From: <nobuhiro1.iwamatsu@toshiba.co.jp>
To: <nobuhiro1.iwamatsu@toshiba.co.jp>, <stable@vger.kernel.org>
Cc: <gregkh@linuxfoundation.org>, <dsa@cumulusnetworks.com>,
	<andreyknvl@google.com>, <davem@davemloft.net>
Subject: RE: [PATCH] net: handle no dst on skb in icmp6_send
Date: Wed, 13 May 2020 09:15:34 +0000	[thread overview]
Message-ID: <OSBPR01MB29839259893D8DD04E08B61F92BF0@OSBPR01MB2983.jpnprd01.prod.outlook.com> (raw)
In-Reply-To: <20200513090451.939095-1-nobuhiro1.iwamatsu@toshiba.co.jp>

Hi,

I forgot to add the version to the subject.
This is a patch to 4.4.y only. This is not needed for other kernels.

Best regards,
  Nobuhiro

> -----Original Message-----
> From: Nobuhiro Iwamatsu [mailto:nobuhiro1.iwamatsu@toshiba.co.jp]
> Sent: Wednesday, May 13, 2020 6:05 PM
> To: stable@vger.kernel.org
> Cc: gregkh@linuxfoundation.org; David Ahern <dsa@cumulusnetworks.com>; Andrey Konovalov <andreyknvl@google.com>;
> David S . Miller <davem@davemloft.net>; iwamatsu nobuhiro(岩松 信洋 □SWC◯ACT)
> <nobuhiro1.iwamatsu@toshiba.co.jp>
> Subject: [PATCH] net: handle no dst on skb in icmp6_send
> 
> From: David Ahern <dsa@cumulusnetworks.com>
> 
> commit 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 upstream.
> 
> Andrey reported the following while fuzzing the kernel with syzkaller:
> 
> kasan: CONFIG_KASAN_INLINE enabled
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP KASAN
> Modules linked in:
> CPU: 0 PID: 3859 Comm: a.out Not tainted 4.9.0-rc6+ #429
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff8800666d4200 task.stack: ffff880067348000
> RIP: 0010:[<ffffffff833617ec>]  [<ffffffff833617ec>]
> icmp6_send+0x5fc/0x1e30 net/ipv6/icmp.c:451
> RSP: 0018:ffff88006734f2c0  EFLAGS: 00010206
> RAX: ffff8800666d4200 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000018
> RBP: ffff88006734f630 R08: ffff880064138418 R09: 0000000000000003
> R10: dffffc0000000000 R11: 0000000000000005 R12: 0000000000000000
> R13: ffffffff84e7e200 R14: ffff880064138484 R15: ffff8800641383c0
> FS:  00007fb3887a07c0(0000) GS:ffff88006cc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000020000000 CR3: 000000006b040000 CR4: 00000000000006f0
> Stack:
>  ffff8800666d4200 ffff8800666d49f8 ffff8800666d4200 ffffffff84c02460
>  ffff8800666d4a1a 1ffff1000ccdaa2f ffff88006734f498 0000000000000046
>  ffff88006734f440 ffffffff832f4269 ffff880064ba7456 0000000000000000
> Call Trace:
>  [<ffffffff83364ddc>] icmpv6_param_prob+0x2c/0x40 net/ipv6/icmp.c:557
>  [<     inline     >] ip6_tlvopt_unknown net/ipv6/exthdrs.c:88
>  [<ffffffff83394405>] ip6_parse_tlv+0x555/0x670 net/ipv6/exthdrs.c:157
>  [<ffffffff8339a759>] ipv6_parse_hopopts+0x199/0x460 net/ipv6/exthdrs.c:663
>  [<ffffffff832ee773>] ipv6_rcv+0xfa3/0x1dc0 net/ipv6/ip6_input.c:191
>  ...
> 
> icmp6_send / icmpv6_send is invoked for both rx and tx paths. In both
> cases the dst->dev should be preferred for determining the L3 domain
> if the dst has been set on the skb. Fall back to the skb->dev if it has
> not. This covers the case reported here where icmp6_send is invoked on
> Rx before the route lookup.
> 
> Fixes: 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain")
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Nobuhiro Iwamatsu (CIP) <nobuhiro1.iwamatsu@toshiba.co.jp>
> ---
>  net/ipv6/icmp.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
> index d21e81cd6120e..fa96e05cf22be 100644
> --- a/net/ipv6/icmp.c
> +++ b/net/ipv6/icmp.c
> @@ -445,8 +445,10 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info)
> 
>  	if (__ipv6_addr_needs_scope_id(addr_type))
>  		iif = skb->dev->ifindex;
> -	else
> -		iif = l3mdev_master_ifindex(skb_dst(skb)->dev);
> +	else {
> +		dst = skb_dst(skb);
> +		iif = l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
> +	}
> 
>  	/*
>  	 *	Must not send error if the source does not uniquely
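Review bot: the new `else {` arm is braced while the `if` arm (`iif = skb->dev->ifindex;`) is not; kernel style, and checkpatch, want braces on all arms once one arm has them, so consider `if (__ipv6_addr_needs_scope_id(addr_type)) {` ... `} else {`. The hunk also assigns `dst` without declaring it, so it relies on an existing `struct dst_entry *dst;` in icmp6_send() in 4.4.y; a line in the backport note confirming that declaration exists in this tree would save the next reader a lookup. Finally, both arms still assume `skb->dev` is non-NULL (the scope-id arm dereferences it, the fallback passes it to l3mdev_master_ifindex()), which is what the rx-before-route-lookup case in the report needs to hold; that assumption is worth stating explicitly.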
> --
> 2.26.0

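The following is an added example, not code from the patch, the kernel or the poster: a userspace model of the ingress-interface (iif) selection that the hunk changes, built to show why an ICMPv6 error raised on the rx path before any route lookup (the syzkaller case, where skb_dst() is NULL) crashed, and how the dst-or-skb->dev fallback resolves it, including the VRF case where the L3 domain comes from an enslaved interface's master. The struct layouts, the l3mdev rules (an L3 master reports its own ifindex, an L3 slave reports its master's, anything else 0), the `needs_scope_id` flag standing in for `__ipv6_addr_needs_scope_id()`, and the interfaces vrf0/eth0/eth1 are all constructed for this model.

```c
/* Added example, not kernel code: model of iif selection in icmp6_send(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct net_device {
	int ifindex;
	bool l3_master;            /* assumption: a VRF device */
	struct net_device *master; /* assumption: set when enslaved to a VRF */
};

struct dst_entry {
	struct net_device *dev;    /* egress device chosen by the route lookup */
};

struct sk_buff {
	struct net_device *dev;    /* set by the driver on rx, by the stack on tx */
	struct dst_entry *dst;     /* NULL until a route lookup has run */
};

static struct dst_entry *skb_dst(const struct sk_buff *skb)
{
	return skb->dst;
}

/* Model of l3mdev_master_ifindex(): which L3 domain an interface belongs to. */
static int l3mdev_master_ifindex(const struct net_device *dev)
{
	if (!dev)
		return 0;
	if (dev->l3_master)
		return dev->ifindex;
	if (dev->master && dev->master->l3_master)
		return dev->master->ifindex;
	return 0;
}

/* Pre-fix logic: skb_dst(skb)->dev is dereferenced with no NULL check. */
static int pick_iif_before_fix(const struct sk_buff *skb, bool needs_scope_id)
{
	if (needs_scope_id)
		return skb->dev->ifindex;
	return l3mdev_master_ifindex(skb_dst(skb)->dev);
}

/* Post-fix logic: prefer dst->dev when a dst is set, else fall back to skb->dev. */
static int pick_iif_after_fix(const struct sk_buff *skb, bool needs_scope_id)
{
	if (needs_scope_id)
		return skb->dev->ifindex;
	const struct dst_entry *dst = skb_dst(skb);
	return l3mdev_master_ifindex(dst ? dst->dev : skb->dev);
}

/* True when the pre-fix expression would dereference a NULL dst, i.e. the
 * rx-before-route-lookup case from the report (hop-by-hop option error). */
static bool before_fix_would_crash(const struct sk_buff *skb, bool needs_scope_id)
{
	return !needs_scope_id && skb_dst(skb) == NULL;
}

/* Constructed interfaces: vrf0 is an L3 master, eth0 is enslaved to it,
 * eth1 is a plain interface outside any VRF. */
static struct net_device vrf0 = { .ifindex = 10, .l3_master = true };
static struct net_device eth0 = { .ifindex = 2, .master = &vrf0 };
static struct net_device eth1 = { .ifindex = 3 };

/* Constructed packets for the three paths the commit message describes. */
static struct dst_entry tx_dst = { .dev = &eth0 };
static struct sk_buff rx_no_dst = { .dev = &eth0, .dst = NULL };    /* rx, before lookup */
static struct sk_buff tx_with_dst = { .dev = &eth1, .dst = &tx_dst }; /* tx, dst set */
static struct sk_buff rx_linklocal = { .dev = &eth1, .dst = NULL };  /* scope-id address */

int main(void)
{
	printf("rx, no dst: before-fix would crash=%d, after-fix iif=%d\n",
	       before_fix_would_crash(&rx_no_dst, false),
	       pick_iif_after_fix(&rx_no_dst, false));
	printf("tx, dst set: before=%d after=%d\n",
	       pick_iif_before_fix(&tx_with_dst, false),
	       pick_iif_after_fix(&tx_with_dst, false));
	printf("rx, link-local: before=%d after=%d\n",
	       pick_iif_before_fix(&rx_linklocal, true),
	       pick_iif_after_fix(&rx_linklocal, true));
	return 0;
}
```

The model deliberately never calls pick_iif_before_fix() on the no-dst packet; before_fix_would_crash() reports that case instead, which is the condition the `dst ? dst->dev : skb->dev` fallback removes. With the fix, the rx error on eth0 resolves to vrf0's ifindex (10), so the L3 domain is still correct for a VRF-enslaved interface even without a route lookup.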
