[PATCH 4.9 35/66] ipv6: fix udpv6 sendmsg crash caused by too small MTU

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
	Mike Maloney <maloney@google.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 35/66] ipv6: fix udpv6 sendmsg crash caused by too small MTU
Date: Mon, 29 Jan 2018 13:56:59 +0100	[thread overview]
Message-ID: <20180129123841.735178656@linuxfoundation.org> (raw)
In-Reply-To: <20180129123839.842860149@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Mike Maloney <maloney@google.com>


[ Upstream commit 749439bfac6e1a2932c582e2699f91d329658196 ]

The logic in __ip6_append_data() assumes that the MTU is at least large
enough for the headers.  A device's MTU may be adjusted after being
added while sendmsg() is processing data, resulting in
__ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
the fragmentation header, the math results in a negative 'maxfraglen',
which causes problems when refragmenting any previous skb in the
skb_write_queue, leaving it possibly malformed.

Instead sendmsg returns EINVAL when the mtu is calculated to be less
than IPV6_MIN_MTU.

Found by syzkaller:
kernel BUG at ./include/linux/skbuff.h:2064!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6_finish_skb include/net/ipv6.h:911 [inline]
 udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
 udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x352/0x5a0 net/socket.c:1750
 SyS_sendto+0x40/0x50 net/socket.c:1718
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4512e9
RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Mike Maloney <maloney@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_output.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1260,14 +1260,16 @@ static int ip6_setup_cork(struct sock *s
 	v6_cork->tclass = ipc6->tclass;
 	if (rt->dst.flags & DST_XFRM_TUNNEL)
 		mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-		      rt->dst.dev->mtu : dst_mtu(&rt->dst);
+		      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
 	else
 		mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
-		      rt->dst.dev->mtu : dst_mtu(rt->dst.path);
+		      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
 	if (np->frag_size < mtu) {
 		if (np->frag_size)
 			mtu = np->frag_size;
 	}
+	if (mtu < IPV6_MIN_MTU)
+		return -EINVAL;
 	cork->base.fragsize = mtu;
 	if (dst_allfrag(rt->dst.path))
 		cork->base.flags |= IPCORK_ALLFRAG;

next prev parent reply	other threads:[~2018-01-29 12:56 UTC|newest]

Thread overview: 72+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-01-29 12:56 [PATCH 4.9 00/66] 4.9.79-stable review Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 01/66] x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 02/66] orangefs: use list_for_each_entry_safe in purge_waiting_ops Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 03/66] orangefs: initialize op on loop restart in orangefs_devreq_read Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 04/66] usbip: prevent vhci_hcd driver from leaking a socket pointer address Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 05/66] usbip: Fix implicit fallthrough warning Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 06/66] usbip: Fix potential format overflow in userspace tools Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 07/66] can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 08/66] can: af_can: canfd_rcv(): " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 09/66] KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2 Greg Kroah-Hartman
2018-02-28 15:33   ` Ioana Ciornei
2018-02-28 15:46     ` Punit Agrawal
2018-01-29 12:56 ` [PATCH 4.9 10/66] Prevent timer value 0 for MWAITX Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 11/66] drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 12/66] drivers: base: cacheinfo: fix boot error message when acpi is enabled Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 13/66] mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 14/66] hwpoison, memcg: forcibly uncharge LRU pages Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 15/66] cma: fix calculation of aligned offset Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 16/66] mm, page_alloc: fix potential false positive in __zone_watermark_ok Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 17/66] ipc: msg, make msgrcv work with LONG_MIN Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 18/66] ACPI / scan: Prefer devices without _HID/_CID for _ADR matching Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 19/66] ACPICA: Namespace: fix operand cache leak Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 20/66] netfilter: nfnetlink_cthelper: Add missing permission checks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 21/66] netfilter: xt_osf: " Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 22/66] reiserfs: fix race in prealloc discard Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 23/66] reiserfs: dont preallocate blocks for extended attributes Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 24/66] fs/fcntl: f_setown, avoid undefined behaviour Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 25/66] scsi: libiscsi: fix shifting of DID_REQUEUE host byte Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 26/66] Revert "module: Add retpoline tag to VERMAGIC" Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 27/66] mm: fix 100% CPU kswapd busyloop on unreclaimable nodes Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 28/66] Input: trackpoint - force 3 buttons if 0 button is reported Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 29/66] orangefs: fix deadlock; do not write i_size in read_iter Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 30/66] um: link vmlinux with -no-pie Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 31/66] vsyscall: Fix permissions for emulate mode with KAISER/PTI Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 32/66] eventpoll.h: add missing epoll event masks Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 33/66] dccp: dont restart ccid2_hc_tx_rto_expire() if sk in closed state Greg Kroah-Hartman
2018-01-29 12:56 ` [PATCH 4.9 34/66] ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL Greg Kroah-Hartman
2018-01-29 12:56 ` Greg Kroah-Hartman [this message]
2018-01-29 12:57 ` [PATCH 4.9 36/66] ipv6: ip6_make_skb() needs to clear cork.base.dst Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 37/66] lan78xx: Fix failure in USB Full Speed Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 38/66] net: igmp: fix source address check for IGMPv3 reports Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 39/66] net: qdisc_pkt_len_init() should be more robust Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 40/66] net: tcp: close sock if net namespace is exiting Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 41/66] pppoe: take ->needed_headroom of lower device into account on xmit Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 42/66] r8169: fix memory corruption on retrieval of hardware statistics Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 43/66] sctp: do not allow the v4 socket to bind a v4mapped v6 address Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 44/66] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 45/66] tipc: fix a memory leak in tipc_nl_node_get_link() Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 46/66] vmxnet3: repair memory leak Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 47/66] net: Allow neigh contructor functions ability to modify the primary_key Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 48/66] ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 49/66] ppp: unlock all_ppp_mutex before registering device Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 50/66] be2net: restore properly promisc mode after queues reconfiguration Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 51/66] ip6_gre: init dev->mtu and dev->hard_header_len correctly Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 52/66] gso: validate gso_type in GSO handlers Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 53/66] mlxsw: spectrum_router: Dont log an error on missing neighbor Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 54/66] tun: fix a memory leak for tfile->tx_array Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 55/66] flow_dissector: properly cap thoff field Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 56/66] perf/x86/amd/power: Do not load AMD power module on !AMD platforms Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 57/66] x86/microcode/intel: Extend BDW late-loading further with LLC size check Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 58/66] hrtimer: Reset hrtimer cpu base proper on CPU hotplug Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 59/66] x86: bpf_jit: small optimization in emit_bpf_tail_call() Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 60/66] bpf: fix bpf_tail_call() x64 JIT Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 61/66] bpf: introduce BPF_JIT_ALWAYS_ON config Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 62/66] bpf: arsh is not supported in 32 bit alu thus reject it Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 63/66] bpf: avoid false sharing of map refcount with max_entries Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 64/66] bpf: fix divides by zero Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 65/66] bpf: fix 32-bit divide " Greg Kroah-Hartman
2018-01-29 12:57 ` [PATCH 4.9 66/66] bpf: reject stores into ctx via st and xadd Greg Kroah-Hartman
2018-01-29 23:58 ` [PATCH 4.9 00/66] 4.9.79-stable review Shuah Khan
2018-01-30 10:06 ` Naresh Kamboju
2018-01-30 14:21 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180129123841.735178656@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=maloney@google.com \
    --cc=stable@vger.kernel.org \
    --cc=syzkaller@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).