[PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen
@ 2018-07-23  0:43 Willem de Bruijn
  2018-07-23  1:43 ` Eric Dumazet
  0 siblings, 1 reply; 3+ messages in thread
From: Willem de Bruijn @ 2018-07-23  0:43 UTC (permalink / raw)
  To: netdev; +Cc: davem, Willem de Bruijn

From: Willem de Bruijn <willemb@google.com>

Syzbot reported a read beyond the end of the skb head when returning
IPV6_ORIGDSTADDR:

  BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
  CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
  Google 01/01/2011
  Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x185/0x1d0 lib/dump_stack.c:113
    kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
    kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
    kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
    copy_to_user include/linux/uaccess.h:184 [inline]
    put_cmsg+0x5ef/0x860 net/core/scm.c:242
    ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
    ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
    rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
    [..]

This logic and its ipv4 counterpart read the destination port from
the packet at skb_transport_offset(skb) + 4.

With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
packet that stores headers exactly up to skb_transport_offset(skb) in
the head and the remainder in a frag.

Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of
skb->len when trying to access this field.

Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/ipv4/ip_sockglue.c | 2 +-
 net/ipv6/datagram.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 64c76dcf7386..5f228d641d9b 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
 	const struct iphdr *iph = ip_hdr(skb);
 	__be16 *ports = (__be16 *)skb_transport_header(skb);
 
-	if (skb_transport_offset(skb) + 4 > (int)skb->len)
+	if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb))
 		return;
 
 	/* All current transport protocols have the port numbers in the
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 2ee08b6a86a4..fd43810aacd2 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -702,7 +702,7 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg,
 		struct sockaddr_in6 sin6;
 		__be16 *ports = (__be16 *) skb_transport_header(skb);
 
-		if (skb_transport_offset(skb) + 4 <= (int)skb->len) {
+		if (skb_transport_offset(skb) + 4 <= (int)skb_headlen(skb)) {
 			/* All current transport protocols have the port numbers in the
 			 * first four bytes of the transport header and this function is
 			 * written with this assumption in mind.
-- 
2.18.0.233.g985f88cf7e-goog

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen
  2018-07-23  0:43 [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen Willem de Bruijn
@ 2018-07-23  1:43 ` Eric Dumazet
  2018-07-23  2:01   ` Willem de Bruijn
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Dumazet @ 2018-07-23  1:43 UTC (permalink / raw)
  To: Willem de Bruijn, netdev; +Cc: davem, Willem de Bruijn



On 07/22/2018 05:43 PM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@google.com>
> 
> Syzbot reported a read beyond the end of the skb head when returning
> IPV6_ORIGDSTADDR:
> 
>   BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
>   CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
>   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>   Google 01/01/2011
>   Call Trace:
>     __dump_stack lib/dump_stack.c:77 [inline]
>     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
>     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
>     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
>     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
>     copy_to_user include/linux/uaccess.h:184 [inline]
>     put_cmsg+0x5ef/0x860 net/core/scm.c:242
>     ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
>     ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
>     rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
>     [..]
> 
> This logic and its ipv4 counterpart read the destination port from
> the packet at skb_transport_offset(skb) + 4.
> 
> With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
> packet that stores headers exactly up to skb_transport_offset(skb) in
> the head and the remainder in a frag.
> 
> Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of
> skb->len when trying to access this field.
> 
> Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
> Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
> Signed-off-by: Willem de Bruijn <willemb@google.com>
> ---
>  net/ipv4/ip_sockglue.c | 2 +-
>  net/ipv6/datagram.c    | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index 64c76dcf7386..5f228d641d9b 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
>  	const struct iphdr *iph = ip_hdr(skb);
>  	__be16 *ports = (__be16 *)skb_transport_header(skb);
>  
> -	if (skb_transport_offset(skb) + 4 > (int)skb->len)
> +	if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb))
>  		return;
>

This really should call pskb_may_pull() or skb_header_pointer().

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen
  2018-07-23  1:43 ` Eric Dumazet
@ 2018-07-23  2:01   ` Willem de Bruijn
  0 siblings, 0 replies; 3+ messages in thread
From: Willem de Bruijn @ 2018-07-23  2:01 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Network Development, David Miller, Willem de Bruijn

On Sun, Jul 22, 2018 at 9:43 PM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 07/22/2018 05:43 PM, Willem de Bruijn wrote:
> > From: Willem de Bruijn <willemb@google.com>
> >
> > Syzbot reported a read beyond the end of the skb head when returning
> > IPV6_ORIGDSTADDR:
> >
> >   BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
> >   CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
> >   Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> >   Google 01/01/2011
> >   Call Trace:
> >     __dump_stack lib/dump_stack.c:77 [inline]
> >     dump_stack+0x185/0x1d0 lib/dump_stack.c:113
> >     kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
> >     kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
> >     kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
> >     copy_to_user include/linux/uaccess.h:184 [inline]
> >     put_cmsg+0x5ef/0x860 net/core/scm.c:242
> >     ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
> >     ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
> >     rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
> >     [..]
> >
> > This logic and its ipv4 counterpart read the destination port from
> > the packet at skb_transport_offset(skb) + 4.
> >
> > With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
> > packet that stores headers exactly up to skb_transport_offset(skb) in
> > the head and the remainder in a frag.
> >
> > Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of
> > skb->len when trying to access this field.
> >
> > Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
> > Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
> > Signed-off-by: Willem de Bruijn <willemb@google.com>
> > ---
> >  net/ipv4/ip_sockglue.c | 2 +-
> >  net/ipv6/datagram.c    | 2 +-
> >  2 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> > index 64c76dcf7386..5f228d641d9b 100644
> > --- a/net/ipv4/ip_sockglue.c
> > +++ b/net/ipv4/ip_sockglue.c
> > @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
> >       const struct iphdr *iph = ip_hdr(skb);
> >       __be16 *ports = (__be16 *)skb_transport_header(skb);
> >
> > -     if (skb_transport_offset(skb) + 4 > (int)skb->len)
> > +     if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb))
> >               return;
> >
>
> This really should call pskb_may_pull() or skb_header_pointer().

Okay. Since in all common cases these bytes do lie in the skb head,
pskb_may_pull is pretty cheap. I'll use that. The linked discussion
already outlines a rough patch.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-07-23  3:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-07-23  0:43 [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen Willem de Bruijn
2018-07-23  1:43 ` Eric Dumazet
2018-07-23  2:01   ` Willem de Bruijn

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox