* [PATCH net] dccp: Fix out of bounds access in DCCP error handler
@ 2023-08-25 13:32 Jann Horn
2023-08-25 18:35 ` Kuniyuki Iwashima
2023-08-28 9:20 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 3+ messages in thread
From: Jann Horn @ 2023-08-25 13:32 UTC (permalink / raw)
To: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni, dccp, netdev
There was a previous attempt to fix an out-of-bounds access in the DCCP
error handlers, but that fix assumed that the error handlers only want
to access the first 8 bytes of the DCCP header. Actually, they also look
at the DCCP sequence number, which is stored beyond 8 bytes, so an
explicit pskb_may_pull() is required.
Fixes: 6706a97fec96 ("dccp: fix out of bound access in dccp_v4_err()")
Fixes: 1aa9d1a0e7ee ("ipv6: dccp: fix out of bound access in dccp_v6_err()")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
net/dccp/ipv4.c | 13 +++++++++----
net/dccp/ipv6.c | 15 ++++++++++-----
2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
index fa8079303cb0..dcd2fb774d82 100644
--- a/net/dccp/ipv4.c
+++ b/net/dccp/ipv4.c
@@ -255,12 +255,17 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info)
int err;
struct net *net = dev_net(skb->dev);
- /* Only need dccph_dport & dccph_sport which are the first
- * 4 bytes in dccp header.
+ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+ * which is in byte 7 of the dccp header.
* Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
+ *
+ * Later on, we want to access the sequence number fields, which are
+ * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
*/
- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+ iph = (struct iphdr *)skb->data;
dh = (struct dccp_hdr *)(skb->data + offset);
sk = __inet_lookup_established(net, &dccp_hashinfo,
diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index d29d1163203d..25816e790527 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -74,7 +74,7 @@ static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
u8 type, u8 code, int offset, __be32 info)
{
- const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
+ const struct ipv6hdr *hdr;
const struct dccp_hdr *dh;
struct dccp_sock *dp;
struct ipv6_pinfo *np;
@@ -83,12 +83,17 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
__u64 seq;
struct net *net = dev_net(skb->dev);
- /* Only need dccph_dport & dccph_sport which are the first
- * 4 bytes in dccp header.
+ /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
+ * which is in byte 7 of the dccp header.
* Our caller (icmpv6_notify()) already pulled 8 bytes for us.
+ *
+ * Later on, we want to access the sequence number fields, which are
+ * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
*/
- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
- BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
+ dh = (struct dccp_hdr *)(skb->data + offset);
+ if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
+ return -EINVAL;
+ hdr = (const struct ipv6hdr *)skb->data;
dh = (struct dccp_hdr *)(skb->data + offset);
sk = __inet6_lookup_established(net, &dccp_hashinfo,
base-commit: 93f5de5f648d2b1ce3540a4ac71756d4a852dc23
--
2.42.0.rc1.204.g551eb34607-goog
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] dccp: Fix out of bounds access in DCCP error handler
2023-08-25 13:32 [PATCH net] dccp: Fix out of bounds access in DCCP error handler Jann Horn
@ 2023-08-25 18:35 ` Kuniyuki Iwashima
2023-08-28 9:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: Kuniyuki Iwashima @ 2023-08-25 18:35 UTC (permalink / raw)
To: jannh; +Cc: davem, dccp, edumazet, kuba, netdev, pabeni, Kuniyuki Iwashima
From: Jann Horn <jannh@google.com>
Date: Fri, 25 Aug 2023 15:32:41 +0200
> There was a previous attempt to fix an out-of-bounds access in the DCCP
> error handlers, but that fix assumed that the error handlers only want
> to access the first 8 bytes of the DCCP header. Actually, they also look
> at the DCCP sequence number, which is stored beyond 8 bytes, so an
> explicit pskb_may_pull() is required.
>
> Fixes: 6706a97fec96 ("dccp: fix out of bound access in dccp_v4_err()")
> Fixes: 1aa9d1a0e7ee ("ipv6: dccp: fix out of bound access in dccp_v6_err()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
> ---
> net/dccp/ipv4.c | 13 +++++++++----
> net/dccp/ipv6.c | 15 ++++++++++-----
> 2 files changed, 19 insertions(+), 9 deletions(-)
>
> diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c
> index fa8079303cb0..dcd2fb774d82 100644
> --- a/net/dccp/ipv4.c
> +++ b/net/dccp/ipv4.c
> @@ -255,12 +255,17 @@ static int dccp_v4_err(struct sk_buff *skb, u32 info)
> int err;
> struct net *net = dev_net(skb->dev);
>
> - /* Only need dccph_dport & dccph_sport which are the first
> - * 4 bytes in dccp header.
