From: Shigeru Yoshida <syoshida@redhat.com>
To: Kuniyuki Iwashima <kuniyu@google.com>
Cc: "David S. Miller" <davem@davemloft.net>,
	 David Ahern <dsahern@kernel.org>,
	 Eric Dumazet <edumazet@google.com>,
	 Jakub Kicinski <kuba@kernel.org>,
	 Paolo Abeni <pabeni@redhat.com>,
	 Simon Horman <horms@kernel.org>,
	 Kuniyuki Iwashima <kuni1840@gmail.com>,
	netdev@vger.kernel.org,
	syzbot+707d6a5da1ab9e0c6f9d@syzkaller.appspotmail.com
Subject: Re: [PATCH v1 net] ipv6: Fix out-of-bound access in fib6_add_rt2node().
Date: Thu, 12 Feb 2026 18:27:38 +0900	[thread overview]
Message-ID: <87ecmqs451.fsf@redhat.com> (raw)
In-Reply-To: <20260211175133.3657034-1-kuniyu@google.com> (Kuniyuki Iwashima's message of "Wed, 11 Feb 2026 17:50:21 +0000")

Kuniyuki Iwashima <kuniyu@google.com> writes:

> syzbot reported out-of-bound read in fib6_add_rt2node(). [0]
>
> When IPv6 route is created with RTA_NH_ID, struct fib6_info
> does not have the trailing struct fib6_nh.
>
> The cited commit started to check !iter->fib6_nh->fib_nh_gw_family
> to ensure that rt6_qualify_for_ecmp() will return false for iter.
>
> If iter->nh is not NULL, rt6_qualify_for_ecmp() returns false anyway.
>
> Let's check iter->nh before reading iter->fib6_nh and avoid OOB read.
>
> [0]:
> BUG: KASAN: slab-out-of-bounds in fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
> Read of size 1 at addr ffff8880384ba6de by task syz.0.18/5500
>
> CPU: 0 UID: 0 PID: 5500 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Call Trace:
>  <TASK>
>  dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0xba/0x230 mm/kasan/report.c:482
>  kasan_report+0x117/0x150 mm/kasan/report.c:595
>  fib6_add_rt2node+0x349c/0x3500 net/ipv6/ip6_fib.c:1142
>  fib6_add_rt2node_nh net/ipv6/ip6_fib.c:1363 [inline]
>  fib6_add+0x910/0x18c0 net/ipv6/ip6_fib.c:1531
>  __ip6_ins_rt net/ipv6/route.c:1351 [inline]
>  ip6_route_add+0xde/0x1b0 net/ipv6/route.c:3957
>  inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
>  rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
>  netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
>  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>  netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
>  netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
>  sock_sendmsg_nosec net/socket.c:727 [inline]
>  __sock_sendmsg net/socket.c:742 [inline]
>  ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
>  ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
>  __sys_sendmsg net/socket.c:2678 [inline]
>  __do_sys_sendmsg net/socket.c:2683 [inline]
>  __se_sys_sendmsg net/socket.c:2681 [inline]
>  __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f9316b9aeb9
> Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd8809b678 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
> RAX: ffffffffffffffda RBX: 00007f9316e15fa0 RCX: 00007f9316b9aeb9
> RDX: 0000000000000000 RSI: 0000200000004380 RDI: 0000000000000003
> RBP: 00007f9316c08c1f R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 00007f9316e15fac R14: 00007f9316e15fa0 R15: 00007f9316e15fa0
>  </TASK>
>
> Allocated by task 5499:
>  kasan_save_stack mm/kasan/common.c:57 [inline]
>  kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
>  poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
>  __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
>  kasan_kmalloc include/linux/kasan.h:263 [inline]
>  __do_kmalloc_node mm/slub.c:5657 [inline]
>  __kmalloc_noprof+0x40c/0x7e0 mm/slub.c:5669
>  kmalloc_noprof include/linux/slab.h:961 [inline]
>  kzalloc_noprof include/linux/slab.h:1094 [inline]
>  fib6_info_alloc+0x30/0xf0 net/ipv6/ip6_fib.c:155
>  ip6_route_info_create+0x142/0x860 net/ipv6/route.c:3820
>  ip6_route_add+0x49/0x1b0 net/ipv6/route.c:3949
>  inet6_rtm_newroute+0x268/0x19e0 net/ipv6/route.c:5660
>  rtnetlink_rcv_msg+0x7d5/0xbe0 net/core/rtnetlink.c:6958
>  netlink_rcv_skb+0x232/0x4b0 net/netlink/af_netlink.c:2550
>  netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
>  netlink_unicast+0x80f/0x9b0 net/netlink/af_netlink.c:1344
>  netlink_sendmsg+0x813/0xb40 net/netlink/af_netlink.c:1894
>  sock_sendmsg_nosec net/socket.c:727 [inline]
>  __sock_sendmsg net/socket.c:742 [inline]
>  ____sys_sendmsg+0xa68/0xad0 net/socket.c:2592
>  ___sys_sendmsg+0x2a5/0x360 net/socket.c:2646
>  __sys_sendmsg net/socket.c:2678 [inline]
>  __do_sys_sendmsg net/socket.c:2683 [inline]
>  __se_sys_sendmsg net/socket.c:2681 [inline]
>  __x64_sys_sendmsg+0x1bd/0x2a0 net/socket.c:2681
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Fixes: bbf4a17ad9ff ("ipv6: Fix ECMP sibling count mismatch when clearing RTF_ADDRCONF")
> Reported-by: syzbot+707d6a5da1ab9e0c6f9d@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/698cbfba.050a0220.2eeac1.009d.GAE@google.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
> ---
>  net/ipv6/ip6_fib.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Thank you for catching this.

Reviewed-by: Shigeru Yoshida <syoshida@redhat.com>
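The quoted commit message describes an ordering bug: a fib6_info created with RTA_NH_ID carries a nexthop object and no trailing struct fib6_nh, so any check that dereferences iter->fib6_nh before testing iter->nh reads past the allocation. The following C model, written for this page and not taken from the kernel or from the patch, shows the two access orders side by side. It assumes simplified stand-in structures (struct nexthop, struct fib6_nh, struct fib6_info with a model-only alloc_size field), a constructed allocator fib6_info_alloc_model(), a bounds helper gw_family_read_in_bounds() that stands in for KASAN, and the hypothetical predicates ecmp_disqualified_unchecked() and ecmp_disqualified_checked(); the kernel's real definitions differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for the kernel structures (model only, not the kernel's definitions). */
struct nexthop { unsigned int id; };

struct fib6_nh {
	unsigned char fib_nh_gw_family;   /* non-zero when the nexthop has a gateway */
};

struct fib6_info {
	unsigned int fib6_flags;
	struct nexthop *nh;               /* non-NULL for routes created with RTA_NH_ID */
	size_t alloc_size;                /* model-only: lets us emulate a KASAN bounds check */
	struct fib6_nh fib6_nh[];         /* trailing storage; absent when nh != NULL */
};

/* Model of the allocation choice: a route bound to a nexthop object gets no trailing fib6_nh. */
static struct fib6_info *fib6_info_alloc_model(struct nexthop *nh, unsigned char gw_family)
{
	size_t sz = sizeof(struct fib6_info) + (nh ? 0 : sizeof(struct fib6_nh));
	struct fib6_info *f6i = calloc(1, sz);

	if (!f6i)
		return NULL;
	f6i->nh = nh;
	f6i->alloc_size = sz;
	if (!nh)
		f6i->fib6_nh[0].fib_nh_gw_family = gw_family;
	return f6i;
}

/* Emulated KASAN: the read is in bounds only if the trailing struct fits in the allocation. */
static bool gw_family_read_in_bounds(const struct fib6_info *f6i)
{
	return offsetof(struct fib6_info, fib6_nh) + sizeof(struct fib6_nh) <= f6i->alloc_size;
}

/* Unchecked order: reads fib6_nh before knowing whether it exists.
 * Returns -1 where the real code would read past the object (the slab-out-of-bounds above). */
static int ecmp_disqualified_unchecked(const struct fib6_info *f6i)
{
	if (!gw_family_read_in_bounds(f6i))
		return -1;
	return !f6i->fib6_nh->fib_nh_gw_family;
}

/* Checked order: short-circuit on nh first, so fib6_nh is only read when it was allocated. */
static int ecmp_disqualified_checked(const struct fib6_info *f6i)
{
	if (f6i->nh)
		return 1;   /* nexthop-object routes never qualify as ECMP siblings */
	if (!gw_family_read_in_bounds(f6i))
		return -1;
	return !f6i->fib6_nh->fib_nh_gw_family;
}

/* Builds one route in the model, evaluates the chosen predicate, and frees it. */
static int model_case(bool with_nh_object, unsigned char gw_family, bool checked)
{
	struct nexthop nh = { .id = 1 };
	struct fib6_info *f6i = fib6_info_alloc_model(with_nh_object ? &nh : NULL, gw_family);
	int r;

	if (!f6i)
		return -2;
	r = checked ? ecmp_disqualified_checked(f6i) : ecmp_disqualified_unchecked(f6i);
	free(f6i);
	return r;
}

int main(void)
{
	/* Route created with a nexthop object: only the checked order stays in bounds. */
	printf("nh route, unchecked: %d (-1 = OOB read)\n", model_case(true, 0, false));
	printf("nh route, checked:   %d\n", model_case(true, 0, true));
	/* Legacy routes with trailing fib6_nh behave the same either way. */
	printf("gw route:            %d / %d\n", model_case(false, 10, false), model_case(false, 10, true));
	printf("no-gw route:         %d / %d\n", model_case(false, 0, false), model_case(false, 0, true));
	return 0;
}
```

The point of the model is that the two predicates agree on every route that has trailing storage; they differ only on nexthop-object routes, where the unchecked order is not merely wrong but reads memory the object does not own, which is exactly what KASAN flagged in the report.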


Thread overview: 4+ messages
2026-02-11 17:50 [PATCH v1 net] ipv6: Fix out-of-bound access in fib6_add_rt2node() Kuniyuki Iwashima
2026-02-11 19:51 ` Fernando Fernandez Mancera
2026-02-12  9:27 ` Shigeru Yoshida [this message]
2026-02-13 20:30 ` patchwork-bot+netdevbpf
