[PATCH 4.4 15/47] net: validate lwtstate->data before returning from skb_tunnel_info()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.4 15/47] net: validate lwtstate->data before returning from skb_tunnel_info()
Date: Mon, 26 Jul 2021 17:38:33 +0200	[thread overview]
Message-ID: <20210726153823.463007647@linuxfoundation.org> (raw)
In-Reply-To: <20210726153822.980271128@linuxfoundation.org>

From: Taehee Yoo <ap420073@gmail.com>

commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream.

skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info
type without validation. lwtstate->data can have various types such as
mpls_iptunnel_encap, etc and these are not compatible.
So skb_tunnel_info() should validate before returning that pointer.

Splat looks like:
BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
Read of size 2 at addr ffff888106ec2698 by task ping/811

CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195
Call Trace:
 dump_stack_lvl+0x56/0x7b
 print_address_description.constprop.8.cold.13+0x13/0x2ee
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 kasan_report.cold.14+0x83/0xdf
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 vxlan_get_route+0x418/0x4b0 [vxlan]
 [ ... ]
 vxlan_xmit_one+0x148b/0x32b0 [vxlan]
 [ ... ]
 vxlan_xmit+0x25c5/0x4780 [vxlan]
 [ ... ]
 dev_hard_start_xmit+0x1ae/0x6e0
 __dev_queue_xmit+0x1f39/0x31a0
 [ ... ]
 neigh_xmit+0x2f9/0x940
 mpls_xmit+0x911/0x1600 [mpls_iptunnel]
 lwtunnel_xmit+0x18f/0x450
 ip_finish_output2+0x867/0x2040
 [ ... ]

Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/dst_metadata.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/include/net/dst_metadata.h
+++ b/include/net/dst_metadata.h
@@ -31,7 +31,9 @@ static inline struct ip_tunnel_info *skb
 		return &md_dst->u.tun_info;
 
 	dst = skb_dst(skb);
-	if (dst && dst->lwtstate)
+	if (dst && dst->lwtstate &&
+	    (dst->lwtstate->type == LWTUNNEL_ENCAP_IP ||
+	     dst->lwtstate->type == LWTUNNEL_ENCAP_IP6))
 		return lwt_tun_info(dst->lwtstate);
 
 	return NULL;

next prev parent reply	other threads:[~2021-07-26 15:40 UTC|newest]

Thread overview: 51+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-26 15:38 [PATCH 4.4 00/47] 4.4.277-rc1 review Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 01/47] ARM: brcmstb: dts: fix NAND nodes names Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 02/47] ARM: dts: BCM63xx: Fix " Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 03/47] ARM: dts: imx6: phyFLEX: Fix UART hardware flow control Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 04/47] ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 05/47] thermal/core: Correct function name thermal_zone_device_unregister() Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 06/47] kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 07/47] scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 08/47] sched/fair: Fix CFS bandwidth hrtimer expiry type Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 09/47] Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure" Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 10/47] x86/fpu: Make init_fpstate correct with optimized XSAVE Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 11/47] net: ipv6: fix return value of ip6_skb_dst_mtu Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 12/47] net: bcmgenet: Ensure all TX/RX queues DMAs are disabled Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 13/47] net: moxa: fix UAF in moxart_mac_probe Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 14/47] net: ti: fix UAF in tlan_remove_one Greg Kroah-Hartman
2021-07-26 15:38 ` Greg Kroah-Hartman [this message]
2021-07-26 15:38 ` [PATCH 4.4 16/47] tcp: annotate data races around tp->mtu_info Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 17/47] ipv6: tcp: drop silly ICMPv6 packet too big messages Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 18/47] iavf: Fix an error handling path in iavf_probe() Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 19/47] igb: Check if num of q_vectors is smaller than max before array access Greg Kroah-Hartman
2021-07-26 21:57   ` Pavel Machek
2021-07-26 15:38 ` [PATCH 4.4 20/47] perf test session_topology: Delete session->evlist Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 21/47] perf test bpf: Free obj_buf Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 22/47] perf probe-file: Delete namelist in del_events() on the error path Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 23/47] s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 24/47] net: fix uninit-value in caif_seqpkt_sendmsg Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 25/47] net: decnet: Fix sleeping inside in af_decnet Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 26/47] netrom: Decrease sock refcount when sock timers expire Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 27/47] scsi: iscsi: Fix iface sysfs attr detection Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 28/47] scsi: target: Fix protect handling in WRITE SAME(32) Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 29/47] Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 30/47] proc: Avoid mixing integer types in mem_rw() Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 31/47] s390/ftrace: fix ftrace_update_ftrace_func implementation Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 32/47] ALSA: sb: Fix potential ABBA deadlock in CSP driver Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 33/47] xhci: Fix lost USB 2 remote wake Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 34/47] KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 35/47] usb: hub: Disable USB 3 device initiated lpm if exit latency is too high Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 36/47] USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 37/47] usb: max-3421: Prevent corruption of freed memory Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 38/47] usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 39/47] USB: serial: option: add support for u-blox LARA-R6 family Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 40/47] USB: serial: cp210x: fix comments for GE CS1000 Greg Kroah-Hartman
2021-07-26 15:38 ` [PATCH 4.4 41/47] USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 42/47] tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 43/47] media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 44/47] net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 45/47] iio: accel: bma180: Use explicit member assignment Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 46/47] iio: accel: bma180: Fix BMA25x bandwidth register values Greg Kroah-Hartman
2021-07-26 15:39 ` [PATCH 4.4 47/47] btrfs: compression: dont try to compress if we dont have enough pages Greg Kroah-Hartman
2021-07-27  0:37 ` [PATCH 4.4 00/47] 4.4.277-rc1 review Shuah Khan
2021-07-27  3:49 ` Naresh Kamboju

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210726153823.463007647@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ap420073@gmail.com \
    --cc=davem@davemloft.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.