From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
Stephen Suryaputra <ssuryaextr@gmail.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 11/86] ipv4: add sanity checks in ipv4_link_failure()
Date: Wed, 15 May 2019 12:54:48 +0200 [thread overview]
Message-ID: <20190515090644.755957440@linuxfoundation.org> (raw)
In-Reply-To: <20190515090642.339346723@linuxfoundation.org>
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 20ff83f10f113c88d0bb74589389b05250994c16 ]
Before calling __ip_options_compile(), we need to ensure the network
header is a an IPv4 one, and that it is already pulled in skb->head.
RAW sockets going through a tunnel can end up calling ipv4_link_failure()
with total garbage in the skb, or arbitrary lengthes.
syzbot report :
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204
CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x123/0x190 mm/kasan/generic.c:191
memcpy+0x38/0x50 mm/kasan/common.c:133
memcpy include/linux/string.h:355 [inline]
__ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
__icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
dst_link_failure include/net/dst.h:427 [inline]
vti6_xmit net/ipv6/ip6_vti.c:514 [inline]
vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553
__netdev_start_xmit include/linux/netdevice.h:4414 [inline]
netdev_start_xmit include/linux/netdevice.h:4423 [inline]
xmit_one net/core/dev.c:3292 [inline]
dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308
__dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878
dev_queue_xmit+0x18/0x20 net/core/dev.c:3911
neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
neigh_output include/net/neighbour.h:508 [inline]
ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229
ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:278 [inline]
ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:444 [inline]
NF_HOOK include/linux/netfilter.h:289 [inline]
raw_send_hdrinc net/ipv4/raw.c:432 [inline]
raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663
inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xdd/0x130 net/socket.c:661
sock_write_iter+0x27c/0x3e0 net/socket.c:988
call_write_iter include/linux/fs.h:1866 [inline]
new_sync_write+0x4c7/0x760 fs/read_write.c:474
__vfs_write+0xe4/0x110 fs/read_write.c:487
vfs_write+0x20c/0x580 fs/read_write.c:549
ksys_write+0x14f/0x2d0 fs/read_write.c:599
__do_sys_write fs/read_write.c:611 [inline]
__se_sys_write fs/read_write.c:608 [inline]
__x64_sys_write+0x73/0xb0 fs/read_write.c:608
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458c29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4
R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff
The buggy address belongs to the page:
page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
^
ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/route.c | 34 ++++++++++++++++++++++++----------
1 file changed, 24 insertions(+), 10 deletions(-)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1148,25 +1148,39 @@ static struct dst_entry *ipv4_dst_check(
return dst;
}
-static void ipv4_link_failure(struct sk_buff *skb)
+static void ipv4_send_dest_unreach(struct sk_buff *skb)
{
struct ip_options opt;
- struct rtable *rt;
int res;
/* Recompile ip options since IPCB may not be valid anymore.
+ * Also check we have a reasonable ipv4 header.
*/
- memset(&opt, 0, sizeof(opt));
- opt.optlen = ip_hdr(skb)->ihl*4 - sizeof(struct iphdr);
-
- rcu_read_lock();
- res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
- rcu_read_unlock();
-
- if (res)
+ if (!pskb_network_may_pull(skb, sizeof(struct iphdr)) ||
+ ip_hdr(skb)->version != 4 || ip_hdr(skb)->ihl < 5)
return;
+ memset(&opt, 0, sizeof(opt));
+ if (ip_hdr(skb)->ihl > 5) {
+ if (!pskb_network_may_pull(skb, ip_hdr(skb)->ihl * 4))
+ return;
+ opt.optlen = ip_hdr(skb)->ihl * 4 - sizeof(struct iphdr);
+
+ rcu_read_lock();
+ res = __ip_options_compile(dev_net(skb->dev), &opt, skb, NULL);
+ rcu_read_unlock();
+
+ if (res)
+ return;
+ }
__icmp_send(skb, ICMP_DEST_UNREACH, ICMP_HOST_UNREACH, 0, &opt);
+}
+
+static void ipv4_link_failure(struct sk_buff *skb)
+{
+ struct rtable *rt;
+
+ ipv4_send_dest_unreach(skb);
rt = skb_rtable(skb);
if (rt)
next prev parent reply other threads:[~2019-05-15 12:22 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-15 10:54 [PATCH 3.18 00/86] 3.18.140-stable review Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 01/86] MIPS: scall64-o32: Fix indirect syscall number load Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 02/86] trace: Fix preempt_enable_no_resched() abuse Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 03/86] sched/numa: Fix a possible divide-by-zero Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 04/86] ceph: ensure d_name stability in ceph_dentry_hash() Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 05/86] sunrpc: dont mark uninitialised items as VALID Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 06/86] slip: make slhc_free() silently accept an error pointer Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 07/86] fs/proc/proc_sysctl.c: Fix a NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 08/86] NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 09/86] netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 10/86] Revert "block/loop: Use global lock for ioctl() operation." Greg Kroah-Hartman
2019-05-15 10:54 ` Greg Kroah-Hartman [this message]
2019-05-15 10:54 ` [PATCH 3.18 12/86] team: fix possible recursive locking when add slaves Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 13/86] net: stmmac: move stmmac_check_ether_addr() to driver probe Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 14/86] qlcnic: Avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 15/86] usb: gadget: net2280: Fix overrun of OUT messages Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 16/86] usb: gadget: net2272: Fix net2272_dequeue() Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 17/86] net: ks8851: Dequeue RX packets explicitly Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 18/86] net: ks8851: Reassert reset pin if chip ID check fails Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 19/86] net: ks8851: Delay requesting IRQ until opened Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 20/86] net: ks8851: Set initial carrier state to down Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 21/86] net: ibm: fix possible object reference leak Greg Kroah-Hartman
2019-05-15 10:54 ` [PATCH 3.18 22/86] scsi: qla4xxx: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 23/86] usb: u132-hcd: fix resource leak Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 24/86] ceph: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 25/86] scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 26/86] libata: fix using DMA buffers on stack Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 27/86] kconfig/[mn]conf: handle backspace (^H) key Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 28/86] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 29/86] ipv6: invert flowlabel sharing check in process and user mode Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 30/86] packet: validate msg_namelen in send directly Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 31/86] ipv6/flowlabel: wait rcu grace period before put_pid() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 32/86] USB: yurex: Fix protection fault after device removal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 33/86] USB: w1 ds2490: Fix bug caused by improper use of altsetting array Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 34/86] USB: core: Fix unterminated string returned by usb_string() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 35/86] USB: media: disable tlg2300 driver Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 36/86] USB: core: Fix bug caused by duplicate interface PM usage counter Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 37/86] HID: debug: fix race condition with between rdesc_show() and device removal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 38/86] rtc: sh: Fix invalid alarm warning for non-enabled alarm Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 39/86] igb: Fix WARN_ONCE on runtime suspend Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 40/86] bonding: show full hw address in sysfs for slave entries Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 41/86] jffs2: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 42/86] scsi: storvsc: Fix calculation of sub-channel count Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 43/86] hugetlbfs: fix memory leak for resv_map Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 44/86] xsysace: Fix error handling in ace_setup Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 45/86] ARM: orion: dont use using 64-bit DMA masks Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 46/86] ARM: iop: " Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 47/86] usb: usbip: fix isoc packet num validation in get_pipe Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 48/86] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 49/86] staging: iio: adt7316: fix the dac read calculation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 50/86] staging: iio: adt7316: fix the dac write calculation Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 51/86] media: v4l2: i2c: ov7670: Fix PLL bypass register values Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 52/86] scsi: libsas: fix a race condition when smp task timeout Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 53/86] ASoC:soc-pcm:fix a codec fixup issue in TDM case Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 54/86] ASoC: cs4270: Set auto-increment bit for register writes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 55/86] ASoC: tlv320aic32x4: Fix Common Pins Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 56/86] scsi: csiostor: fix missing data copy in csio_scsi_err_handler() Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 57/86] iommu/amd: Set exclusion range correctly Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 58/86] genirq: Prevent use-after-free and work list corruption Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 59/86] scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 60/86] Bluetooth: hidp: fix buffer overflow Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 61/86] Bluetooth: Align minimum encryption key size for LE and BR/EDR connections Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 62/86] timer/debug: Change /proc/timer_stats from 0644 to 0600 Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 63/86] netfilter: compat: initialize all fields in xt_init Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 64/86] platform/x86: sony-laptop: Fix unintentional fall-through Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 65/86] iio: adc: xilinx: fix potential use-after-free on remove Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 66/86] HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 67/86] s390/dasd: Fix capacity calculation for large volumes Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 68/86] s390/3270: fix lockdep false positive on view->lock Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 69/86] KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 70/86] tools lib traceevent: Fix missing equality check for strcmp Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 71/86] init: initialize jump labels before command line option parsing Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 72/86] s390: ctcm: fix ctcm_new_device error return code Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 73/86] selftests/net: correct the return value for run_netsocktests Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 74/86] gpu: ipu-v3: dp: fix CSC handling Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 75/86] Dont jump to compute_result state from check_result state Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 76/86] USB: serial: use variable for status Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 77/86] USB: serial: fix unthrottle races Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 78/86] bridge: Fix error path for kobject_init_and_add() Greg Kroah-Hartman
2019-05-15 20:48 ` Tobin C. Harding
2019-05-16 5:57 ` Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 79/86] net: ucc_geth - fix Oops when changing number of buffers in the ring Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 80/86] packet: Fix error path in packet_init Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 81/86] vlan: disable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2019-05-15 10:55 ` [PATCH 3.18 82/86] ipv4: Fix raw socket lookup for local traffic Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 83/86] bonding: fix arp_validate toggling in active-backup mode Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 84/86] drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 85/86] drivers/virt/fsl_hypervisor.c: prevent integer overflow " Greg Kroah-Hartman
2019-05-15 10:56 ` [PATCH 3.18 86/86] powerpc/booke64: set RI in default MSR Greg Kroah-Hartman
2019-05-15 15:07 ` [PATCH 3.18 00/86] 3.18.140-stable review kernelci.org bot
2019-05-16 3:33 ` Guenter Roeck
2019-05-16 14:27 ` shuah
2019-05-16 14:59 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190515090644.755957440@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=ssuryaextr@gmail.com \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).