From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Taehee Yoo <ap420073@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.4 64/71] net: validate lwtstate->data before returning from skb_tunnel_info()
Date: Thu, 22 Jul 2021 18:31:39 +0200
Message-ID: <20210722155620.038972771@linuxfoundation.org>
In-Reply-To: <20210722155617.865866034@linuxfoundation.org>

From: Taehee Yoo <ap420073@gmail.com>

commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream.

skb_tunnel_info() returns a pointer to lwtstate->data as ip_tunnel_info
type without validation. lwtstate->data can have various types such as
mpls_iptunnel_encap, etc., and these are not compatible.
So skb_tunnel_info() should validate before returning that pointer.

Splat looks like:
BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
Read of size 2 at addr ffff888106ec2698 by task ping/811

CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195
Call Trace:
 dump_stack_lvl+0x56/0x7b
 print_address_description.constprop.8.cold.13+0x13/0x2ee
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 kasan_report.cold.14+0x83/0xdf
 ? vxlan_get_route+0x418/0x4b0 [vxlan]
 vxlan_get_route+0x418/0x4b0 [vxlan]
 [ ... ]
 vxlan_xmit_one+0x148b/0x32b0 [vxlan]
 [ ... ]
 vxlan_xmit+0x25c5/0x4780 [vxlan]
 [ ... ]
 dev_hard_start_xmit+0x1ae/0x6e0
 __dev_queue_xmit+0x1f39/0x31a0
 [ ... ]
 neigh_xmit+0x2f9/0x940
 mpls_xmit+0x911/0x1600 [mpls_iptunnel]
 lwtunnel_xmit+0x18f/0x450
 ip_finish_output2+0x867/0x2040
 [ ... ]

Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/dst_metadata.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/include/net/dst_metadata.h
+++ b/include/net/dst_metadata.h
@@ -45,7 +45,9 @@ skb_tunnel_info(const struct sk_buff *sk
 		return &md_dst->u.tun_info;
 
 	dst = skb_dst(skb);
-	if (dst && dst->lwtstate)
+	if (dst && dst->lwtstate &&
+	    (dst->lwtstate->type == LWTUNNEL_ENCAP_IP ||
+	     dst->lwtstate->type == LWTUNNEL_ENCAP_IP6))
 		return lwt_tun_info(dst->lwtstate);
 
 	return NULL;
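
Review bot: the new condition in skb_tunnel_info() is an open-coded allow-list of LWTUNNEL_ENCAP_IP and LWTUNNEL_ENCAP_IP6 with no comment saying that these are the encap types whose lwtstate->data is laid out as an ip_tunnel_info. A one-line comment above the `if`, or a small named predicate, would make it clear that any future encap type carrying ip_tunnel_info has to be added here, since it would otherwise silently get NULL. The check also only guards this caller: lwt_tun_info() is not touched by this hunk, so any other direct user of it still gets the unvalidated cast the commit message describes and is worth auditing.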


