From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 32/93] icmp: guard against too small mtu
Date: Wed, 12 Apr 2023 10:33:33 +0200 [thread overview]
Message-ID: <20230412082824.454076124@linuxfoundation.org> (raw)
In-Reply-To: <20230412082823.045155996@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 7d63b67125382ff0ffdfca434acbc94a38bd092b ]
syzbot was able to trigger a panic [1] in icmp_glue_bits(), or
more exactly in skb_copy_and_csum_bits()
There is no repro yet, but I think the issue is that syzbot
manages to lower device mtu to a small value, fooling __icmp_send()
__icmp_send() must make sure there is enough room for the
packet to include at least the headers.
We might in the future refactor skb_copy_and_csum_bits() and its
callers to no longer crash when something bad happens.
[1]
kernel BUG at net/core/skbuff.c:3343 !
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 15766 Comm: syz-executor.0 Not tainted 6.3.0-rc4-syzkaller-00039-gffe78bbd5121 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
RIP: 0010:skb_copy_and_csum_bits+0x798/0x860 net/core/skbuff.c:3343
Code: f0 c1 c8 08 41 89 c6 e9 73 ff ff ff e8 61 48 d4 f9 e9 41 fd ff ff 48 8b 7c 24 48 e8 52 48 d4 f9 e9 c3 fc ff ff e8 c8 27 84 f9 <0f> 0b 48 89 44 24 28 e8 3c 48 d4 f9 48 8b 44 24 28 e9 9d fb ff ff
RSP: 0018:ffffc90000007620 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 00000000000001e8 RCX: 0000000000000100
RDX: ffff8880276f6280 RSI: ffffffff87fdd138 RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000000001e8 R11: 0000000000000001 R12: 000000000000003c
R13: 0000000000000000 R14: ffff888028244868 R15: 0000000000000b0e
FS: 00007fbc81f1c700(0000) GS:ffff88802ca00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2df43000 CR3: 00000000744db000 CR4: 0000000000150ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
icmp_glue_bits+0x7b/0x210 net/ipv4/icmp.c:353
__ip_append_data+0x1d1b/0x39f0 net/ipv4/ip_output.c:1161
ip_append_data net/ipv4/ip_output.c:1343 [inline]
ip_append_data+0x115/0x1a0 net/ipv4/ip_output.c:1322
icmp_push_reply+0xa8/0x440 net/ipv4/icmp.c:370
__icmp_send+0xb80/0x1430 net/ipv4/icmp.c:765
ipv4_send_dest_unreach net/ipv4/route.c:1239 [inline]
ipv4_link_failure+0x5a9/0x9e0 net/ipv4/route.c:1246
dst_link_failure include/net/dst.h:423 [inline]
arp_error_report+0xcb/0x1c0 net/ipv4/arp.c:296
neigh_invalidate+0x20d/0x560 net/core/neighbour.c:1079
neigh_timer_handler+0xc77/0xff0 net/core/neighbour.c:1166
call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
expire_timers+0x29b/0x4b0 kernel/time/timer.c:1751
__run_timers kernel/time/timer.c:2022 [inline]
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230330174502.1915328-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/icmp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index 609c4ff7edc69..7b749a98327c2 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -755,6 +755,11 @@ void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
room = 576;
room -= sizeof(struct iphdr) + icmp_param.replyopts.opt.opt.optlen;
room -= sizeof(struct icmphdr);
+ /* Guard against tiny mtu. We need to include at least one
+ * IP network header for this message to make any sense.
