From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from imap1.codethink.co.uk ([176.9.8.82]:50334 "EHLO
        imap1.codethink.co.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1753709AbeBSTqS (ORCPT
        <rfc822;stable@vger.kernel.org>); Mon, 19 Feb 2018 14:46:18 -0500
Message-ID: <1519069573.3422.63.camel@codethink.co.uk>
Subject: Re: [PATCH 4.4 60/74] ipv6: fix udpv6 sendmsg crash caused by too
 small MTU
From: Ben Hutchings <ben.hutchings@codethink.co.uk>
To: Mike Maloney <maloney@google.com>,
        Eric Dumazet <edumazet@google.com>
Cc: stable@vger.kernel.org, syzbot <syzkaller@googlegroups.com>,
        "David S. Miller" <davem@davemloft.net>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        LKML <linux-kernel@vger.kernel.org>
Date: Mon, 19 Feb 2018 20:46:13 +0100
In-Reply-To: <20180129123850.261403857@linuxfoundation.org>
References: <20180129123847.507563674@linuxfoundation.org>
         <20180129123850.261403857@linuxfoundation.org>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Mon, 2018-01-29 at 13:57 +0100, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Mike Maloney <maloney@google.com>
> 
> 
> [ Upstream commit 749439bfac6e1a2932c582e2699f91d329658196 ]
[...]
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1246,14 +1246,16 @@ static int ip6_setup_cork(struct sock *s
>  	v6_cork->tclass = tclass;
>  	if (rt->dst.flags & DST_XFRM_TUNNEL)
>  		mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
> -		      rt->dst.dev->mtu : dst_mtu(&rt->dst);
> +		      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(&rt->dst);
>  	else
>  		mtu = np->pmtudisc >= IPV6_PMTUDISC_PROBE ?
> -		      rt->dst.dev->mtu : dst_mtu(rt->dst.path);
> +		      READ_ONCE(rt->dst.dev->mtu) : dst_mtu(rt->dst.path);
>  	if (np->frag_size < mtu) {
>  		if (np->frag_size)
>  			mtu = np->frag_size;
>  	}
> +	if (mtu < IPV6_MIN_MTU)
> +		return -EINVAL;

This error path appears to leak a reference to rt->dst.

Ben.

>  	cork->base.fragsize = mtu;
>  	if (dst_allfrag(rt->dst.path))
>  		cork->base.flags |= IPCORK_ALLFRAG;
> 
> 
> 
-- 
Ben Hutchings
Software Developer, Codethink Ltd.