Date: Fri, 5 Apr 2019 12:00:40 +0200
From: Lorenzo Bianconi
To: David Miller
Cc: netdev@vger.kernel.org, jesse@kernel.org
Subject: Re: [PATCH net] ipv6: sit: reset ip header pointer in ipip6_rcv
Message-ID: <20190405100039.GB5472@localhost.localdomain>

> From: Lorenzo Bianconi
> Date: Thu, 4 Apr 2019 16:37:53 +0200
>
> > ipip6 tunnels run iptunnel_pull_header on received skbs. This can
> > determine the following use-after-free accessing iph pointer since
> > the packet will be 'uncloned' running pskb_expand_head if it is a
> > cloned gso skb (e.g if the packet has been sent through a veth device)
> ...
> > Fix it resetting iph pointer after iptunnel_pull_header
> >
> > Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
> > Tested-by: Jianlin Shi
> > Signed-off-by: Lorenzo Bianconi
>
> Good catch, applied, thanks.

Looking at the code it seems there is the same issue for erspan_v{4,6}.
I will post a fix soon.

Regards,
Lorenzo
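
The stale-pointer pattern described in the quoted commit message, as an added example that is not part of the original thread or the kernel source. It is a userspace C model: `toy_buf`, `toy_pull_header` and `demo_stale` are hypothetical names, and the private copy made for a cloned buffer stands in for the 'uncloning' the message attributes to pskb_expand_head.

```c
#include <stdlib.h>
#include <string.h>

/* Toy userspace model, constructed for illustration (not kernel code). */
struct toy_buf {
    unsigned char *head;   /* start of packet data, outer header first */
    size_t len;
    int cloned;            /* non-zero: head is shared with another buffer */
};

/* Stand-in for the pull step: a cloned buffer gets a private copy of its
 * head, so b->head moves. The old head stays owned by the other clone. */
static int toy_pull_header(struct toy_buf *b)
{
    if (b->cloned) {
        unsigned char *copy = malloc(b->len);
        if (!copy)
            return -1;
        memcpy(copy, b->head, b->len);
        b->head = copy;
        b->cloned = 0;
    }
    return 0;
}

/* Returns 1 if the header pointer used after the pull still points into the
 * old shared head (stale), 0 if it points into the current head, -1 on
 * allocation failure. use_fix selects the pattern from the fix. */
int demo_stale(int use_fix)
{
    unsigned char *shared = calloc(1, 20);   /* constructed 20-byte header */
    struct toy_buf b = { shared, 20, 1 };
    const unsigned char *iph = b.head;       /* cached before the pull */
    int stale = -1;

    if (shared && toy_pull_header(&b) == 0) {
        if (use_fix)
            iph = b.head;                    /* reset pointer after the pull */
        stale = (iph == shared);
        /* Once the other clone frees `shared`, a stale iph dangles. */
        free(b.head);
    }
    free(shared);
    return stale;
}
```

The model never dereferences the stale pointer; it only compares addresses, which is enough to show why any header pointer taken before a call that may reallocate the head has to be re-derived afterwards.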