+ */
+ if (room <= (int)sizeof(struct iphdr))
+ goto ende;
icmp_param.data_len = skb_in->len - icmp_param.offset;
if (icmp_param.data_len > room)
--
2.39.2
next prev parent reply other threads:[~2023-04-12 8:36 UTC|newest]
Thread overview: 106+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-04-12 8:33 [PATCH 5.15 00/93] 5.15.107-rc1 review Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 01/93] soc: sifive: ccache: Rename SiFive L2 cache to Composable cache Greg Kroah-Hartman
2023-04-12 9:36 ` Conor Dooley
2023-04-12 10:14 ` Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 02/93] soc: sifive: ccache: determine the cache level from dts Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 03/93] soc: sifive: ccache: reduce printing on init Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 04/93] soc: sifive: ccache: use pr_fmt() to remove CCACHE: prefixes Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 05/93] soc: sifive: ccache: fix missing iounmap() in error path in sifive_ccache_init() Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 06/93] soc: sifive: ccache: fix missing free_irq() " Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 07/93] soc: sifive: ccache: fix missing of_node_put() " Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 08/93] ocfs2: ocfs2_mount_volume does cleanup job before return error Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 09/93] ocfs2: rewrite error handling of ocfs2_fill_super Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 10/93] ocfs2: fix memory leak in ocfs2_mount_volume() Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 11/93] NFSD: Fix sparse warning Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 12/93] NFSD: pass range end to vfs_fsync_range() instead of count Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 13/93] RDMA/irdma: Do not request 2-level PBLEs for CQ alloc Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 14/93] platform/x86: int3472: Split into 2 drivers Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 15/93] platform/x86: int3472/discrete: Ensure the clk/power enable pins are in output mode Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 16/93] iavf: return errno code instead of status code Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 17/93] iavf/iavf_main: actually log ->src mask when talking about it Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 18/93] serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 19/93] serial: exar: Add support for Sealevel 7xxxC serial cards Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 20/93] drm/amdgpu: Prevent race between late signaled fences and GPU reset Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 21/93] drm/amdgpu: fix amdgpu_job_free_resources v2 Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 22/93] bpf: hash map, avoid deadlock with suitable hash mask Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 23/93] gpio: GPIO_REGMAP: select REGMAP instead of depending on it Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 24/93] Drivers: vmbus: Check for channel allocation before looking up relids Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 25/93] pwm: cros-ec: Explicitly set .polarity in .get_state() Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 26/93] pwm: sprd: " Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 27/93] KVM: s390: pv: fix external interruption loop not always detected Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 28/93] wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 29/93] net: qrtr: combine nameservice into main module Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 30/93] net: qrtr: Fix a refcount bug in qrtr_recvmsg() Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 31/93] NFSD: Avoid calling OPDESC() with ops->opnum == OP_ILLEGAL Greg Kroah-Hartman
2023-04-12 8:33 ` Greg Kroah-Hartman [this message]
2023-04-12 8:33 ` [PATCH 5.15 33/93] net: dont let netpoll invoke NAPI if in xmit context Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 34/93] net: dsa: mv88e6xxx: Reset mv88e6393x force WD event bit Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 35/93] sctp: check send stream number after wait_for_sndbuf Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 36/93] net: qrtr: Do not do DEL_SERVER broadcast after DEL_CLIENT Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 37/93] ipv6: Fix an uninit variable access bug in __ip6_make_skb() Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 38/93] platform/x86: think-lmi: Fix memory leak when showing current settings Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 39/93] platform/x86: think-lmi: Fix memory leaks when parsing ThinkStation WMI strings Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 40/93] platform/x86: think-lmi: Clean up display of current_value on Thinkstation Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 41/93] gpio: davinci: Add irq chip flag to skip set wake Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 42/93] net: ethernet: ti: am65-cpsw: Fix mdio cleanup in probe Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 43/93] net: stmmac: fix up RX flow hash indirection table when setting channels Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 44/93] sunrpc: only free unix grouplist after RCU settles Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 45/93] NFSD: callback request does not use correct credential for AUTH_SYS Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 46/93] ice: fix wrong fallback logic for FDIR Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 47/93] ice: Reset FDIR counter in FDIR init stage Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 48/93] ethtool: reset #lanes when lanes is