[PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[Kuniyuki Iwashima]

syzkaller reported out-of-bounds read in ipv6_addr_prefix(),
where the prefix length was over 128.

The cited commit accidentally removed some fib6_config
validation from the ioctl path.

Let's restore the validation.

[0]:
BUG: KASAN: slab-out-of-bounds in ip6_route_info_create (./include/net/ipv6.h:616 net/ipv6/route.c:3814)
Read of size 1 at addr ff11000138020ad4 by task repro/261

CPU: 3 UID: 0 PID: 261 Comm: repro Not tainted 6.15.0-rc3-00614-g0d15a26b247d #87 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
Call Trace:
 <TASK>
 dump_stack_lvl (lib/dump_stack.c:123)
 print_report (mm/kasan/report.c:409 mm/kasan/report.c:521)
 kasan_report (mm/kasan/report.c:636)
 ip6_route_info_create (./include/net/ipv6.h:616 net/ipv6/route.c:3814)
 ip6_route_add (net/ipv6/route.c:3902)
 ipv6_route_ioctl (net/ipv6/route.c:4523)
 inet6_ioctl (net/ipv6/af_inet6.c:577)
 sock_do_ioctl (net/socket.c:1190)
 sock_ioctl (net/socket.c:1314)
 __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:906 fs/ioctl.c:892 fs/ioctl.c:892)
 do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
RIP: 0033:0x7f518fb2de5d
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 73 9f 1b 00 f7 d8 64 89 01 48
RSP: 002b:00007fff14f38d18 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f518fb2de5d
RDX: 00000000200015c0 RSI: 000000000000890b RDI: 0000000000000003
RBP: 00007fff14f38d30 R08: 0000000000000800 R09: 0000000000000800
R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff14f38e48
R13: 0000000000401136 R14: 0000000000403df0 R15: 00007f518fd3c000
 </TASK>

Fixes: fa76c1674f2e ("ipv6: Move some validation from ip6_route_info_create() to rtm_to_fib6_config().")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Reported-by: Yi Lai <yi1.lai@linux.intel.com>
Closes: https://lore.kernel.org/netdev/aBAcKDEFoN%2FLntBF@ly-workstation/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
---
 net/ipv6/route.c | 97 +++++++++++++++++++++++++++---------------------
 1 file changed, 55 insertions(+), 42 deletions(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d0351e95d916..4c1e86e968f8 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -4496,6 +4496,53 @@ void rt6_purge_dflt_routers(struct net *net)
 	rcu_read_unlock();
 }
 
+static int fib6_config_validate(struct fib6_config *cfg,
+				struct netlink_ext_ack *extack)
+{
+	/* RTF_PCPU is an internal flag; can not be set by userspace */
+	if (cfg->fc_flags & RTF_PCPU) {
+		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_PCPU");
+		goto errout;
+	}
+
+	/* RTF_CACHE is an internal flag; can not be set by userspace */
+	if (cfg->fc_flags & RTF_CACHE) {
+		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_CACHE");
+		goto errout;
+	}
+
+	if (cfg->fc_type > RTN_MAX) {
+		NL_SET_ERR_MSG(extack, "Invalid route type");
+		goto errout;
+	}
+
+	if (cfg->fc_dst_len > 128) {
+		NL_SET_ERR_MSG(extack, "Invalid prefix length");
+		goto errout;
+	}
+
+#ifdef CONFIG_IPV6_SUBTREES
+	if (cfg->fc_src_len > 128) {
+		NL_SET_ERR_MSG(extack, "Invalid source address length");
+		goto errout;
+	}
+
+	if (cfg->fc_nh_id &&  cfg->fc_src_len) {
+		NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing");
+		goto errout;
+	}
+#else
+	if (cfg->fc_src_len) {
+		NL_SET_ERR_MSG(extack,
+			       "Specifying source address requires IPV6_SUBTREES to be enabled");
+		goto errout;
+	}
+#endif
+	return 0;
+errout:
+	return -EINVAL;
+}
+
 static void rtmsg_to_fib6_config(struct net *net,
 				 struct in6_rtmsg *rtmsg,
 				 struct fib6_config *cfg)
@@ -4533,6 +4580,10 @@ int ipv6_route_ioctl(struct net *net, unsigned int cmd, struct in6_rtmsg *rtmsg)
 
 	switch (cmd) {
 	case SIOCADDRT:
+		err = fib6_config_validate(&cfg, NULL);
+		if (err)
+			break;
+
 		/* Only do the default setting of fc_metric in route adding */
 		if (cfg.fc_metric == 0)
 			cfg.fc_metric = IP6_RT_PRIO_USER;
@@ -5267,48 +5318,6 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
 		}
 	}
 
