From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <netdev-owner@vger.kernel.org>
Received: from shards.monkeyblade.net ([23.128.96.9]:40036 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388455AbeGYAph (ORCPT <rfc822;netdev@vger.kernel.org>); Tue, 24 Jul 2018 20:45:37 -0400
Date: Tue, 24 Jul 2018 16:36:44 -0700 (PDT)
Message-Id: <20180724.163644.1916200439521552708.davem@davemloft.net>
To: willemdebruijn.kernel@gmail.com
Cc: netdev@vger.kernel.org, eric.dumazet@gmail.com, willemb@google.com
Subject: Re: [PATCH net v2] ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
From: David Miller <davem@davemloft.net>
In-Reply-To: <20180723233648.95739-1-willemdebruijn.kernel@gmail.com>
References: <20180723233648.95739-1-willemdebruijn.kernel@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>

From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Mon, 23 Jul 2018 19:36:48 -0400

> From: Willem de Bruijn <willemb@google.com>
>
> Syzbot reported a read beyond the end of the skb head when returning
> IPV6_ORIGDSTADDR:
>
> ...
>
> This logic and its ipv4 counterpart read the destination port from
> the packet at skb_transport_offset(skb) + 4.
>
> With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
> packet that stores headers exactly up to skb_transport_offset(skb) in
> the head and the remainder in a frag.
>
> Call pskb_may_pull before accessing the pointer to ensure that it lies
> in skb head.
>
> Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
> Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
> Signed-off-by: Willem de Bruijn <willemb@google.com>

Applied and queued up for -stable, thanks!
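An added example (plain C, not the patch or kernel code) that models the skb layout the commit message describes: headers end exactly at the transport offset in the linear head, the transport header itself sits in a frag, and a pskb_may_pull-style guard refuses the port read instead of dereferencing past the head. `struct mock_skb`, `mock_may_pull`, `build_skb` and `read_dst_port` are hypothetical stand-ins assumed for illustration; `mock_may_pull` only checks the bound and does not linearise frags the way the real helper does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, minimal stand-in for struct sk_buff: 'headlen' bytes of
 * 'head' are linear, 'paged' bytes live in frags and are not reachable
 * through 'head'. 'transport_offset' plays skb_transport_offset(skb). */
struct mock_skb {
    uint8_t head[128];
    size_t headlen;
    size_t paged;
    size_t transport_offset;
};

/* Model of pskb_may_pull(skb, len): true only if 'len' bytes from the
 * start of the packet are already in the linear head (no pulling here). */
static bool mock_may_pull(const struct mock_skb *skb, size_t len)
{
    return len <= skb->headlen;
}

/* Constructed packet: headers up to transport_offset, then 'linear' bytes
 * of transport header in the head and 'paged' bytes in a frag. The UDP
 * destination port (bytes 2..3 of the transport header) is written only
 * when it actually fits in the head. */
static void build_skb(struct mock_skb *skb, size_t transport_offset,
                      size_t linear, size_t paged, uint16_t dst_port)
{
    memset(skb, 0, sizeof *skb);
    skb->transport_offset = transport_offset;
    skb->headlen = transport_offset + linear;
    skb->paged = paged;
    if (transport_offset + 4 <= skb->headlen) {
        skb->head[transport_offset + 2] = (uint8_t)(dst_port >> 8);
        skb->head[transport_offset + 3] = (uint8_t)(dst_port & 0xff);
    }
}

/* Guarded read, mirroring the fix: require transport_offset + 4 bytes in
 * the head before touching the pointer. Returns 0 and sets *port, or -1
 * when the bytes are not linear (the syzbot layout). */
static int read_dst_port(const struct mock_skb *skb, uint16_t *port)
{
    const uint8_t *th;
    if (!mock_may_pull(skb, skb->transport_offset + 4))
        return -1;
    th = skb->head + skb->transport_offset;
    *port = (uint16_t)((th[2] << 8) | th[3]);
    return 0;
}

/* syzbot layout: head ends exactly at the transport offset, 8 bytes paged. */
static int demo_split(void)
{
    struct mock_skb s; uint16_t p = 0;
    build_skb(&s, 40, 0, 8, 53);
    return read_dst_port(&s, &p);           /* -1: read refused */
}

/* Same packet fully linear: the guarded read succeeds. */
static int demo_linear(void)
{
    struct mock_skb s; uint16_t p = 0;
    build_skb(&s, 40, 8, 0, 53);
    return read_dst_port(&s, &p) == 0 ? (int)p : -1;   /* 53 */
}
```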