From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Andrey Konovalov <andreyknvl@google.com>,
Willem de Bruijn <willemb@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 20/54] net-timestamp: avoid use-after-free in ip_recv_error
Date: Mon, 1 May 2017 14:31:27 -0700 [thread overview]
Message-ID: <20170501212632.602426209@linuxfoundation.org> (raw)
In-Reply-To: <20170501212631.798128131@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
[ Upstream commit 1862d6208db0aeca9c8ace44915b08d5ab2cd667 ]
Syzkaller reported a use-after-free in ip_recv_error at line
info->ipi_ifindex = skb->dev->ifindex;
This function is called on dequeue from the error queue, at which
point the device pointer may no longer be valid.
Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
pointer is valid or NULL. Store it in temporary storage skb->cb.
It is safe to reference skb->dev here, as called from device drivers
or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
in that case it is NULL and ifindex is set to 0 (invalid).
Do not return a pktinfo cmsg if ifindex is 0. This maintains the
current behavior of not returning a cmsg if skb->dev was NULL.
On dequeue, the ipv4 path will cast from sock_exterr_skb to
in_pktinfo. Both have ifindex as their first element, so no explicit
conversion is needed. This is by design, introduced in commit
0b922b7a829c ("net: original ingress device index in PKTINFO"). For
ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.
Fixes: 829ae9d61165 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/skbuff.c | 1 +
net/ipv4/ip_sockglue.c | 9 ++++-----
net/ipv6/datagram.c | 10 +---------
3 files changed, 6 insertions(+), 14 deletions(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3779,6 +3779,7 @@ static void __skb_complete_tx_timestamp(
serr->ee.ee_errno = ENOMSG;
serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
serr->ee.ee_info = tstype;
+ serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0;
if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
serr->ee.ee_data = skb_shinfo(skb)->tskey;
if (sk->sk_protocol == IPPROTO_TCP &&
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -474,16 +474,15 @@ static bool ipv4_datagram_support_cmsg(c
return false;
/* Support IP_PKTINFO on tstamp packets if requested, to correlate
- * timestamp with egress dev. Not possible for packets without dev
+ * timestamp with egress dev. Not possible for packets without iif
* or without payload (SOF_TIMESTAMPING_OPT_TSONLY).
*/
- if ((!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
- (!skb->dev))
+ info = PKTINFO_SKB_CB(skb);
+ if (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG) ||
+ !info->ipi_ifindex)
return false;
- info = PKTINFO_SKB_CB(skb);
info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
- info->ipi_ifindex = skb->dev->ifindex;
return true;
}
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -400,9 +400,6 @@ static inline bool ipv6_datagram_support
* At one point, excluding local errors was a quick test to identify icmp/icmp6
* errors. This is no longer true, but the test remained, so the v6 stack,
* unlike v4, also honors cmsg requests on all wifi and timestamp errors.
- *
- * Timestamp code paths do not initialize the fields expected by cmsg:
- * the PKTINFO fields in skb->cb[]. Fill those in here.
*/
static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
struct sock_exterr_skb *serr)
@@ -414,14 +411,9 @@ static bool ip6_datagram_support_cmsg(st
if (serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL)
return false;
- if (!skb->dev)
+ if (!IP6CB(skb)->iif)
return false;
- if (skb->protocol == htons(ETH_P_IPV6))
- IP6CB(skb)->iif = skb->dev->ifindex;
- else
- PKTINFO_SKB_CB(skb)->ipi_ifindex = skb->dev->ifindex;
-
return true;
}
next prev parent reply other threads:[~2017-05-01 21:57 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-01 21:31 [PATCH 4.9 00/54] 4.9.26-stable review Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 01/54] [PATCH] Revert "mmc: sdhci-msm: Enable few quirks" Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 02/54] ping: implement proper locking Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 03/54] sparc64: kern_addr_valid regression Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 04/54] sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write() Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 05/54] net: neigh: guard against NULL solicit() method Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 06/54] net: phy: handle state correctly in phy_stop_machine Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 07/54] kcm: return immediately after copy_from_user() failure Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 08/54] bpf: improve verifier packet range checks Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 09/54] net/mlx5: Avoid dereferencing uninitialized pointer Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 10/54] l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 11/54] l2tp: purge socket queues in the .destruct() callback Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 12/54] net/packet: fix overflow in check for tp_frame_nr Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 13/54] net/packet: fix overflow in check for tp_reserve Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 14/54] l2tp: take reference on sessions being dumped Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 15/54] l2tp: fix PPP pseudo-wire auto-loading Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 16/54] net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 17/54] sctp: listen on the sock only when its state is listening or closed Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 18/54] tcp: clear saved_syn in tcp_disconnect() Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 19/54] ipv6: Fix idev->addr_list corruption Greg Kroah-Hartman
2017-05-01 21:31 ` Greg Kroah-Hartman [this message]
2017-05-01 21:31 ` [PATCH 4.9 21/54] net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 22/54] sh_eth: unmap DMA buffers when freeing rings Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 24/54] gso: Validate assumption of frag_list segementation Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 25/54] net: ipv6: RTF_PCPU should not be settable from userspace Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 26/54] netpoll: Check for skb->queue_mapping Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 27/54] ip6mr: fix notification device destruction Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 28/54] net/mlx5: Fix driver load bad flow when having fw initializing timeout Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 29/54] net/mlx5e: Fix small packet threshold Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 30/54] net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 31/54] macvlan: Fix device ref leak when purging bc_queue Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 32/54] net: ipv6: regenerate host route if moved to gc list Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 33/54] net: phy: fix auto-negotiation stall due to unavailable interrupt Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 34/54] ipv6: check skb->protocol before lookup for nexthop Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 35/54] tcp: memset ca_priv data to 0 properly Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 36/54] ipv6: check raw payload size correctly in ioctl Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 37/54] ALSA: oxfw: fix regression to handle Stanton SCS.1m/1d Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 38/54] ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 39/54] ALSA: seq: Dont break snd_use_lock_sync() loop by timeout Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 40/54] ARC: [plat-eznps] Fix build error Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 41/54] MIPS: KGDB: Use kernel context for sleeping threads Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 42/54] MIPS: cevt-r4k: Fix out-of-bounds array access Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 43/54] MIPS: Avoid BUG warning in arch_check_elf Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 44/54] p9_client_readdir() fix Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 45/54] ASoC: intel: Fix PM and non-atomic crash in bytcr drivers Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 48/54] nfsd4: minor NFSv2/v3 write decoding cleanup Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 50/54] ceph: fix recursion between ceph_set_acl() and __ceph_setattr() Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 51/54] macsec: avoid heap overflow in skb_to_sgvec Greg Kroah-Hartman
2017-05-01 21:31 ` [PATCH 4.9 52/54] net: can: usb: gs_usb: Fix buffer on stack Greg Kroah-Hartman
2017-05-01 21:32 ` [PATCH 4.9 53/54] ARCv2: save r30 on kernel entry as gcc uses it for code-gen Greg Kroah-Hartman
2017-05-01 21:32 ` [PATCH 4.9 54/54] ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram Greg Kroah-Hartman
[not found] ` <590808bb.a121ed0a.b040f.045c@mx.google.com>
2017-05-02 13:53 ` [PATCH 4.9 00/54] 4.9.26-stable review Shuah Khan
2017-05-02 17:36 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170501212632.602426209@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).