From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.0 033/117] net: ip6_gre: fix possible use-after-free in ip6erspan_rcv
Date: Mon, 15 Apr 2019 21:00:03 +0200 [thread overview]
Message-ID: <20190415183746.663885941@linuxfoundation.org> (raw)
In-Reply-To: <20190415183744.887851196@linuxfoundation.org>
[ Upstream commit 2a3cabae4536edbcb21d344e7aa8be7a584d2afb ]
erspan_v6 tunnels run __iptunnel_pull_header on received skbs to remove
erspan header. This can determine a possible use-after-free accessing
pkt_md pointer in ip6erspan_rcv since the packet will be 'uncloned'
running pskb_expand_head if it is a cloned gso skb (e.g if the packet has
been sent though a veth device). Fix it resetting pkt_md pointer after
__iptunnel_pull_header
Fixes: 1d7e2ed22f8d ("net: erspan: refactor existing erspan code")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_gre.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 26f25b6e2833..438f1a5fd19a 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -524,11 +524,10 @@ static int ip6gre_rcv(struct sk_buff *skb, const struct tnl_ptk_info *tpi)
return PACKET_REJECT;
}
-static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len,
- struct tnl_ptk_info *tpi)
+static int ip6erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
+ int gre_hdr_len)
{
struct erspan_base_hdr *ershdr;
- struct erspan_metadata *pkt_md;
const struct ipv6hdr *ipv6h;
struct erspan_md2 *md2;
struct ip6_tnl *tunnel;
@@ -547,18 +546,16 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len,
if (unlikely(!pskb_may_pull(skb, len)))
return PACKET_REJECT;
- ershdr = (struct erspan_base_hdr *)skb->data;
- pkt_md = (struct erspan_metadata *)(ershdr + 1);
-
if (__iptunnel_pull_header(skb, len,
htons(ETH_P_TEB),
false, false) < 0)
return PACKET_REJECT;
if (tunnel->parms.collect_md) {
+ struct erspan_metadata *pkt_md, *md;
struct metadata_dst *tun_dst;
struct ip_tunnel_info *info;
- struct erspan_metadata *md;
+ unsigned char *gh;
__be64 tun_id;
__be16 flags;
@@ -571,6 +568,14 @@ static int ip6erspan_rcv(struct sk_buff *skb, int gre_hdr_len,
if (!tun_dst)
return PACKET_REJECT;
+ /* skb can be uncloned in __iptunnel_pull_header, so
+ * old pkt_md is no longer valid and we need to reset
+ * it
+ */
+ gh = skb_network_header(skb) +
+ skb_network_header_len(skb);
+ pkt_md = (struct erspan_metadata *)(gh + gre_hdr_len +
+ sizeof(*ershdr));
info = &tun_dst->u.tun_info;
md = ip_tunnel_info_opts(info);
md->version = ver;
@@ -607,7 +612,7 @@ static int gre_rcv(struct sk_buff *skb)
if (unlikely(tpi.proto == htons(ETH_P_ERSPAN) ||
tpi.proto == htons(ETH_P_ERSPAN2))) {
- if (ip6erspan_rcv(skb, hdr_len, &tpi) == PACKET_RCVD)
+ if (ip6erspan_rcv(skb, &tpi, hdr_len) == PACKET_RCVD)
return 0;
goto out;
}
--
2.19.1
next prev parent reply other threads:[~2019-04-15 19:18 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-15 18:59 [PATCH 5.0 000/117] 5.0.8-stable review Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 001/117] drm/i915/gvt: do not let pin count of shadow mm go negative Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 002/117] kbuild: pkg: use -f $(srctree)/Makefile to recurse to top Makefile Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 003/117] netfilter: nft_compat: use .release_ops and remove list of extension Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 004/117] netfilter: nf_tables: use-after-free in dynamic operations Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 005/117] netfilter: nf_tables: add missing ->release_ops() in error path of newrule() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 006/117] hv_netvsc: Fix unwanted wakeup after tx_disable Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 007/117] ibmvnic: Fix completion structure initialization Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 008/117] ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 009/117] ipv6: Fix dangling pointer when ipv6 fragment Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 010/117] ipv6: sit: reset ip header pointer in ipip6_rcv Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 011/117] kcm: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 012/117] net: ethtool: not call vzalloc for zero sized memory request Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 013/117] net-gro: Fix GRO flush when receiving a GSO packet Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 014/117] net/mlx5: Decrease default mr cache size Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 015/117] netns: provide pure entropy for net_hash_mix() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 016/117] net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 017/117] net/sched: act_sample: fix divide by zero in the traffic path Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 018/117] net/sched: fix ->get helper of the matchall cls Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 019/117] openvswitch: fix flow actions reallocation Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 020/117] qmi_wwan: add Olicard 600 Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 021/117] r8169: disable ASPM again Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 022/117] sctp: initialize _pad of sockaddr_in before copying to user memory Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 023/117] tcp: Ensure DCTCP reacts to losses Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 024/117] tcp: fix a potential NULL pointer dereference in tcp_sk_exit Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 025/117] vrf: check accept_source_route on the original netdevice Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 026/117] net/mlx5e: Fix error handling when refreshing TIRs Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 027/117] net/mlx5e: Add a lock on tir list Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 028/117] nfp: validate the return code from dev_queue_xmit() Greg Kroah-Hartman
