Re: [PATCH] 6lowpan: iphc: reset mac_header after decompress to fix panic

[Michael Scott <michael@opensourcefoundries.com>]

Hello Alexander,


On 07/02/2018 11:54 AM, Alexander Aring wrote:
> Hi,
>
> On Tue, Jun 19, 2018 at 04:44:06PM -0700, Michael Scott wrote:
>> After decompression of 6lowpan socket data, an IPv6 header is inserted
>> before the existing socket payload.  After this, we reset the
>> network_header value of the skb to account for the difference in payload
>> size from prior to decompression + the addition of the IPv6 header.
>>
>> However, we fail to reset the mac_header value.
>>
>> Leaving the mac_header value untouched here, can cause a calculation
>> error in net/packet/af_packet.c packet_rcv() function when an
>> AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
>> interface.
>>
>> On line 2088, the data pointer is moved backward by the value returned
>> from skb_mac_header().  If skb->data is adjusted so that it is before
>> the skb->head pointer (which can happen when an old value of mac_header
>> is left in place) the kernel generates a panic in net/core/skbuff.c
>> line 1717.
>>
>> This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
>> 802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
>> sources for compression and decompression.
>>
>> Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
>> ---
>>   net/6lowpan/iphc.c | 1 +
>>   1 file changed, 1 insertion(+)
>>
>> diff --git a/net/6lowpan/iphc.c b/net/6lowpan/iphc.c
>> index 6b1042e21656..52fad5dad9f7 100644
>> --- a/net/6lowpan/iphc.c
>> +++ b/net/6lowpan/iphc.c
>> @@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_buff *skb, const struct net_device *dev,
>>   		hdr.hop_limit, &hdr.daddr);
>>   
>>   	skb_push(skb, sizeof(hdr));
>> +	skb_reset_mac_header(skb);
>>   	skb_reset_network_header(skb);
>>   	skb_copy_to_linear_data(skb, &hdr, sizeof(hdr));
>>   
> I think it's good to make that if the mac_header gets a dangled pointer.
> But we don't have a mac header at this point anymore...
>
> There exists also some functionality that the MAC header is not set, I
> suppose this can be usefuly for tun like interfaces e.g. RAW IP what we
> have here.
>
> skb_mac_header_was_set
>
> which does:
>
> return skb->mac_header != (typeof(skb->mac_header))~0U;
>
> maybe we can set it as (typeof(skb->mac_header))~0U and then everything
> will run as far the kernel will not crash anymore.
>
> Question is for me: which upper layer wants access MAC header here on
> receive path?
> It cannot parsed anyhow because so far I know no upper layer can parse
> at the moment 802.15.4 frames (which is a complex format). Maybe over
> some header_ops callback?

I was testing a C program which performs NAT64 handling on packets
destined to a certain IPv6 subnet (64:ff9b::). To do this, the 
application opens a RAW socket like this: sniff_sock = socket(PF_PACKET, 
SOCK_RAW, htons(ETH_P_ALL)); It then sets promiscuous mode and enters a 
looping call of:
length = recv(sniff_sock, buffer, PACKET_BUFFER, MSG_TRUNC); My host PC 
kernel would then promptly crash on me. (I'm going to purposely avoid 
the obvious point of: this probably isn't the best way to parse packets 
for NAT64 translation as you will get every single packet incoming or 
outgoing on the host.) Turns out, testing the program on an 802.15.4 
6lowpan interface exposed some of the issues which this mailing list 
(but not myself) is well aware of (no L2 data in the RAW packets) and 
also led me to debugging this patch to stop the kernel crash. TL;DR: To 
summarize, any PF_PACKET SOCK_RAW socket which recv()'s IPv6 data from a 
6lowpan node will cause this kernel crash eventually (checked on kernel 
4.15, 4.16, 4.17 and 4.18-rc1). - Mike
>
> - Alex