From: Eric Dumazet <eric.dumazet@gmail.com>
To: Young Xiao <92siuyang@gmail.com>,
davem@davemloft.net, kuznet@ms2.inr.ac.ru,
yoshfuji@linux-ipv6.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org,
Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options
Date: Thu, 30 May 2019 10:17:04 -0700 [thread overview]
Message-ID: <c83f8777-f6be-029b-980d-9f974b4e28ce@gmail.com> (raw)
In-Reply-To: <1559230098-1543-1-git-send-email-92siuyang@gmail.com>
On 5/30/19 8:28 AM, Young Xiao wrote:
> The fragmentation code tries to parse the header options in order
> to figure out where to insert the fragment option. Since nexthdr points
> to an invalid option, the calculation of the size of the network header
> can made to be much larger than the linear section of the skb and data
> is read outside of it.
>
> This vulnerability is similar to CVE-2017-9074.
>
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
> net/ipv6/mip6.c | 24 ++++++++++++++----------
> 1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
> index 64f0f7b..30ed1c5 100644
> --- a/net/ipv6/mip6.c
> +++ b/net/ipv6/mip6.c
> @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> u8 **nexthdr)
> {
> u16 offset = sizeof(struct ipv6hdr);
> - struct ipv6_opt_hdr *exthdr =
> - (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
> const unsigned char *nh = skb_network_header(skb);
> unsigned int packet_len = skb_tail_pointer(skb) -
> skb_network_header(skb);
> @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>
> *nexthdr = &ipv6_hdr(skb)->nexthdr;
>
> - while (offset + 1 <= packet_len) {
> + while (offset <= packet_len) {
> + struct ipv6_opt_hdr *exthdr;
>
> switch (**nexthdr) {
> case NEXTHDR_HOP:
> @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> return offset;
> }
>
> + if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
> + return -EINVAL;
> +
> + exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> offset += ipv6_optlen(exthdr);
> *nexthdr = &exthdr->nexthdr;
> - exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> }
>
> - return offset;
> + return -EINVAL;
> }
>
Ok, but have you checked that callers have been fixed ?
xfrm6_transport_output() seems buggy as well,
unless the skbs are linearized before entering these functions ?
Thanks.
next prev parent reply other threads:[~2019-05-30 17:17 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-30 15:28 [PATCH] ipv6: Prevent overrun when parsing v6 header options Young Xiao
2019-05-30 17:17 ` Eric Dumazet [this message]
2019-05-31 3:04 ` Yang Xiao
2019-05-31 17:35 ` Eric Dumazet
2019-06-04 6:59 ` Yang Xiao
2019-06-04 13:29 ` Eric Dumazet
2019-05-31 6:29 ` Herbert Xu
2019-05-31 14:50 ` Eric Dumazet
2019-05-31 14:54 ` Herbert Xu
2019-05-31 15:57 ` Eric Dumazet
2019-05-31 16:12 ` Yang Xiao
-- strict thread matches above, loose matches on Subject: below --
2020-12-27 14:11 Defang Bo
2020-12-28 23:03 ` David Miller
2019-04-12 3:34 Young Xiao
2019-04-17 3:45 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c83f8777-f6be-029b-980d-9f974b4e28ce@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=92siuyang@gmail.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.