From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>,
<netdev@vger.kernel.org>
Subject: [PATCH 15/15] xfrm: fix a NULL-ptr deref in xfrm_local_error
Date: Fri, 29 May 2020 13:04:08 +0200 [thread overview]
Message-ID: <20200529110408.6349-16-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20200529110408.6349-1-steffen.klassert@secunet.com>
From: Xin Long <lucien.xin@gmail.com>
This patch is to fix a crash:
[ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ ] general protection fault: 0000 [#1] SMP KASAN PTI
[ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
[ ] Call Trace:
[ ] xfrm6_local_error+0x1eb/0x300
[ ] xfrm_local_error+0x95/0x130
[ ] __xfrm6_output+0x65f/0xb50
[ ] xfrm6_output+0x106/0x46f
[ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
[ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
[ ] vxlan_xmit+0x6a0/0x4276 [vxlan]
[ ] dev_hard_start_xmit+0x165/0x820
[ ] __dev_queue_xmit+0x1ff0/0x2b90
[ ] ip_finish_output2+0xd3e/0x1480
[ ] ip_do_fragment+0x182d/0x2210
[ ] ip_output+0x1d0/0x510
[ ] ip_send_skb+0x37/0xa0
[ ] raw_sendmsg+0x1b4c/0x2b80
[ ] sock_sendmsg+0xc0/0x110
This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
to get ipv6 info from a ipv4 sk.
This issue was actually fixed by Commit 628e341f319f ("xfrm: make local
error reporting more robust"), but brought back by Commit 844d48746e4b
("xfrm: choose protocol family by skb protocol").
So to fix it, we should call xfrm6_local_error() only when skb->protocol
is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.
Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
net/xfrm/xfrm_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c
index 69c33cab8f49..69c4900db817 100644
--- a/net/xfrm/xfrm_output.c
+++ b/net/xfrm/xfrm_output.c
@@ -642,7 +642,8 @@ void xfrm_local_error(struct sk_buff *skb, int mtu)
if (skb->protocol == htons(ETH_P_IP))
proto = AF_INET;
- else if (skb->protocol == htons(ETH_P_IPV6))
+ else if (skb->protocol == htons(ETH_P_IPV6) &&
+ skb->sk->sk_family == AF_INET6)
proto = AF_INET6;
else
return;
--
2.17.1
next prev parent reply other threads:[~2020-05-29 11:10 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-29 11:03 pull request (net): ipsec 2020-05-29 Steffen Klassert
2020-05-29 11:03 ` [PATCH 01/15] xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input Steffen Klassert
2020-05-29 11:03 ` [PATCH 02/15] xfrm: do pskb_pull properly in __xfrm_transport_prep Steffen Klassert
2020-05-29 11:03 ` [PATCH 03/15] esp6: get the right proto for transport mode in esp6_gso_encap Steffen Klassert
2020-05-29 11:03 ` [PATCH 04/15] xfrm: remove the xfrm_state_put call becofe going to out_reset Steffen Klassert
2020-05-29 11:03 ` [PATCH 05/15] xfrm: fix error in comment Steffen Klassert
2020-05-29 11:03 ` [PATCH 06/15] xfrm: espintcp: save and call old ->sk_destruct Steffen Klassert
2020-05-29 11:04 ` [PATCH 07/15] esp6: support ipv6 nexthdrs process for beet gso segment Steffen Klassert
2020-05-29 11:04 ` [PATCH 08/15] esp4: " Steffen Klassert
2020-05-29 11:04 ` [PATCH 09/15] xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output Steffen Klassert
2020-05-29 11:04 ` [PATCH 10/15] ip_vti: receive ipip packet by calling ip_tunnel_rcv Steffen Klassert
2020-05-29 11:04 ` [PATCH 11/15] xfrm interface: fix oops when deleting a x-netns interface Steffen Klassert
2020-05-29 11:04 ` [PATCH 12/15] esp6: calculate transport_header correctly when sel.family != AF_INET6 Steffen Klassert
2020-05-29 11:04 ` [PATCH 13/15] esp4: improve xfrm4_beet_gso_segment() to be more readable Steffen Klassert
2020-05-29 11:04 ` [PATCH 14/15] xfrm: fix a warning in xfrm_policy_insert_list Steffen Klassert
2020-05-29 11:04 ` Steffen Klassert [this message]
2020-05-29 20:06 ` pull request (net): ipsec 2020-05-29 David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200529110408.6349-16-steffen.klassert@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.