omitted Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 49/93] gve: Secure enough bytes in the first TX desc for all TCP pkts Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 50/93] kbuild: refactor single builds of *.ko Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 51/93] usb: xhci: tegra: fix sleep in atomic call Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 52/93] xhci: also avoid the XHCI_ZERO_64B_REGS quirk with a passthrough iommu Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 53/93] usb: cdnsp: Fixes error: uninitialized symbol len Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 54/93] usb: dwc3: pci: add support for the Intel Meteor Lake-S Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 55/93] USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 56/93] usb: typec: altmodes/displayport: Fix configure initial pin assignment Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 57/93] USB: serial: option: add Telit FE990 compositions Greg Kroah-Hartman
2023-04-12 8:33 ` [PATCH 5.15 58/93] USB: serial: option: add Quectel RM500U-CN modem Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 59/93] iio: adis16480: select CONFIG_CRC32 Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 60/93] iio: adc: ti-ads7950: Set `can_sleep` flag for GPIO chip Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 61/93] iio: dac: cio-dac: Fix max DAC write value check for 12-bit Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 62/93] iio: light: cm32181: Unregister second I2C client if present Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 63/93] tty: serial: sh-sci: Fix transmit end interrupt handler Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 64/93] tty: serial: sh-sci: Fix Rx on RZ/G2L SCI Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 65/93] tty: serial: fsl_lpuart: avoid checking for transfer complete when UARTCTRL_SBK is asserted in lpuart32_tx_empty Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 66/93] nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 67/93] nilfs2: fix sysfs interface lifetime Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 68/93] dt-bindings: serial: renesas,scif: Fix 4th IRQ for 4-IRQ SCIFs Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 69/93] ksmbd: do not call kvmalloc() with __GFP_NORETRY | __GFP_NO_WARN Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 70/93] ALSA: hda/realtek: Add quirk for Clevo X370SNW Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 71/93] coresight: etm4x: Do not access TRCIDR1 for identification Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 72/93] coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 73/93] iio: adc: ad7791: fix IRQ flags Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 74/93] scsi: qla2xxx: Fix memory leak in qla2x00_probe_one() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 75/93] scsi: iscsi_tcp: Check that sock is valid before iscsi_set_param() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 76/93] smb3: allow deferred close timeout to be configurable Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 77/93] smb3: lower default deferred close timeout to address perf regression Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 78/93] cifs: sanitize paths in cifs_update_super_prepath Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 79/93] perf/core: Fix the same task check in perf_event_set_output Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 80/93] ftrace: Mark get_lock_parent_ip() __always_inline Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 81/93] ftrace: Fix issue that direct->addr not restored in modify_ftrace_direct() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 82/93] fs: drop peer group ids under namespace lock Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 83/93] can: j1939: j1939_tp_tx_dat_new(): fix out-of-bounds memory access Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 84/93] can: isotp: isotp_ops: fix poll() to not report false EPOLLOUT events Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 85/93] tracing: Free error logs of tracing instances Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 86/93] ASoC: hdac_hdmi: use set_stream() instead of set_tdm_slots() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 87/93] mm: vmalloc: avoid warn_alloc noise caused by fatal signal Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 88/93] drm/panfrost: Fix the panfrost_mmu_map_fault_addr() error path Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 89/93] drm/nouveau/disp: Support more modes by checking with lower bpc Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 90/93] ring-buffer: Fix race while reader and writer are on the same page Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 91/93] mm/swap: fix swap_info_struct race between swapoff and get_swap_pages() Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 92/93] drm/bridge: lt9611: Fix PLL being unable to lock Greg Kroah-Hartman
2023-04-12 8:34 ` [PATCH 5.15 93/93] mm: take a page reference when removing device exclusive entries Greg Kroah-Hartman
2023-04-12 16:53 ` [PATCH 5.15 00/93] 5.15.107-rc1 review Florian Fainelli
2023-04-12 19:41 ` Shuah Khan
2023-04-12 20:41 ` Guenter Roeck
2023-04-12 21:47 ` [PATCH 5.15 00/93] 5.15.107-rc1 review (possible amdgpu regression) Eddie Chapman
2023-04-13 14:46 ` Greg Kroah-Hartman
2023-06-07 22:24 ` Eddie Chapman
2023-04-13 2:04 ` [PATCH 5.15 00/93] 5.15.107-rc1 review Bagas Sanjaya
2023-04-13 13:28 ` Ron Economos
2023-04-13 14:18 ` Naresh Kamboju
2023-04-13 14:51 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230412082824.454076124@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+d373d60fddbdc915e666@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox