From: Andrey Konovalov
Date: Tue, 25 Apr 2017 14:32:47 +0200
Subject: Re: net/ipv6: slab-out-of-bounds in ip6_tnl_xmit
To: Cong Wang
Cc: "David S. Miller", Alexey Kuznetsov, James Morris, Hideaki YOSHIFUJI, Patrick McHardy, netdev, LKML, Eric Dumazet, Dmitry Vyukov, Kostya Serebryany, syzkaller

On Tue, Apr 25, 2017 at 7:04 AM, Cong Wang wrote:
> On Mon, Apr 24, 2017 at 9:47 AM, Cong Wang wrote:
>>
>> We use ipv4 dst in ip6_tunnel and cast an IPv4 neigh key as an
>> IPv6 address...
>>
>>
>>                 neigh = dst_neigh_lookup(skb_dst(skb),
>>                                          &ipv6_hdr(skb)->daddr);
>>                 if (!neigh)
>>                         goto tx_err_link_failure;
>>
>>                 addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
>>                 addr_type = ipv6_addr_type(addr6);
>>
>>                 if (addr_type == IPV6_ADDR_ANY)
>>                         addr6 = &ipv6_hdr(skb)->daddr;
>>
>>                 memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));
>>
>> Also the network header of the skb at this point should be still IPv4?
>
> Please try the attached patch.

I don't see these crashes with your patch.

Thanks!

Tested-by: Andrey Konovalov

>
> I am not sure how we could handle 4in6 case better than just relying on
> the config of ip6 tunnel.
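
A userspace model of the mismatch Cong Wang describes above, added here as an illustration and not part of the thread or the attached patch: a neighbour key is only as long as its address family (4 bytes for IPv4), so its length is checked before it is read as a 16-byte IPv6 address. `struct in6_model`, `struct neigh_model`, `neigh_key_as_in6`, `demo` and the sample addresses are hypothetical names and constructed values, not kernel definitions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace stand-ins, hypothetical names (not the kernel's structs). */
struct in6_model { uint8_t s6_addr[16]; };
struct neigh_model {
    size_t  key_len;        /* 4 for an IPv4 neighbour, 16 for IPv6 */
    uint8_t primary_key[];  /* allocated with exactly key_len bytes */
};

static struct neigh_model *neigh_model_new(const void *key, size_t key_len)
{
    struct neigh_model *n = malloc(sizeof(*n) + key_len);
    if (!n)
        return NULL;
    n->key_len = key_len;
    memcpy(n->primary_key, key, key_len);
    return n;
}

/* Copy the key out as an IPv6 address only if it really is one.
 * Returns 0 on success, -1 when the key is not 16 bytes; an unchecked
 * 16-byte read of a 4-byte key runs 12 bytes past the allocation. */
static int neigh_key_as_in6(const struct neigh_model *n, struct in6_model *out)
{
    if (!n || !out || n->key_len != sizeof(out->s6_addr))
        return -1;
    memcpy(out->s6_addr, n->primary_key, sizeof(out->s6_addr));
    return 0;
}

/* Constructed sample keys: 192.0.2.1 and 2001:db8::1. */
static int demo(int use_ipv6_key)
{
    static const uint8_t v4[4] = { 192, 0, 2, 1 };
    static const uint8_t v6[16] = { 0x20, 0x01, 0x0d, 0xb8, [15] = 1 };
    struct in6_model out;
    struct neigh_model *n = use_ipv6_key ? neigh_model_new(v6, sizeof(v6))
                                         : neigh_model_new(v4, sizeof(v4));
    int rc = neigh_key_as_in6(n, &out);
    if (rc == 0 && memcmp(out.s6_addr, v6, sizeof(v6)) != 0)
        rc = -2; /* copied bytes do not match the key */
    free(n);
    return rc;
}

int main(void)
{
    return (demo(0) == -1 && demo(1) == 0) ? 0 : 1;
}
```

What the caller does when the key is rejected is left open here, as it is in the thread.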