From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev,
	syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com,
	Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
	David Howells <dhowells@redhat.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>,
	David Ahern <dsahern@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Jakub Kicinski <kuba@kernel.org>,
	netdev@vger.kernel.org, bpf@vger.kernel.org,
	syzkaller-bugs@googlegroups.com, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 45/55] ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
Date: Mon,  9 Oct 2023 15:06:44 +0200
Message-ID: <20231009130109.423956294@linuxfoundation.org>
In-Reply-To: <20231009130107.717692466@linuxfoundation.org>

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>

[ Upstream commit 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 ]

Including the transhdrlen in length is a problem when the packet is
partially filled (e.g. something like send(MSG_MORE) happened previously)
when appending to an IPv4 or IPv6 packet as we don't want to repeat the
transport header or account for it twice.  This can happen under some
circumstances, such as splicing into an L2TP socket.

The symptom observed is a warning in __ip6_append_data():

    WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800

that occurs when MSG_SPLICE_PAGES is used to append more data to an already
partially occupied skbuff.  The warning occurs when 'copy' is larger than
the amount of data in the message iterator.  This is because the requested
length includes the transport header length when it shouldn't.  This can be
triggered by, for example:

        sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
        bind(sfd, ...); // ::1
        connect(sfd, ...); // ::1 port 7
        send(sfd, buffer, 4100, MSG_MORE);
        sendfile(sfd, dfd, NULL, 1024);

Fix this by only adding transhdrlen into the length if the write queue is
empty in l2tp_ip6_sendmsg(), analogously to how UDP does things.

l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds
the UDP packet itself.

Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Reported-by: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000001c12b30605378ce8@google.com/
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Dumazet <edumazet@google.com>
cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: David Ahern <dsahern@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: netdev@vger.kernel.org
cc: bpf@vger.kernel.org
cc: syzkaller-bugs@googlegroups.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/l2tp/l2tp_ip6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index a241ead3dd921..d797708a1a5ef 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -532,7 +532,6 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 	 */
 	if (len > INT_MAX - transhdrlen)
 		return -EMSGSIZE;
-	ulen = len + transhdrlen;
 
 	/* Mirror BSD error message compatibility */
 	if (msg->msg_flags & MSG_OOB)
@@ -659,6 +658,7 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
 
 back_from_confirm:
 	lock_sock(sk);
+	ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;
 	err = ip6_append_data(sk, ip_generic_getfrag, msg,
 			      ulen, transhdrlen, &ipc6,
 			      &fl6, (struct rt6_info *)dst,
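Review bot: the added line `ulen = len + skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0;` has an operator-precedence bug: `+` binds tighter than `?:`, so it evaluates as `(len + skb_queue_empty(...)) ? transhdrlen : 0`, leaving ulen equal to transhdrlen (or 0) instead of the message length, and that value is then passed to ip6_append_data() as its length argument. Parenthesize the conditional, `ulen = len + (skb_queue_empty(&sk->sk_write_queue) ? transhdrlen : 0);`, so that transhdrlen is added to len only when the write queue is empty, as the commit message describes.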
-- 
2.40.1