[PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Daniel Borkmann]

In tcp_v6_do_rcv() code, when processing pkt options, we soley work
on our skb clone opt_skb that we've created earlier before entering
tcp_rcv_established() on our way. However, only in condition ...

  if (np->rxopt.bits.rxtclass)
    np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

... we work on skb itself. As we extract every other information out
of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
already be released by tcp_rcv_established() earlier on. When we try
to access it in ipv6_hdr(), we will dereference freed skb.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
---
 net/ipv6/tcp_ipv6.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 6e1649d..eeb4cb0 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1427,7 +1427,7 @@ ipv6_pktoptions:
 		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
 			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
 		if (np->rxopt.bits.rxtclass)
-			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
+			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
 		if (ipv6_opt_accepted(sk, opt_skb)) {
 			skb_set_owner_r(opt_skb, sk);
 			opt_skb = xchg(&np->pktoptions, opt_skb);
-- 
1.7.11.7

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Eric Dumazet]

On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> on our skb clone opt_skb that we've created earlier before entering
> tcp_rcv_established() on our way. However, only in condition ...
> 
>   if (np->rxopt.bits.rxtclass)
>     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> 
> ... we work on skb itself. As we extract every other information out
> of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> already be released by tcp_rcv_established() earlier on. When we try
> to access it in ipv6_hdr(), we will dereference freed skb.
> 
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> ---
>  net/ipv6/tcp_ipv6.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> index 6e1649d..eeb4cb0 100644
> --- a/net/ipv6/tcp_ipv6.c
> +++ b/net/ipv6/tcp_ipv6.c
> @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
>  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
>  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
>  		if (np->rxopt.bits.rxtclass)
> -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
>  		if (ipv6_opt_accepted(sk, opt_skb)) {
>  			skb_set_owner_r(opt_skb, sk);
>  			opt_skb = xchg(&np->pktoptions, opt_skb);

Bug added in commit 4c507d2897bd9b
("net: implement IP_RECVTOS for IP_PKTOPTIONS")

CC Jiri

Acked-by: Eric Dumazet <edumazet@google.com>

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Jean Sacren]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 03 Sep 2013 10:48:33 -0700
>
> On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> > In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> > on our skb clone opt_skb that we've created earlier before entering
> > tcp_rcv_established() on our way. However, only in condition ...
> > 
> >   if (np->rxopt.bits.rxtclass)
> >     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > 
> > ... we work on skb itself. As we extract every other information out
> > of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> > already be released by tcp_rcv_established() earlier on. When we try
> > to access it in ipv6_hdr(), we will dereference freed skb.
> > 
> > Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> > Cc: Eric Dumazet <eric.dumazet@gmail.com>
> > ---
> >  net/ipv6/tcp_ipv6.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > index 6e1649d..eeb4cb0 100644
> > --- a/net/ipv6/tcp_ipv6.c
> > +++ b/net/ipv6/tcp_ipv6.c
> > @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
> >  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
> >  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
> >  		if (np->rxopt.bits.rxtclass)
> > -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
> >  		if (ipv6_opt_accepted(sk, opt_skb)) {
> >  			skb_set_owner_r(opt_skb, sk);
> >  			opt_skb = xchg(&np->pktoptions, opt_skb);
> 
> Bug added in commit 4c507d2897bd9b
> ("net: implement IP_RECVTOS for IP_PKTOPTIONS")
> 
> CC Jiri
> 
> Acked-by: Eric Dumazet <edumazet@google.com>

You made a mistake.

It was introduced in commit e7219858a ("ipv6: Use ipv6_get_dsfield()
instead of ipv6_tclass()").

Cc the right party.

-- 
Jean Sacren

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Eric Dumazet]

On Tue, 2013-09-03 at 13:46 -0600, Jean Sacren wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 03 Sep 2013 10:48:33 -0700
> >
> > On Tue, 2013-09-03 at 19:29 +0200, Daniel Borkmann wrote:
> > > In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> > > on our skb clone opt_skb that we've created earlier before entering
> > > tcp_rcv_established() on our way. However, only in condition ...
> > > 
> > >   if (np->rxopt.bits.rxtclass)
> > >     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > > 
> > > ... we work on skb itself. As we extract every other information out
> > > of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> > > already be released by tcp_rcv_established() earlier on. When we try
> > > to access it in ipv6_hdr(), we will dereference freed skb.
> > > 
> > > Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> > > Cc: Eric Dumazet <eric.dumazet@gmail.com>
> > > ---
> > >  net/ipv6/tcp_ipv6.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
> > > index 6e1649d..eeb4cb0 100644
> > > --- a/net/ipv6/tcp_ipv6.c
> > > +++ b/net/ipv6/tcp_ipv6.c
> > > @@ -1427,7 +1427,7 @@ ipv6_pktoptions:
> > >  		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
> > >  			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
> > >  		if (np->rxopt.bits.rxtclass)
> > > -			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> > > +			np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(opt_skb));
> > >  		if (ipv6_opt_accepted(sk, opt_skb)) {
> > >  			skb_set_owner_r(opt_skb, sk);
> > >  			opt_skb = xchg(&np->pktoptions, opt_skb);
> > 
> > Bug added in commit 4c507d2897bd9b
> > ("net: implement IP_RECVTOS for IP_PKTOPTIONS")
> > 
> > CC Jiri
> > 
> > Acked-by: Eric Dumazet <edumazet@google.com>
> 
> You made a mistake.

Really ?

> 
> It was introduced in commit e7219858a ("ipv6: Use ipv6_get_dsfield()
> instead of ipv6_tclass()").
> 
> Cc the right party.
> 


Nope, I did no mistake.

The bug was really added in commit 4c507d2897bd9b as I said.

Then commit e7219858a just did no change : skb was used before and after
the patch

-                       np->rcv_tclass = ipv6_tclass(ipv6_hdr(skb));
+                       np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));

How did you get your conclusion ?

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Jean Sacren]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 03 Sep 2013 13:35:17 -0700
>
> How did you get your conclusion ?

If one changes one line of code, doesn't one own that line?

-- 
Jean Sacren

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Daniel Borkmann]

On 09/03/2013 11:59 PM, Jean Sacren wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 03 Sep 2013 13:35:17 -0700
>>
>> How did you get your conclusion ?
>
> If one changes one line of code, doesn't one own that line?

The question is not about who currently "owns" the line, but who
first *introduced* an error.

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Eric Dumazet]

On Tue, 2013-09-03 at 15:59 -0600, Jean Sacren wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 03 Sep 2013 13:35:17 -0700
> >
> > How did you get your conclusion ?
> 
> If one changes one line of code, doesn't one own that line?
> 

'Owning' like he is the guy who can sell it ? OK I understand now
so many people send 'cleanups' ;)

Someone adding a space is not responsible for the real bug.

You'll have to be very careful to do proper attributions.

This is _critical_ for proper stable submissions.

In this case we want the fix to reach linux-3.4 and further versions.

The commit you pointed out was for linux-3.9, and added no bug.

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Jean Sacren]

From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 03 Sep 2013 15:29:12 -0700
>
> On Tue, 2013-09-03 at 15:59 -0600, Jean Sacren wrote:
> > From: Eric Dumazet <eric.dumazet@gmail.com>
> > Date: Tue, 03 Sep 2013 13:35:17 -0700
> > >
> > > How did you get your conclusion ?
> > 
> > If one changes one line of code, doesn't one own that line?
> > 
> 
> 'Owning' like he is the guy who can sell it ? OK I understand now
> so many people send 'cleanups' ;)

'Owning' like he is the guy who is responsible for the change. Whether
you understand it or not, that's your own business.

The idea was by taking one example to determine who is really to blame
for: Is the one passing on the bug responsible? Thanks to Daniel
Borkmann for the answer.

-- 
Jean Sacren

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[Jiri Benc]

On Tue, 3 Sep 2013 18:51:57 -0600, Jean Sacren wrote:
> From: Eric Dumazet <eric.dumazet@gmail.com>
> Date: Tue, 03 Sep 2013 15:29:12 -0700
> >
> > On Tue, 2013-09-03 at 15:59 -0600, Jean Sacren wrote:
> > > From: Eric Dumazet <eric.dumazet@gmail.com>
> > > Date: Tue, 03 Sep 2013 13:35:17 -0700
> > > >
> > > > How did you get your conclusion ?
> > > 
> > > If one changes one line of code, doesn't one own that line?
> > > 
> > 
> > 'Owning' like he is the guy who can sell it ? OK I understand now
> > so many people send 'cleanups' ;)
> 
> 'Owning' like he is the guy who is responsible for the change. Whether
> you understand it or not, that's your own business.
> 
> The idea was by taking one example to determine who is really to blame
> for: Is the one passing on the bug responsible? Thanks to Daniel
> Borkmann for the answer.

Eric is correct, the bug was introduced by me.

Sorry for it. Daniel, thanks for fixing it.

Acked-by: Jiri Benc <jbenc@redhat.com>

-- 
Jiri Benc

Re: [PATCH net] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv

[David Miller]

From: Daniel Borkmann <dborkman@redhat.com>
Date: Tue,  3 Sep 2013 19:29:12 +0200

> In tcp_v6_do_rcv() code, when processing pkt options, we soley work
> on our skb clone opt_skb that we've created earlier before entering
> tcp_rcv_established() on our way. However, only in condition ...
> 
>   if (np->rxopt.bits.rxtclass)
>     np->rcv_tclass = ipv6_get_dsfield(ipv6_hdr(skb));
> 
> ... we work on skb itself. As we extract every other information out
> of opt_skb in ipv6_pktoptions path, this seems wrong, since skb can
> already be released by tcp_rcv_established() earlier on. When we try
> to access it in ipv6_hdr(), we will dereference freed skb.
> 
> Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>

Applied.