From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
syzbot <syzkaller@googlegroups.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 21/41] net/packet: refine check for priv area size
Date: Sat, 9 Jun 2018 17:29:53 +0200 [thread overview]
Message-ID: <20180609152927.572367458@linuxfoundation.org> (raw)
In-Reply-To: <20180609152926.389750182@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
syzbot was able to trick af_packet again [1]
Various commits tried to address the problem in the past,
but failed to take into account V3 header size.
[1]
tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106
CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
__packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
xmit_one net/core/dev.c:3049 [inline]
dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
__dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
neigh_output include/net/neighbour.h:482 [inline]
ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
NF_HOOK include/linux/netfilter.h:288 [inline]
ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:240
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
The buggy address belongs to the page:
page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/packet/af_packet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4293,7 +4293,7 @@ static int packet_set_ring(struct sock *
goto out;
if (po->tp_version >= TPACKET_V3 &&
req->tp_block_size <=
- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr))
goto out;
if (unlikely(req->tp_frame_size < po->tp_hdrlen +
po->tp_reserve))
next prev parent reply other threads:[~2018-06-09 15:35 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-09 15:29 [PATCH 4.14 00/41] 4.14.49-stable review Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 01/41] scsi: sd_zbc: Fix potential memory leak Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 02/41] scsi: sd_zbc: Avoid that resetting a zone fails sporadically Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 03/41] mmap: introduce sane default mmap limits Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 04/41] mmap: relax file size limit for regular files Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 05/41] btrfs: define SUPER_FLAG_METADUMP_V2 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 07/41] be2net: Fix error detection logic for BE3 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 08/41] bnx2x: use the right constant Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 09/41] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect() Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 10/41] enic: set DMA mask to 47 bit Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 11/41] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 12/41] ip6_tunnel: remove magic mtu value 0xFFF8 Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 13/41] ipmr: properly check rhltable_init() return value Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 14/41] ipv4: remove warning in ip_recv_error Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 15/41] ipv6: omit traffic class when calculating flow hash Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 16/41] isdn: eicon: fix a missing-check bug Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 17/41] kcm: Fix use-after-free caused by clonned sockets Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 18/41] netdev-FAQ: clarify DaveMs position for stable backports Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 19/41] net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 20/41] net: metrics: add proper netlink validation Greg Kroah-Hartman
2018-06-09 15:29 ` Greg Kroah-Hartman [this message]
2018-06-09 15:29 ` [PATCH 4.14 22/41] net: phy: broadcom: Fix bcm_write_exp() Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 24/41] packet: fix reserve calculation Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 25/41] qed: Fix mask for physical address in ILT entry Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 26/41] sctp: not allow transport timeout value less than HZ/5 for hb_timer Greg Kroah-Hartman
2018-06-09 15:29 ` [PATCH 4.14 27/41] team: use netdev_features_t instead of u32 Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 28/41] vhost: synchronize IOTLB message with dev cleanup Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 29/41] vrf: check the original netdevice for generating redirect Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 30/41] ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 31/41] net: phy: broadcom: Fix auxiliary control register reads Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 32/41] net-sysfs: Fix memory leak in XPS configuration Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 33/41] virtio-net: correctly transmit XDP buff after linearizing Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 34/41] net/mlx4: Fix irq-unsafe spinlock usage Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 35/41] tun: Fix NULL pointer dereference in XDP redirect Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 36/41] virtio-net: correctly check num_buf during err path Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 37/41] net/mlx5e: When RXFCS is set, add FCS data into checksum calculation Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 38/41] virtio-net: fix leaking page for gso packet during mergeable XDP Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 39/41] rtnetlink: validate attributes in do_setlink() Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 40/41] cls_flower: Fix incorrect idr release when failing to modify rule Greg Kroah-Hartman
2018-06-09 15:30 ` [PATCH 4.14 41/41] PCI: hv: Do not wait forever on a device that has disappeared Greg Kroah-Hartman
2018-06-10 9:06 ` [PATCH 4.14 00/41] 4.14.49-stable review Naresh Kamboju
2018-06-10 15:13 ` Guenter Roeck
2018-06-11 19:36 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180609152927.572367458@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox