From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
David Ahern <dsa@cumulusnetworks.com>,
Martin KaFai Lau <kafai@fb.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.10 29/62] net: ipv6: RTF_PCPU should not be settable from userspace
Date: Mon, 1 May 2017 14:34:42 -0700 [thread overview]
Message-ID: <20170501212731.903795971@linuxfoundation.org> (raw)
In-Reply-To: <20170501212730.774855694@linuxfoundation.org>
4.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Ahern <dsa@cumulusnetworks.com>
[ Upstream commit 557c44be917c322860665be3d28376afa84aa936 ]
Andrey reported a fault in the IPv6 route code:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880069809600 task.stack: ffff880062dc8000
RIP: 0010:ip6_rt_cache_alloc+0xa6/0x560 net/ipv6/route.c:975
RSP: 0018:ffff880062dced30 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800670561c0 RCX: 0000000000000006
RDX: 0000000000000003 RSI: ffff880062dcfb28 RDI: 0000000000000018
RBP: ffff880062dced68 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880062dcfb28 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007feebe37e7c0(0000) GS:ffff88006cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205a0fe4 CR3: 000000006b5c9000 CR4: 00000000000006e0
Call Trace:
ip6_pol_route+0x1512/0x1f20 net/ipv6/route.c:1128
ip6_pol_route_output+0x4c/0x60 net/ipv6/route.c:1212
...
Andrey's syzkaller program passes rtmsg.rtmsg_flags with the RTF_PCPU bit
set. Flags passed to the kernel are blindly copied to the allocated
rt6_info by ip6_route_info_create making a newly inserted route appear
as though it is a per-cpu route. ip6_rt_cache_alloc sees the flag set
and expects rt->dst.from to be set - which it is not since it is not
really a per-cpu copy. The subsequent call to __ip6_dst_alloc then
generates the fault.
Fix by checking for the flag and failing with EINVAL.
Fixes: d52d3997f843f ("ipv6: Create percpu rt6_info")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/ipv6_route.h | 2 +-
net/ipv6/route.c | 4 ++++
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/include/uapi/linux/ipv6_route.h
+++ b/include/uapi/linux/ipv6_route.h
@@ -34,7 +34,7 @@
#define RTF_PREF(pref) ((pref) << 27)
#define RTF_PREF_MASK 0x18000000
-#define RTF_PCPU 0x40000000
+#define RTF_PCPU 0x40000000 /* read-only: can not be set by user */
#define RTF_LOCAL 0x80000000
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1831,6 +1831,10 @@ static struct rt6_info *ip6_route_info_c
int addr_type;
int err = -EINVAL;
+ /* RTF_PCPU is an internal flag; can not be set by userspace */
+ if (cfg->fc_flags & RTF_PCPU)
+ goto out;
+
if (cfg->fc_dst_len > 128 || cfg->fc_src_len > 128)
goto out;
#ifndef CONFIG_IPV6_SUBTREES
next prev parent reply other threads:[~2017-05-01 21:43 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-01 21:34 [PATCH 4.10 00/62] 4.10.14-stable review Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 01/62] ping: implement proper locking Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 02/62] sparc64: kern_addr_valid regression Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 03/62] sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write() Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 04/62] net: neigh: guard against NULL solicit() method Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 05/62] net: phy: handle state correctly in phy_stop_machine Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 06/62] kcm: return immediately after copy_from_user() failure Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 07/62] secure_seq: downgrade to per-host timestamp offsets Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 08/62] bpf: improve verifier packet range checks Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 09/62] net/mlx5: Avoid dereferencing uninitialized pointer Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 10/62] l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 11/62] l2tp: purge socket queues in the .destruct() callback Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 12/62] net/packet: fix overflow in check for tp_frame_nr Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 13/62] net/packet: fix overflow in check for tp_reserve Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 14/62] openvswitch: Fix ovs_flow_key_update() Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 15/62] l2tp: take reference on sessions being dumped Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 16/62] l2tp: fix PPP pseudo-wire auto-loading Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 17/62] net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 18/62] sctp: listen on the sock only when its state is listening or closed Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 19/62] tcp: clear saved_syn in tcp_disconnect() Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 20/62] ipv6: Fix idev->addr_list corruption Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 21/62] net-timestamp: avoid use-after-free in ip_recv_error Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 22/62] net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 23/62] sh_eth: unmap DMA buffers when freeing rings Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 24/62] ipv6: sr: fix out-of-bounds access in SRH validation Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 26/62] ipv6: sr: fix double free of skb after handling invalid SRH Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 27/62] ipv6: fix source routing Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 28/62] gso: Validate assumption of frag_list segementation Greg Kroah-Hartman
2017-05-01 21:34 ` Greg Kroah-Hartman [this message]
2017-05-01 21:34 ` [PATCH 4.10 30/62] netpoll: Check for skb->queue_mapping Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 31/62] ip6mr: fix notification device destruction Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 32/62] net/mlx5: Fix driver load bad flow when having fw initializing timeout Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 33/62] net/mlx5: E-Switch, Correctly deal with inline mode on ConnectX-5 Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 34/62] net/mlx5e: Fix small packet threshold Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 35/62] net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 36/62] tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 37/62] tcp: mark skbs with SCM_TIMESTAMPING_OPT_STATS Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 38/62] macvlan: Fix device ref leak when purging bc_queue Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 39/62] net: ipv6: regenerate host route if moved to gc list Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 40/62] net: phy: fix auto-negotiation stall due to unavailable interrupt Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 41/62] ipv6: check skb->protocol before lookup for nexthop Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 42/62] tcp: memset ca_priv data to 0 properly Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 43/62] ipv6: check raw payload size correctly in ioctl Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 44/62] ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 45/62] ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type Greg Kroah-Hartman
2017-05-01 21:34 ` [PATCH 4.10 46/62] ALSA: seq: Dont break snd_use_lock_sync() loop by timeout Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 47/62] scsi: return correct blkprep status code in case scsi_init_io() fails Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 48/62] ARC: [plat-eznps] Fix build error Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 49/62] MIPS: KGDB: Use kernel context for sleeping threads Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 50/62] MIPS: cevt-r4k: Fix out-of-bounds array access Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 51/62] MIPS: Avoid BUG warning in arch_check_elf Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 52/62] p9_client_readdir() fix Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 53/62] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 56/62] nfsd4: minor NFSv2/v3 write decoding cleanup Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 58/62] ceph: fix recursion between ceph_set_acl() and __ceph_setattr() Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 59/62] macsec: avoid heap overflow in skb_to_sgvec Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 60/62] net: can: usb: gs_usb: Fix buffer on stack Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 61/62] cpu/hotplug: Serialize callback invocations proper Greg Kroah-Hartman
2017-05-01 21:35 ` [PATCH 4.10 62/62] ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram Greg Kroah-Hartman
[not found] ` <20170501212732.861897612@linuxfoundation.org>
2017-05-02 1:14 ` [PATCH 4.10 54/62] Input: i8042 - add Clevo P650RS to the i8042 reset list Ed Bordin
2017-05-02 1:22 ` Dmitry Torokhov
2017-05-02 2:16 ` Ed Bordin
[not found] ` <5908121b.4778370a.18c89.ea22@mx.google.com>
2017-05-02 13:54 ` [PATCH 4.10 00/62] 4.10.14-stable review Shuah Khan
2017-05-02 17:05 ` Greg Kroah-Hartman
2017-05-02 17:05 ` Greg Kroah-Hartman
2017-05-02 17:36 ` Guenter Roeck
2017-05-02 18:33 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170501212731.903795971@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=dsa@cumulusnetworks.com \
--cc=kafai@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).