-	if (newroute) {
-		/* RTF_PCPU is an internal flag; can not be set by userspace */
-		if (cfg->fc_flags & RTF_PCPU) {
-			NL_SET_ERR_MSG(extack, "Userspace can not set RTF_PCPU");
-			goto errout;
-		}
-
-		/* RTF_CACHE is an internal flag; can not be set by userspace */
-		if (cfg->fc_flags & RTF_CACHE) {
-			NL_SET_ERR_MSG(extack, "Userspace can not set RTF_CACHE");
-			goto errout;
-		}
-
-		if (cfg->fc_type > RTN_MAX) {
-			NL_SET_ERR_MSG(extack, "Invalid route type");
-			goto errout;
-		}
-
-		if (cfg->fc_dst_len > 128) {
-			NL_SET_ERR_MSG(extack, "Invalid prefix length");
-			goto errout;
-		}
-
-#ifdef CONFIG_IPV6_SUBTREES
-		if (cfg->fc_src_len > 128) {
-			NL_SET_ERR_MSG(extack, "Invalid source address length");
-			goto errout;
-		}
-
-		if (cfg->fc_nh_id &&  cfg->fc_src_len) {
-			NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing");
-			goto errout;
-		}
-#else
-		if (cfg->fc_src_len) {
-			NL_SET_ERR_MSG(extack,
-				       "Specifying source address requires IPV6_SUBTREES to be enabled");
-			goto errout;
-		}
-#endif
-	}
-
 	err = 0;
 errout:
 	return err;
@@ -5703,6 +5712,10 @@ static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh,
 	if (err < 0)
 		return err;
 
+	err = fib6_config_validate(cfg, extack);
+	if (err)
+		return err;
+
 	if (cfg.fc_metric == 0)
 		cfg.fc_metric = IP6_RT_PRIO_USER;
 
-- 
2.49.0

Re: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[David Ahern]

On 4/28/25 6:46 PM, Kuniyuki Iwashima wrote:
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index d0351e95d916..4c1e86e968f8 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -4496,6 +4496,53 @@ void rt6_purge_dflt_routers(struct net *net)
>  	rcu_read_unlock();
>  }
>  
> +static int fib6_config_validate(struct fib6_config *cfg,
> +				struct netlink_ext_ack *extack)
> +{
> +	/* RTF_PCPU is an internal flag; can not be set by userspace */
> +	if (cfg->fc_flags & RTF_PCPU) {
> +		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_PCPU");
> +		goto errout;
> +	}
> +
> +	/* RTF_CACHE is an internal flag; can not be set by userspace */
> +	if (cfg->fc_flags & RTF_CACHE) {
> +		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_CACHE");
> +		goto errout;
> +	}
> +
> +	if (cfg->fc_type > RTN_MAX) {
> +		NL_SET_ERR_MSG(extack, "Invalid route type");
> +		goto errout;
> +	}
> +
> +	if (cfg->fc_dst_len > 128) {
> +		NL_SET_ERR_MSG(extack, "Invalid prefix length");
> +		goto errout;
> +	}
> +
> +#ifdef CONFIG_IPV6_SUBTREES
> +	if (cfg->fc_src_len > 128) {
> +		NL_SET_ERR_MSG(extack, "Invalid source address length");
> +		goto errout;
> +	}
> +
> +	if (cfg->fc_nh_id &&  cfg->fc_src_len) {

extra space after '&&'



Reviewed-by: David Ahern <dsahern@kernel.org>

Re: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[Kuniyuki Iwashima]

From: David Ahern <dsahern@kernel.org>
Date: Tue, 29 Apr 2025 09:31:33 -0600
> On 4/28/25 6:46 PM, Kuniyuki Iwashima wrote:
> > diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> > index d0351e95d916..4c1e86e968f8 100644
> > --- a/net/ipv6/route.c
> > +++ b/net/ipv6/route.c
> > @@ -4496,6 +4496,53 @@ void rt6_purge_dflt_routers(struct net *net)
> >  	rcu_read_unlock();
> >  }
> >  
> > +static int fib6_config_validate(struct fib6_config *cfg,
> > +				struct netlink_ext_ack *extack)
> > +{
> > +	/* RTF_PCPU is an internal flag; can not be set by userspace */
> > +	if (cfg->fc_flags & RTF_PCPU) {
> > +		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_PCPU");
> > +		goto errout;
> > +	}
> > +
> > +	/* RTF_CACHE is an internal flag; can not be set by userspace */
> > +	if (cfg->fc_flags & RTF_CACHE) {
> > +		NL_SET_ERR_MSG(extack, "Userspace can not set RTF_CACHE");
> > +		goto errout;
> > +	}
> > +
> > +	if (cfg->fc_type > RTN_MAX) {
> > +		NL_SET_ERR_MSG(extack, "Invalid route type");
> > +		goto errout;
> > +	}
> > +
> > +	if (cfg->fc_dst_len > 128) {
> > +		NL_SET_ERR_MSG(extack, "Invalid prefix length");
> > +		goto errout;
> > +	}
> > +
> > +#ifdef CONFIG_IPV6_SUBTREES
> > +	if (cfg->fc_src_len > 128) {
> > +		NL_SET_ERR_MSG(extack, "Invalid source address length");
> > +		goto errout;
> > +	}
> > +
> > +	if (cfg->fc_nh_id &&  cfg->fc_src_len) {
> 
> extra space after '&&'

I didn't notice I added it in fa76c1674f2e.

