acrn-kernel/net/ipv6
Eric Dumazet 864e2a1f8a ipv6: flowlabel: do not leave opt->tot_len with garbage
When syzkaller team brought us a C repro for the crash [1] that
had been reported many times in the past, I finally could find
the root cause.

If FlowLabel info is merged by fl6_merge_options(), we leave
part of the opt_space storage provided by udp/raw/l2tp with random value
in opt_space.tot_len, unless a control message was provided at sendmsg()
time.

Then ip6_setup_cork() would use this random value to perform a kzalloc()
call. Undefined behavior and crashes.

Fix is to properly set tot_len in fl6_merge_options()

At the same time, we can also avoid consuming memory and cpu cycles
to clear it, if every option is copied via a kmemdup(). This is the
change in ip6_setup_cork().

[1]
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 6613 Comm: syz-executor0 Not tainted 4.14.0-rc4+ #127
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801cb64a100 task.stack: ffff8801cc350000
RIP: 0010:ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168
RSP: 0018:ffff8801cc357550 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff8801cc357748 RCX: 0000000000000010
RDX: 0000000000000002 RSI: ffffffff842bd1d9 RDI: 0000000000000014
RBP: ffff8801cc357620 R08: ffff8801cb17f380 R09: ffff8801cc357b10
R10: ffff8801cb64a100 R11: 0000000000000000 R12: ffff8801cc357ab0
R13: ffff8801cc357b10 R14: 0000000000000000 R15: ffff8801c3bbf0c0
FS:  00007f9c5c459700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020324000 CR3: 00000001d1cf2000 CR4: 00000000001406f0
DR0: 0000000020001010 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Call Trace:
 ip6_make_skb+0x282/0x530 net/ipv6/ip6_output.c:1729
 udpv6_sendmsg+0x2769/0x3380 net/ipv6/udp.c:1340
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x358/0x5a0 net/socket.c:1750
 SyS_sendto+0x40/0x50 net/socket.c:1718
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4520a9
RSP: 002b:00007f9c5c458c08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 00000000004520a9
RDX: 0000000000000001 RSI: 0000000020fd1000 RDI: 0000000000000016
RBP: 0000000000000086 R08: 0000000020e0afe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000216 R12: 00000000004bb1ee
R13: 00000000ffffffff R14: 0000000000000016 R15: 0000000000000029
Code: e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 ea 0f 00 00 48 8d 79 04 48 b8 00 00 00 00 00 fc ff df 45 8b 74 24 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP: ip6_setup_cork+0x274/0x15c0 net/ipv6/ip6_output.c:1168 RSP: ffff8801cc357550

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-22 03:22:24 +01:00
..
ila
netfilter netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook 2017-10-09 13:08:39 +02:00
Kconfig ipv6: sr: add helper functions for seg6local 2017-08-25 17:10:24 -07:00
Makefile
addrconf.c ipv6: fix net.ipv6.conf.all.accept_dad behaviour for real 2017-10-07 23:10:05 +01:00
addrconf_core.c
addrlabel.c addrlabel: add/delete/get can run without rtnl 2017-08-29 09:41:56 -07:00
af_inet6.c ipv6: Add sysctl for per namespace flow label reflection 2017-08-24 18:05:43 -07:00
ah6.c
anycast.c
calipso.c
datagram.c
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
exthdrs.c
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c net: Add module reference to FIB notifiers 2017-09-01 20:33:42 -07:00
fib6_rules.c
fou6.c
icmp.c ipv6: Use rt6i_idev index for echo replies to a local address 2017-08-29 15:32:25 -07:00
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c
ip6_fib.c ipv6: fix typo in fib6_net_exit() 2017-09-08 16:09:04 -07:00
ip6_flowlabel.c ipv6: flowlabel: do not leave opt->tot_len with garbage 2017-10-22 03:22:24 +01:00
ip6_gre.c ip6_gre: ip6gre_tap device should keep dst 2017-10-01 03:46:42 +01:00
ip6_icmp.c
ip6_input.c
ip6_offload.c gso: fix payload length when gso_size is zero 2017-10-08 10:12:15 -07:00
ip6_offload.h
ip6_output.c ipv6: flowlabel: do not leave opt->tot_len with garbage 2017-10-22 03:22:24 +01:00
ip6_tunnel.c ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path 2017-10-01 03:46:42 +01:00
ip6_udp_tunnel.c
ip6_vti.c vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit 2017-09-26 09:58:21 -07:00
ip6mr.c
ipcomp6.c
ipv6_sockglue.c ipv6: do not set sk_destruct in IPV6_ADDRFORM sockopt 2017-08-29 10:54:40 -07:00
mcast.c
mcast_snoop.c
mip6.c
ndisc.c neigh: increase queue_len_bytes to match wmem_default 2017-08-29 16:10:50 -07:00
netfilter.c
output_core.c ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 2017-08-22 10:23:26 -07:00
ping.c
proc.c
protocol.c
raw.c
reassembly.c Revert "net: fix percpu memory leaks" 2017-09-03 11:01:05 -07:00
route.c ipv6: Fix traffic triggered IPsec connections. 2017-10-09 09:39:26 -07:00
seg6.c
seg6_hmac.c ipv6: sr: Use ARRAY_SIZE macro 2017-09-01 18:35:23 -07:00
seg6_iptunnel.c ipv6: sr: add support for encapsulation of L2 frames 2017-08-25 17:10:23 -07:00
seg6_local.c ipv6: sr: remove duplicate routing header type check 2017-09-11 14:34:10 -07:00
sit.c
syncookies.c
sysctl_net_ipv6.c ipv6: Add sysctl for per namespace flow label reflection 2017-08-24 18:05:43 -07:00
tcp_ipv6.c tcp: fix a request socket leak 2017-09-08 16:07:17 -07:00
tcpv6_offload.c
tunnel6.c
udp.c udpv6: Fix the checksum computation when HW checksum does not apply 2017-09-18 11:43:03 -07:00
udp_impl.h
udp_offload.c
udplite.c
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c net: xfrm: support setting an output mark. 2017-08-11 07:03:00 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c