2019-04-15 18:59 ` [PATCH 5.0 029/117] nfp: disable netpoll on representors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 030/117] bnxt_en: Improve RX consumer index validity check Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 031/117] bnxt_en: Reset device on RX buffer errors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 032/117] net: ip_gre: fix possible use-after-free in erspan_rcv Greg Kroah-Hartman
2019-04-15 19:00 ` Greg Kroah-Hartman [this message]
2019-04-15 19:00 ` [PATCH 5.0 034/117] net: bridge: always clear mcast matching struct on reports and leaves Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 035/117] net: thunderx: fix NULL pointer dereference in nicvf_open/nicvf_stop Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 036/117] net: vrf: Fix ping failed when vrf mtu is set to 0 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 037/117] net: core: netif_receive_skb_list: unlist skb before passing to pt->func Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 038/117] r8169: disable default rx interrupt coalescing on RTL8168 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 039/117] net: mlx5: Add a missing check on idr_find, free buf Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 040/117] net/mlx5e: Update xoff formula Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 041/117] net/mlx5e: Update xon formula Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 042/117] kbuild: clang: choose GCC_TOOLCHAIN_DIR not on LD Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 043/117] lib/string.c: implement a basic bcmp Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 044/117] Revert "clk: meson: clean-up clock registration" Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 045/117] tty: mark Siemens R3964 line discipline as BROKEN Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 046/117] tty: ldisc: add sysctl to prevent autoloading of ldiscs Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 047/117] hwmon: (w83773g) Select REGMAP_I2C to fix build error Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 048/117] hwmon: (occ) Fix power sensor indexing Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 049/117] SMB3: Allow persistent handle timeout to be configurable on mount Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 050/117] HID: logitech: Handle 0 scroll events for the m560 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 051/117] ACPICA: Clear status of GPEs before enabling them Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 052/117] ACPICA: Namespace: remove address node from global list after method termination Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 053/117] ALSA: seq: Fix OOB-reads from strlcpy Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 054/117] ALSA: hda/realtek: Enable headset MIC of Acer TravelMate B114-21 with ALC233 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 055/117] ALSA: hda/realtek - Add quirk for Tuxedo XC 1509 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 056/117] ALSA: xen-front: Do not use stream buffer size before it is set Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 057/117] ALSA: hda - Add two more machines to the power_save_blacklist Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 058/117] mm/huge_memory.c: fix modifying of page protection by insert_pfn_pmd() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 059/117] arm64: dts: rockchip: fix rk3328 sdmmc0 write errors Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 060/117] mmc: alcor: dont write data before command has completed Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 061/117] mmc: sdhci-omap: Dont finish_mrq() on a command error during tuning Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 062/117] parisc: Detect QEMU earlier in boot process Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 063/117] parisc: regs_return_value() should return gpr28 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 064/117] parisc: also set iaoq_b in instruction_pointer_set() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 065/117] alarmtimer: Return correct remaining time Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 066/117] drm/i915/gvt: do not deliver a workload if its creation fails Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 067/117] drm/sun4i: DW HDMI: Lower max. supported rate for H6 Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 068/117] drm/udl: add a release method and delay modeset teardown Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 069/117] kvm: svm: fix potential get_num_contig_pages overflow Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 070/117] include/linux/bitrev.h: fix constant bitrev Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 071/117] mm: writeback: use exact memcg dirty counts Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 072/117] ASoC: intel: Fix crash at suspend/resume after failed codec registration Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 073/117] ASoC: fsl_esai: fix channel swap issue when stream