Will remove it in v2 and add the missing last-minute change
that caused build failure..

Thanks!

Re: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[kernel test robot]

Hi Kuniyuki,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]

url:    https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/ipv6-Restore-fib6_config-validation-for-SIOCADDRT/20250429-094825
base:   net-next/main
patch link:    https://lore.kernel.org/r/20250429014624.61938-1-kuniyu%40amazon.com
patch subject: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.
config: s390-randconfig-001-20250430 (https://download.01.org/0day-ci/archive/20250430/202504300946.ZH4g32Gw-lkp@intel.com/config)
compiler: clang version 20.1.2 (https://github.com/llvm/llvm-project 58df0ef89dd64126512e4ee27b4ac3fd8ddf6247)
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250430/202504300946.ZH4g32Gw-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202504300946.ZH4g32Gw-lkp@intel.com/

All errors (new ones prefixed by >>):

>> net/ipv6/route.c:5715:29: error: passing 'struct fib6_config' to parameter of incompatible type 'struct fib6_config *'; take the address with &
    5715 |         err = fib6_config_validate(cfg, extack);
         |                                    ^~~
         |                                    &
   net/ipv6/route.c:4499:53: note: passing argument to parameter 'cfg' here
    4499 | static int fib6_config_validate(struct fib6_config *cfg,
         |                                                     ^
   1 error generated.


vim +5715 net/ipv6/route.c

  5704	
  5705	static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh,
  5706				      struct netlink_ext_ack *extack)
  5707	{
  5708		struct fib6_config cfg;
  5709		int err;
  5710	
  5711		err = rtm_to_fib6_config(skb, nlh, &cfg, extack);
  5712		if (err < 0)
  5713			return err;
  5714	
> 5715		err = fib6_config_validate(cfg, extack);
  5716		if (err)
  5717			return err;
  5718	
  5719		if (cfg.fc_metric == 0)
  5720			cfg.fc_metric = IP6_RT_PRIO_USER;
  5721	
  5722		if (cfg.fc_mp)
  5723			return ip6_route_multipath_add(&cfg, extack);
  5724		else
  5725			return ip6_route_add(&cfg, GFP_KERNEL, extack);
  5726	}
  5727	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.

[kernel test robot]

Hi Kuniyuki,

kernel test robot noticed the following build errors:

[auto build test ERROR on net-next/main]

url:    https://github.com/intel-lab-lkp/linux/commits/Kuniyuki-Iwashima/ipv6-Restore-fib6_config-validation-for-SIOCADDRT/20250429-094825
base:   net-next/main
patch link:    https://lore.kernel.org/r/20250429014624.61938-1-kuniyu%40amazon.com
patch subject: [PATCH v1 net-next] ipv6: Restore fib6_config validation for SIOCADDRT.
config: sparc-randconfig-002-20250430 (https://download.01.org/0day-ci/archive/20250430/202504301121.cFJmlUEg-lkp@intel.com/config)
compiler: sparc-linux-gcc (GCC) 14.2.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250430/202504301121.cFJmlUEg-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202504301121.cFJmlUEg-lkp@intel.com/

All errors (new ones prefixed by >>):

   net/ipv6/route.c: In function 'inet6_rtm_newroute':
>> net/ipv6/route.c:5715:36: error: incompatible type for argument 1 of 'fib6_config_validate'
    5715 |         err = fib6_config_validate(cfg, extack);
         |                                    ^~~
         |                                    |
         |                                    struct fib6_config
   net/ipv6/route.c:4499:53: note: expected 'struct fib6_config *' but argument is of type 'struct fib6_config'
    4499 | static int fib6_config_validate(struct fib6_config *cfg,
         |                                 ~~~~~~~~~~~~~~~~~~~~^~~


vim +/fib6_config_validate +5715 net/ipv6/route.c

  5704	
  5705	static int inet6_rtm_newroute(struct sk_buff *skb, struct nlmsghdr *nlh,
  5706				      struct netlink_ext_ack *extack)
  5707	{
  5708		struct fib6_config cfg;
  5709		int err;
  5710	
  5711		err = rtm_to_fib6_config(skb, nlh, &cfg, extack);
  5712		if (err < 0)
  5713			return err;
  5714	
> 5715		err = fib6_config_validate(cfg, extack);
  5716		if (err)
  5717			return err;
  5718	
  5719		if (cfg.fc_metric == 0)
  5720			cfg.fc_metric = IP6_RT_PRIO_USER;
  5721	
  5722		if (cfg.fc_mp)
  5723			return ip6_route_multipath_add(&cfg, extack);
  5724		else
  5725			return ip6_route_add(&cfg, GFP_KERNEL, extack);
  5726	}
  5727	

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki