* [Patch net v2] ipv6: check for ip6_null_entry in __ip6_del_rt_siblings()
@ 2017-02-27 21:34 Cong Wang
2017-02-27 21:52 ` Eric Dumazet
2017-02-28 6:16 ` kbuild test robot
0 siblings, 2 replies; 3+ messages in thread
From: Cong Wang @ 2017-02-27 21:34 UTC (permalink / raw)
To: netdev; +Cc: andreyknvl, Cong Wang, David Ahern, Eric Dumazet
Andrey reported a NULL pointer deref bug in ipv6_route_ioctl()
-> ip6_route_del() -> __ip6_del_rt_siblings() code path. This is
because ip6_null_entry is returned in this path since ip6_null_entry
is kinda default for an ipv6 route table root node. Quote from
David Ahern:

  ip6_null_entry is the root of all ipv6 fib tables making it integrated
  into the table ...

We should ignore any attempt of trying to delete it, like we do in
__ip6_del_rt() path and several others.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Fixes: 0ae8133586ad ("net: ipv6: Allow shorthand delete of all nexthops in multipath route")
Cc: David Ahern <dsa@cumulusnetworks.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/ipv6/route.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index f54f426..78be2cb 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2169,10 +2169,13 @@ int ip6_del_rt(struct rt6_info *rt)
static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
{
struct nl_info *info = &cfg->fc_nlinfo;
+ struct net *net = info->nl_net;
struct sk_buff *skb = NULL;
struct fib6_table *table;
int err;
+ if (rt == net->ipv6.ip6_null_entry)
+ goto out_put;
table = rt->rt6i_table;
write_lock_bh(&table->tb6_lock);
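Review bot: The new `goto out_put` in the ip6_null_entry check runs before anything has assigned `err`, which is declared just above as `int err;` with no initializer, so this path carries an indeterminate value to the function's return. Set an explicit result before the jump, for example `err = -ENOENT;` inside a braced if, or initialize `err` at its declaration. The commit message says the delete attempt should be ignored, so the patch should also make clear which return code "ignored" means for the caller.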
@@ -2184,7 +2187,7 @@ static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
if (skb) {
u32 seq = info->nlh ? info->nlh->nlmsg_seq : 0;
- if (rt6_fill_node(info->nl_net, skb, rt,
+ if (rt6_fill_node(net, skb, rt,
NULL, NULL, 0, RTM_DELROUTE,
info->portid, seq, 0) < 0) {
kfree_skb(skb);
@@ -2205,10 +2208,11 @@ static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
err = fib6_del(rt, info);
out:
write_unlock_bh(&table->tb6_lock);
+out_put:
ip6_rt_put(rt);
if (skb) {
- rtnl_notify(skb, info->nl_net, info->portid, RTNLGRP_IPV6_ROUTE,
+ rtnl_notify(skb, net, info->portid, RTNLGRP_IPV6_ROUTE,
info->nlh, gfp_any());
}
return err;
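Review bot: The `out_put:` label is placed below `write_unlock_bh()`, which is right because the early exit happens before `write_lock_bh()` is taken, but nothing at the label says so. A short comment there stating that this exit is for paths that do not hold `tb6_lock` would keep a later `goto out_put` from being added inside the locked region. On the early path `skb` is still NULL from its declaration, so the `rtnl_notify()` call is skipped and `return err` is reached with whatever the early branch left in `err`.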
--
2.5.5
* Re: [Patch net v2] ipv6: check for ip6_null_entry in __ip6_del_rt_siblings()
From: Eric Dumazet @ 2017-02-27 21:52 UTC (permalink / raw)
To: Cong Wang; +Cc: netdev, andreyknvl, David Ahern
On Mon, 2017-02-27 at 13:34 -0800, Cong Wang wrote:
> Andrey reported a NULL pointer deref bug in ipv6_route_ioctl()
> -> ip6_route_del() -> __ip6_del_rt_siblings() code path. This is
> because ip6_null_entry is returned in this path since ip6_null_entry
> is kinda default for an ipv6 route table root node. Quote from
> David Ahern:
>
> ip6_null_entry is the root of all ipv6 fib tables making it integrated
> into the table ...
>
> We should ignore any attempt of trying to delete it, like we do in
> __ip6_del_rt() path and several others.
>
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Fixes: 0ae8133586ad ("net: ipv6: Allow shorthand delete of all nexthops in multipath route")
> Cc: David Ahern <dsa@cumulusnetworks.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
> ---
> net/ipv6/route.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index f54f426..78be2cb 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -2169,10 +2169,13 @@ int ip6_del_rt(struct rt6_info *rt)
> static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
> {
> struct nl_info *info = &cfg->fc_nlinfo;
> + struct net *net = info->nl_net;
> struct sk_buff *skb = NULL;
> struct fib6_table *table;
> int err;
>
> + if (rt == net->ipv6.ip6_null_entry)
> + goto out_put;

err is not initialized at this point.

> table = rt->rt6i_table;
> write_lock_bh(&table->tb6_lock);
>
> @@ -2184,7 +2187,7 @@ static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
> if (skb) {
> u32 seq = info->nlh ? info->nlh->nlmsg_seq : 0;
>
> - if (rt6_fill_node(info->nl_net, skb, rt,
> + if (rt6_fill_node(net, skb, rt,
> NULL, NULL, 0, RTM_DELROUTE,
> info->portid, seq, 0) < 0) {
> kfree_skb(skb);
> @@ -2205,10 +2208,11 @@ static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
> err = fib6_del(rt, info);
> out:
> write_unlock_bh(&table->tb6_lock);
> +out_put:
> ip6_rt_put(rt);
>
> if (skb) {
> - rtnl_notify(skb, info->nl_net, info->portid, RTNLGRP_IPV6_ROUTE,
> + rtnl_notify(skb, net, info->portid, RTNLGRP_IPV6_ROUTE,
> info->nlh, gfp_any());
> }
> return err;

This returns garbage here.
* Re: [Patch net v2] ipv6: check for ip6_null_entry in __ip6_del_rt_siblings()
From: kbuild test robot @ 2017-02-28 6:16 UTC (permalink / raw)
To: Cong Wang
Cc: kbuild-all, netdev, andreyknvl, Cong Wang, David Ahern, Eric Dumazet
Hi Cong,
[auto build test WARNING on net/master]
url: https://github.com/0day-ci/linux/commits/Cong-Wang/ipv6-check-for-ip6_null_entry-in-__ip6_del_rt_siblings/20170228-135206
config: x86_64-randconfig-x017-201709 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
Note: it may well be a FALSE warning. FWIW you are at least aware of it now.
http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings
All warnings (new ones prefixed by >>):
net/ipv6/route.c: In function 'ip6_route_del':
>> net/ipv6/route.c:2175:6: warning: 'err' may be used uninitialized in this function [-Wmaybe-uninitialized]
int err;
^~~
vim +/err +2175 net/ipv6/route.c
^1da177e4 Linus Torvalds 2005-04-16 2159 }
^1da177e4 Linus Torvalds 2005-04-16 2160
e0a1ad73d Thomas Graf 2006-08-22 2161 int ip6_del_rt(struct rt6_info *rt)
e0a1ad73d Thomas Graf 2006-08-22 2162 {
4d1169c1e Denis V. Lunev 2008-01-10 2163 struct nl_info info = {
d19185428 David S. Miller 2011-12-28 2164 .nl_net = dev_net(rt->dst.dev),
4d1169c1e Denis V. Lunev 2008-01-10 2165 };
528c4ceb4 Denis V. Lunev 2007-12-13 2166 return __ip6_del_rt(rt, &info);
e0a1ad73d Thomas Graf 2006-08-22 2167 }
e0a1ad73d Thomas Graf 2006-08-22 2168
0ae813358 David Ahern 2017-02-02 2169 static int __ip6_del_rt_siblings(struct rt6_info *rt, struct fib6_config *cfg)
0ae813358 David Ahern 2017-02-02 2170 {
0ae813358 David Ahern 2017-02-02 2171 struct nl_info *info = &cfg->fc_nlinfo;
f0c30f4c1 Cong Wang 2017-02-27 2172 struct net *net = info->nl_net;
16a16cd35 David Ahern 2017-02-02 2173 struct sk_buff *skb = NULL;
0ae813358 David Ahern 2017-02-02 2174 struct fib6_table *table;
0ae813358 David Ahern 2017-02-02 @2175 int err;
0ae813358 David Ahern 2017-02-02 2176
f0c30f4c1 Cong Wang 2017-02-27 2177 if (rt == net->ipv6.ip6_null_entry)
f0c30f4c1 Cong Wang 2017-02-27 2178 goto out_put;
0ae813358 David Ahern 2017-02-02 2179 table = rt->rt6i_table;
0ae813358 David Ahern 2017-02-02 2180 write_lock_bh(&table->tb6_lock);
0ae813358 David Ahern 2017-02-02 2181
0ae813358 David Ahern 2017-02-02 2182 if (rt->rt6i_nsiblings && cfg->fc_delete_all_nh) {
0ae813358 David Ahern 2017-02-02 2183 struct rt6_info *sibling, *next_sibling;
:::::: The code at line 2175 was first introduced by commit
:::::: 0ae8133586ad1c9be894411aaf8b17bb58c8efe5 net: ipv6: Allow shorthand delete of all nexthops in multipath route
:::::: TO: David Ahern <dsa@cumulusnetworks.com>
:::::: CC: David S. Miller <davem@davemloft.net>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation