From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jianlin Shi <jishi@redhat.com>,
Stefano Brivio <sbrivio@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 02/51] ipv6: Check available headroom in ip6_xmit() even without options
Date: Fri, 14 Dec 2018 13:00:04 +0100 [thread overview]
Message-ID: <20181214115713.647593482@linuxfoundation.org> (raw)
In-Reply-To: <20181214115713.244259772@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio <sbrivio@redhat.com>
[ Upstream commit 66033f47ca60294a95fc85ec3a3cc909dab7b765 ]
Even if we send an IPv6 packet without options, MAX_HEADER might not be
enough to account for the additional headroom required by alignment of
hardware headers.
On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
Those would be enough to append our 14 bytes header, but we're going to
align that to 16 bytes, and write 2 bytes out of the allocated slab in
neigh_hh_output().
KASan says:
[ 264.967848] ==================================================================
[ 264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
[ 264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
[ 264.967870]
[ 264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
[ 264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
[ 264.967887] Call Trace:
[ 264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
[ 264.967903] [<00000000017e379c>] dump_stack+0x23c/0x290
[ 264.967912] [<00000000007bc594>] print_address_description+0xf4/0x290
[ 264.967919] [<00000000007bc8fc>] kasan_report+0x13c/0x240
[ 264.967927] [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
[ 264.967935] [<000000000163f890>] ip6_finish_output+0x430/0x7f0
[ 264.967943] [<000000000163fe44>] ip6_output+0x1f4/0x580
[ 264.967953] [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
[ 264.967963] [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
[ 264.968033] [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
[ 264.968037] [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
[ 264.968041] [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
[ 264.968069] [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
[ 264.968071] [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
[ 264.968075] [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
[ 264.968078] [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
[ 264.968081] [<00000000013ddd1e>] ip_output+0x226/0x4c0
[ 264.968083] [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
[ 264.968100] [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
[ 264.968116] [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
[ 264.968131] [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
[ 264.968146] [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
[ 264.968161] [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
[ 264.968177] [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
[ 264.968192] [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
[ 264.968208] [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
[ 264.968212] [<0000000001197942>] __sys_connect+0x21a/0x450
[ 264.968215] [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
[ 264.968218] [<000000000184ea7a>] system_call+0x2a2/0x2c0
[...]
Just like ip_finish_output2() does for IPv4, check that we have enough
headroom in ip6_xmit(), and reallocate it if we don't.
This issue is older than git history.
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/ip6_output.c | 42 +++++++++++++++++++++---------------------
1 file changed, 21 insertions(+), 21 deletions(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -177,37 +177,37 @@ int ip6_xmit(const struct sock *sk, stru
const struct ipv6_pinfo *np = inet6_sk(sk);
struct in6_addr *first_hop = &fl6->daddr;
struct dst_entry *dst = skb_dst(skb);
+ unsigned int head_room;
struct ipv6hdr *hdr;
u8 proto = fl6->flowi6_proto;
int seg_len = skb->len;
int hlimit = -1;
u32 mtu;
- if (opt) {
- unsigned int head_room;
-
- /* First: exthdrs may take lots of space (~8K for now)
- MAX_HEADER is not enough.