> + /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
> + * which is in byte 7 of the dccp header.
> * Our caller (icmp_socket_deliver()) already pulled 8 bytes for us.
> + *
> + * Later on, we want to access the sequence number fields, which are
> + * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
> */
> - BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
> - BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
> + dh = (struct dccp_hdr *)(skb->data + offset);
> + if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
> + return -EINVAL;
> + iph = (struct iphdr *)skb->data;
> dh = (struct dccp_hdr *)(skb->data + offset);
>
> sk = __inet_lookup_established(net, &dccp_hashinfo,
> diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
> index d29d1163203d..25816e790527 100644
> --- a/net/dccp/ipv6.c
> +++ b/net/dccp/ipv6.c
> @@ -74,7 +74,7 @@ static inline __u64 dccp_v6_init_sequence(struct sk_buff *skb)
> static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
> u8 type, u8 code, int offset, __be32 info)
> {
> - const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
> + const struct ipv6hdr *hdr;
> const struct dccp_hdr *dh;
> struct dccp_sock *dp;
> struct ipv6_pinfo *np;
> @@ -83,12 +83,17 @@ static int dccp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
> __u64 seq;
> struct net *net = dev_net(skb->dev);
>
> - /* Only need dccph_dport & dccph_sport which are the first
> - * 4 bytes in dccp header.
> + /* For the first __dccp_basic_hdr_len() check, we only need dh->dccph_x,
> + * which is in byte 7 of the dccp header.
> * Our caller (icmpv6_notify()) already pulled 8 bytes for us.
> + *
> + * Later on, we want to access the sequence number fields, which are
> + * beyond 8 bytes, so we have to pskb_may_pull() ourselves.
> */
> - BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_sport) > 8);
> - BUILD_BUG_ON(offsetofend(struct dccp_hdr, dccph_dport) > 8);
> + dh = (struct dccp_hdr *)(skb->data + offset);
> + if (!pskb_may_pull(skb, offset + __dccp_basic_hdr_len(dh)))
> + return -EINVAL;
> + hdr = (const struct ipv6hdr *)skb->data;
> dh = (struct dccp_hdr *)(skb->data + offset);
>
> sk = __inet6_lookup_established(net, &dccp_hashinfo,
>
> base-commit: 93f5de5f648d2b1ce3540a4ac71756d4a852dc23
> --
> 2.42.0.rc1.204.g551eb34607-goog
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] dccp: Fix out of bounds access in DCCP error handler
2023-08-25 13:32 [PATCH net] dccp: Fix out of bounds access in DCCP error handler Jann Horn
2023-08-25 18:35 ` Kuniyuki Iwashima
@ 2023-08-28 9:20 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-08-28 9:20 UTC (permalink / raw)
To: Jann Horn; +Cc: davem, edumazet, kuba, pabeni, dccp, netdev
Hello:
This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:
On Fri, 25 Aug 2023 15:32:41 +0200 you wrote:
> There was a previous attempt to fix an out-of-bounds access in the DCCP
> error handlers, but that fix assumed that the error handlers only want
> to access the first 8 bytes of the DCCP header. Actually, they also look
> at the DCCP sequence number, which is stored beyond 8 bytes, so an
> explicit pskb_may_pull() is required.
>
> Fixes: 6706a97fec96 ("dccp: fix out of bound access in dccp_v4_err()")
> Fixes: 1aa9d1a0e7ee ("ipv6: dccp: fix out of bound access in dccp_v6_err()")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
>
> [...]
Here is the summary with links:
- [net] dccp: Fix out of bounds access in DCCP error handler
https://git.kernel.org/netdev/net/c/977ad86c2a1b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-08-28 9:20 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-08-25 13:32 [PATCH net] dccp: Fix out of bounds access in DCCP error handler Jann Horn
2023-08-25 18:35 ` Kuniyuki Iwashima
2023-08-28 9:20 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).