starts Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 074/117] Btrfs: do not allow trimming when a fs is mounted with the nologreplay option Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 075/117] btrfs: prop: fix zstd compression parameter validation Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 076/117] btrfs: prop: fix vanished compression property after failed set Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 077/117] riscv: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 078/117] block: Revert v5.0 blk_mq_request_issue_directly() changes Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 079/117] block: do not leak memory in bio_copy_user_iov() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 080/117] block: fix the return errno for direct IO Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 081/117] genirq: Respect IRQCHIP_SKIP_SET_WAKE in irq_chip_set_wake_parent() Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 082/117] genirq: Initialize request_mutex if CONFIG_SPARSE_IRQ=n Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 083/117] virtio: Honour may_reduce_num in vring_create_virtqueue Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 084/117] drm/i915/dp: revert back to max link rate and lane count on eDP Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 085/117] ARM: OMAP1: ams-delta: Fix broken GPIO ID allocation Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 086/117] ARM: dts: rockchip: fix rk3288 cpu opp node reference Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 087/117] ARM: dts: am335x-evmsk: Correct the regulators for the audio codec Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 088/117] ARM: dts: am335x-evm: " Greg Kroah-Hartman
2019-04-15 19:00 ` [PATCH 5.0 089/117] ARM: dts: rockchip: Fix SD card detection on rk3288-tinker Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 090/117] ARM: dts: at91: Fix typo in ISC_D0 on PC9 Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 091/117] arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 092/117] arm64: dts: rockchip: Fix vcc_host1_5v GPIO polarity on rk3328-rock64 Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 093/117] arm64: dts: rockchip: fix rk3328 rgmii high tx error rate Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 094/117] arm64: backtrace: Dont bother trying to unwind the userspace stack Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 095/117] arm64/ftrace: fix inadvertent BUG() in trampoline check Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 096/117] IB/mlx5: Reset access mask when looping inside page fault handler Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 097/117] xen: Prevent buffer overflow in privcmd ioctl Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 098/117] sched/fair: Do not re-read ->h_load_next during hierarchical load calculation Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 099/117] xtensa: fix return_address Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 100/117] csky: Fix syscall_get_arguments() and syscall_set_arguments() Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 101/117] x86/asm: Remove dead __GNUC__ conditionals Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 102/117] x86/asm: Use stricter assembly constraints in bitops Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 103/117] x86/perf/amd: Resolve race condition when disabling PMC Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 104/117] x86/perf/amd: Resolve NMI latency issues for active PMCs Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 105/117] x86/perf/amd: Remove need to check "running" bit in NMI handler Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 106/117] PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 107/117] PCI: pciehp: Ignore Link State Changes after powering off a slot Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 108/117] xprtrdma: Fix helper that drains the transport Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 109/117] powerpc/64s/radix: Fix radix segment exception handling Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 110/117] dm integrity: change memcmp to strncmp in dm_integrity_ctr Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 111/117] dm: revert 8f50e358153d ("dm: limit the max bio size as BIO_MAX_PAGES * PAGE_SIZE") Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 112/117] dm table: propagate BDI_CAP_STABLE_WRITES to fix sporadic checksum errors Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 113/117] dm: disable DISCARD if the underlying storage no longer supports it Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 114/117] dm integrity: fix deadlock with overlapping I/O Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 115/117] KVM: x86: nVMX: close leak of L0s x2APIC MSRs (CVE-2019-3887) Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 116/117] KVM: x86: nVMX: fix x2APIC VTPR read intercept Greg Kroah-Hartman
2019-04-15 19:01 ` [PATCH 5.0 117/117] drm/virtio: do NOT reuse resource ids Greg Kroah-Hartman
2019-04-16 10:34 ` [PATCH 5.0 000/117] 5.0.8-stable review Jon Hunter
2019-04-17 11:03 ` Greg Kroah-Hartman
2019-04-16 11:27 ` Naresh Kamboju
2019-04-17 11:04 ` Greg Kroah-Hartman
2019-04-16 16:31 ` Guenter Roeck
2019-04-16 21:41 ` shuah
2019-04-17 6:15 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190415183746.663885941@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.bianconi@redhat.com \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).