From mboxrd@z Thu Jan  1 00:00:00 1970
From: Vladis Dronov <vdronov@redhat.com>
Subject: [PATCH] net: arp, ipv6: handle special case of tap device
Date: Wed, 26 Sep 2018 11:30:18 +0200
Message-ID: <20180926093018.6646-1-vdronov@redhat.com>
Cc: Vladis Dronov <vdronov@redhat.com>
To: "David S . Miller" <davem@davemloft.net>,
        Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
        Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
        netdev@vger.kernel.org, syzkaller@googlegroups.com,
        linux-kernel@vger.kernel.org
Return-path: <linux-kernel-owner@vger.kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

dev->type can be set to any value for tun/tap devices by TUNSETLINK ioctl.
Nevertheless, all other dev's fields related to the link level like addr_len
and broadcast remain the same as configured previously for ARPHRD_ETHER type,
making dev inconsistent. This can lead to read from uninitialized memory.
Fix this by checking for the case of tun/tap device and act according to the
real link level type of dev while mapping a multicast IP onto multicast MAC

Reported-by: syzbot+d3402c47f680ff24b29c@syzkaller.appspotmail.com
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
---
 net/ipv4/arp.c   | 9 ++++++++-
 net/ipv6/ndisc.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/arp.c b/net/ipv4/arp.c
index e90c89ef8c08..9ce472cf98a3 100644
--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -187,7 +187,14 @@ EXPORT_SYMBOL(arp_tbl);
 
 int arp_mc_map(__be32 addr, u8 *haddr, struct net_device *dev, int dir)
 {
-	switch (dev->type) {
+	unsigned short type = dev->type;
+
+#if IS_ENABLED(CONFIG_TAP)
+	if (dev->rtnl_link_ops && !strcmp(dev->rtnl_link_ops->kind, "tun"))
+		type = ARPHRD_ETHER;
+#endif /* CONFIG_TAP */
+
+	switch (type) {
 	case ARPHRD_ETHER:
 	case ARPHRD_FDDI:
 	case ARPHRD_IEEE802:
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
index 0ec273997d1d..9371ff4454f7 100644
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -283,7 +283,14 @@ struct ndisc_options *ndisc_parse_options(const struct net_device *dev,
 
 int ndisc_mc_map(const struct in6_addr *addr, char *buf, struct net_device *dev, int dir)
 {
-	switch (dev->type) {
+	unsigned short type = dev->type;
+
+#if IS_ENABLED(CONFIG_TAP)
+	if (dev->rtnl_link_ops && !strcmp(dev->rtnl_link_ops->kind, "tun"))
+		type = ARPHRD_ETHER;
+#endif /* CONFIG_TAP */
+
+	switch (type) {
 	case ARPHRD_ETHER:
 	case ARPHRD_IEEE802:	/* Not sure. Check it later. --ANK */
 	case ARPHRD_FDDI:
-- 
2.19.0