- sizeof(struct in6_addr) * ntohs(*nsrcs);
+ sizeof(struct in6_addr) * nsrcs;
/* We treat these as MLDv1 reports for now. */
switch (grec->grec_type) {
@@ -1252,7 +1257,7 @@ static int br_ip6_multicast_mld2_report(
src = eth_hdr(skb)->h_source;
if ((grec->grec_type == MLD2_CHANGE_TO_INCLUDE ||
grec->grec_type == MLD2_MODE_IS_INCLUDE) &&
- ntohs(*nsrcs) == 0) {
+ nsrcs == 0) {
br_ip6_multicast_leave_group(br, port, &grec->grec_mca,
vid, src);
} else {
next prev parent reply other threads:[~2019-07-26 15:34 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-26 15:24 [PATCH 4.19 00/50] 4.19.62-stable review Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 01/50] bnx2x: Prevent load reordering in tx completion processing Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 02/50] caif-hsi: fix possible deadlock in cfhsi_exit_module() Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 03/50] hv_netvsc: Fix extra rcu_read_unlock in netvsc_recv_callback() Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 04/50] igmp: fix memory leak in igmpv3_del_delrec() Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 05/50] ipv4: dont set IPv6 only flags to IPv4 addresses Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 06/50] ipv6: rt6_check should return NULL if from is NULL Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 07/50] ipv6: Unlink sibling route in case of failure Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 08/50] net: bcmgenet: use promisc for unsupported filters Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 09/50] net: dsa: mv88e6xxx: wait after reset deactivation Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 10/50] net: make skb_dst_force return true when dst is refcounted Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 11/50] net: neigh: fix multiple neigh timer scheduling Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 12/50] net: openvswitch: fix csum updates for MPLS actions Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 13/50] net: phy: sfp: hwmon: Fix scaling of RX power Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 14/50] net: stmmac: Re-work the queue selection for TSO packets Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 15/50] nfc: fix potential illegal memory access Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 16/50] r8169: fix issue with confused RX unit after PHY power-down on RTL8411b Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 17/50] rxrpc: Fix send on a connected, but unbound socket Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 18/50] sctp: fix error handling on stream scheduler initialization Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 19/50] sky2: Disable MSI on ASUS P6T Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 20/50] tcp: be more careful in tcp_fragment() Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 21/50] tcp: fix tcp_set_congestion_control() use from bpf hook Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 22/50] tcp: Reset bytes_acked and bytes_received when disconnecting Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 23/50] vrf: make sure skb->data contains ip header to make routing Greg Kroah-Hartman
2019-07-26 15:24 ` [PATCH 4.19 24/50] net/mlx5e: IPoIB, Add error path in mlx5_rdma_setup_rn Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 25/50] macsec: fix use-after-free of skb during RX Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 26/50] macsec: fix checksumming after decryption Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 27/50] netrom: fix a memory leak in nr_rx_frame() Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 28/50] netrom: hold sock when setting skb->destructor Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 29/50] net_sched: unset TCQ_F_CAN_BYPASS when adding filters Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 30/50] net/tls: make sure offload also gets the keys wiped Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 31/50] sctp: not bind the socket in sctp_connect Greg Kroah-Hartman
2019-07-26 15:25 ` Greg Kroah-Hartman [this message]
2019-07-26 15:25 ` [PATCH 4.19 33/50] net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 34/50] net: bridge: dont cache ether dest pointer on input Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 35/50] net: bridge: stp: dont cache eth dest pointer before skb pull Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 36/50] dma-buf: balance refcount inbalance Greg Kroah-Hartman
2019-07-26 15:25 ` Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 37/50] dma-buf: Discard old fence_excl on retrying get_fences_rcu for realloc Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 38/50] gpio: davinci: silence error prints in case of EPROBE_DEFER Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 39/50] MIPS: lb60: Fix pin mappings Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 40/50] perf/core: Fix exclusive events grouping Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 41/50] perf/core: Fix race between close() and fork() Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 42/50] ext4: dont allow any modifications to an immutable file Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 43/50] ext4: enforce the immutable flag on open files Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 44/50] mm: add filemap_fdatawait_range_keep_errors() Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 45/50] jbd2: introduce jbd2_inode dirty range scoping Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 46/50] ext4: use " Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 47/50] ext4: allow directory holes Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 48/50] KVM: nVMX: do not use dangling shadow VMCS after guest reset Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 49/50] KVM: nVMX: Clear pending KVM_REQ_GET_VMCS12_PAGES when leaving nested Greg Kroah-Hartman
2019-07-26 15:25 ` [PATCH 4.19 50/50] mm: vmscan: scan anonymous pages on file refaults Greg Kroah-Hartman
2019-07-27 2:14 ` [PATCH 4.19 00/50] 4.19.62-stable review kernelci.org bot
2019-07-27 2:35 ` shuah
2019-07-27 4:40 ` Naresh Kamboju
2019-07-27 16:06 ` Guenter Roeck
2019-07-29 9:02 ` Jon Hunter
2019-07-29 9:02 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190726152303.934713855@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=martin@linuxlounge.net \
--cc=nikolay@cumulusnetworks.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.