- */
- head_room = opt->opt_nflen + opt->opt_flen;
- seg_len += head_room;
- head_room += sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
+ head_room = sizeof(struct ipv6hdr) + LL_RESERVED_SPACE(dst->dev);
+ if (opt)
+ head_room += opt->opt_nflen + opt->opt_flen;
- if (skb_headroom(skb) < head_room) {
- struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
- if (!skb2) {
- IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
- IPSTATS_MIB_OUTDISCARDS);
- kfree_skb(skb);
- return -ENOBUFS;
- }
- if (skb->sk)
- skb_set_owner_w(skb2, skb->sk);
- consume_skb(skb);
- skb = skb2;
+ if (unlikely(skb_headroom(skb) < head_room)) {
+ struct sk_buff *skb2 = skb_realloc_headroom(skb, head_room);
+ if (!skb2) {
+ IP6_INC_STATS(net, ip6_dst_idev(skb_dst(skb)),
+ IPSTATS_MIB_OUTDISCARDS);
+ kfree_skb(skb);
+ return -ENOBUFS;
}
+ if (skb->sk)
+ skb_set_owner_w(skb2, skb->sk);
+ consume_skb(skb);
+ skb = skb2;
+ }
+
+ if (opt) {
+ seg_len += opt->opt_nflen + opt->opt_flen;
+
if (opt->opt_flen)
ipv6_push_frag_opts(skb, opt, &proto);
+
if (opt->opt_nflen)
ipv6_push_nfrag_opts(skb, opt, &proto, &first_hop);
}
next prev parent reply other threads:[~2018-12-14 12:11 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-14 12:00 [PATCH 4.9 00/51] 4.9.146-stable review Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 01/51] ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes Greg Kroah-Hartman
2018-12-16 9:56 ` jwiesner
2018-12-17 8:37 ` Greg Kroah-Hartman
2018-12-14 12:00 ` Greg Kroah-Hartman [this message]
2018-12-14 12:00 ` [PATCH 4.9 03/51] net: 8139cp: fix a BUG triggered by changing mtu with network traffic Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 04/51] net/mlx4_core: Correctly set PFC param if global pause is turned off Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 05/51] net: phy: dont allow __set_phy_supported to add unsupported modes Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 06/51] net: Prevent invalid access to skb->prev in __qdisc_drop_all Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 07/51] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 08/51] tcp: fix NULL ref in tail loss probe Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 09/51] tun: forbid iface creation with rtnl ops Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 10/51] neighbour: Avoid writing before skb->head in neigh_hh_output() Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 11/51] ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 12/51] ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1 Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 13/51] ARM: OMAP1: ams-delta: Fix possible use of uninitialized field Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 14/51] sysv: return err instead of 0 in __sysv_write_inode Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 15/51] selftests: add script to stress-test nft packet path vs. control plane Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 16/51] s390/cpum_cf: Reject request for sampling in event initialization Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 17/51] hwmon: (ina2xx) Fix current value calculation Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 18/51] ASoC: omap-abe-twl6040: Fix missing audio card caused by deferred probing Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 19/51] ASoC: dapm: Recalculate audio map forcely when card instantiated Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 20/51] hwmon: (w83795) temp4_type has writable permission Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 21/51] objtool: Fix double-free in .cold detection error path Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 22/51] objtool: Fix segfault in .cold detection with -ffunction-sections Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 23/51] Btrfs: send, fix infinite loop due to directory rename dependencies Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 24/51] RDMA/mlx5: Fix fence type for IB_WR_LOCAL_INV WR Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 25/51] ASoC: omap-mcpdm: Add pm_qos handling to avoid under/overruns with CPU_IDLE Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 26/51] ASoC: omap-dmic: Add pm_qos handling to avoid overruns " Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 27/51] exportfs: do not read dentry after free Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 28/51] bpf: fix check of allowed specifiers in bpf_trace_printk Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 29/51] ipvs: call ip_vs_dst_notifier earlier than ipv6_dev_notf Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 30/51] USB: omap_udc: use devm_request_irq() Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 31/51] USB: omap_udc: fix crashes on probe error and module removal Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 32/51] USB: omap_udc: fix omap_udc_start() on 15xx machines Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 33/51] USB: omap_udc: fix USB gadget functionality on Palm Tungsten E Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 34/51] KVM: x86: fix empty-body warnings Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 35/51] x86/kvm/vmx: fix old-style function declaration Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 36/51] net: thunderx: fix NULL pointer dereference in nic_remove Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 37/51] cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 38/51] igb: fix uninitialized variables Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 39/51] ixgbe: recognize 1000BaseLX SFP modules as 1Gbps Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 40/51] net: hisilicon: remove unexpected free_netdev Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 41/51] drm/ast: fixed reading monitor EDID not stable issue Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 42/51] xen: xlate_mmu: add missing header to fix W=1 warning Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 43/51] fscache: fix race between enablement and dropping of object Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 44/51] fscache, cachefiles: remove redundant variable cache Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 45/51] ocfs2: fix deadlock caused by ocfs2_defrag_extent() Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 46/51] hfs: do not free node before using Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 47/51] hfsplus: " Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 48/51] debugobjects: avoid recursive calls with kmemleak Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 49/51] ocfs2: fix potential use after free Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 50/51] pstore: Convert console write to use ->write_buf Greg Kroah-Hartman
2018-12-14 12:00 ` [PATCH 4.9 51/51] staging: speakup: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-14 15:53 ` [PATCH 4.9 00/51] 4.9.146-stable review kernelci.org bot
2018-12-14 20:13 ` shuah
2018-12-15 2:07 ` Guenter Roeck
2018-12-15 16:51 ` Dan Rue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181214115713.647593482@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=jishi@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sbrivio@redhat.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).