[PATCH] ipv6: Prevent overrun when parsing v6 header options

[PATCH] ipv6: Prevent overrun when parsing v6 header options

[Defang Bo]

Similar to commit<2423496af35>, the fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option.  Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.

Signed-off-by: Defang Bo <bodefang@126.com>
---
 net/ipv6/mip6.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 878fcec..adf984c 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -251,8 +251,7 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			       u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
+
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -261,6 +260,7 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
 	while (offset + 1 <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -287,12 +287,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_destopt_init_state(struct xfrm_state *x)
@@ -387,8 +390,7 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			     u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
+
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -396,7 +398,8 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -422,12 +425,15 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_rthdr_init_state(struct xfrm_state *x)
-- 
2.7.4

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[David Miller]

From: Defang Bo <bodefang@126.com>
Date: Sun, 27 Dec 2020 22:11:35 +0800

> Similar to commit<2423496af35>, the fragmentation code tries to parse the header options in order
> to figure out where to insert the fragment option.  Since nexthdr points
> to an invalid option, the calculation of the size of the network header
> can made to be much larger than the linear section of the skb and data
> is read outside of it.
> 
> Signed-off-by: Defang Bo <bodefang@126.com>

Could you please repost this with a proper Fixes: tag, thank you.

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Eric Dumazet]

On 6/3/19 11:59 PM, Yang Xiao wrote:
> Sorry, I don't get your point. Why is xfrm6_transport_output() buggy?
> The point is that there would be out-of-bound access in
> mip6_destopt_offset() and mip6_destopt_offset(), since there is no
> sanity check for offset.
> 
> There is chance that offset + sizeof(struct ipv6_opt_hdr) > packet_len.
> 
> As described in CVE-2017-9074:  "The IPv6 fragmentation implementation
> in the Linux kernel through 4.11.1 does not consider that the nexthdr
> field may be associated with an invalid option, which allows local
> users to cause a denial of service (out-of-bounds read and BUG)".
> 
> At the same time, there are bugs in  mip6_destopt_offset() and
> mip6_destopt_offset(), which is similar to CVE-2017-7542.
> 

I suggest that you stop the nonsense.

As explained by Herbert, your patch is not needed at all.

If this was needed, then we would have to fix the callers, which you did not.

Citing arbitrary CVE is of no use, we do not copy/paste patches or CVE.



> On Sat, Jun 1, 2019 at 1:35 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>>
>>
>>
>> On 5/30/19 8:04 PM, Yang Xiao wrote:
>>> On Fri, May 31, 2019 at 1:17 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>>>>
>>>>
>>>>
>>>> On 5/30/19 8:28 AM, Young Xiao wrote:
>>>>> The fragmentation code tries to parse the header options in order
>>>>> to figure out where to insert the fragment option.  Since nexthdr points
>>>>> to an invalid option, the calculation of the size of the network header
>>>>> can made to be much larger than the linear section of the skb and data
>>>>> is read outside of it.
>>>>>
>>>>> This vulnerability is similar to CVE-2017-9074.
>>>>>
>>>>> Signed-off-by: Young Xiao <92siuyang@gmail.com>
>>>>> ---
>>>>>  net/ipv6/mip6.c | 24 ++++++++++++++----------
>>>>>  1 file changed, 14 insertions(+), 10 deletions(-)
>>>>>
>>>>> diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
>>>>> index 64f0f7b..30ed1c5 100644
>>>>> --- a/net/ipv6/mip6.c
>>>>> +++ b/net/ipv6/mip6.c
>>>>> @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>>>                              u8 **nexthdr)
>>>>>  {
>>>>>       u16 offset = sizeof(struct ipv6hdr);
>>>>> -     struct ipv6_opt_hdr *exthdr =
>>>>> -                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
>>>>>       const unsigned char *nh = skb_network_header(skb);
>>>>>       unsigned int packet_len = skb_tail_pointer(skb) -
>>>>>               skb_network_header(skb);
>>>>> @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>>>
>>>>>       *nexthdr = &ipv6_hdr(skb)->nexthdr;
>>>>>
>>>>> -     while (offset + 1 <= packet_len) {
>>>>> +     while (offset <= packet_len) {
>>>>> +             struct ipv6_opt_hdr *exthdr;
>>>>>
>>>>>               switch (**nexthdr) {
>>>>>               case NEXTHDR_HOP:
>>>>> @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>>>                       return offset;
>>>>>               }
>>>>>
>>>>> +             if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
>>>>> +                     return -EINVAL;
>>>>> +
>>>>> +             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>>>>>               offset += ipv6_optlen(exthdr);
>>>>>               *nexthdr = &exthdr->nexthdr;
>>>>> -             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>>>>>       }
>>>>>
>>>>> -     return offset;
>>>>> +     return -EINVAL;
>>>>>  }
>>>>>
>>>>
>>>>
>>>> Ok, but have you checked that callers have been fixed ?
>>>
>>> I've checked the callers. There are two callers:
>>> xfrm6_transport_output() and xfrm6_ro_output(). There are checks in
>>> both function.
>>>
>>> ------------------------------------------------------------------------------
>>>         hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
>>>         if (hdr_len < 0)
>>>                 return hdr_len;
>>> ------------------------------------------------------------------------------
>>>>
>>>> xfrm6_transport_output() seems buggy as well,
>>>> unless the skbs are linearized before entering these functions ?
>>> I can not understand what you mean about this comment.
>>> Could you explain it in more detail.
>>
>>
>> If we had a problem, then the memmove(ipv6_hdr(skb), iph, hdr_len);
>>  in xfrm6_transport_output() would be buggy, since iph could also point to freed memory.
>>
>>
>>
> 
> 

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Yang Xiao]

Sorry, I don't get your point. Why is xfrm6_transport_output() buggy?
The point is that there would be out-of-bound access in
mip6_destopt_offset() and mip6_destopt_offset(), since there is no
sanity check for offset.

There is chance that offset + sizeof(struct ipv6_opt_hdr) > packet_len.

As described in CVE-2017-9074:  "The IPv6 fragmentation implementation
in the Linux kernel through 4.11.1 does not consider that the nexthdr
field may be associated with an invalid option, which allows local
users to cause a denial of service (out-of-bounds read and BUG)".

At the same time, there are bugs in  mip6_destopt_offset() and
mip6_destopt_offset(), which is similar to CVE-2017-7542.

On Sat, Jun 1, 2019 at 1:35 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 5/30/19 8:04 PM, Yang Xiao wrote:
> > On Fri, May 31, 2019 at 1:17 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
> >>
> >>
> >>
> >> On 5/30/19 8:28 AM, Young Xiao wrote:
> >>> The fragmentation code tries to parse the header options in order
> >>> to figure out where to insert the fragment option.  Since nexthdr points
> >>> to an invalid option, the calculation of the size of the network header
> >>> can made to be much larger than the linear section of the skb and data
> >>> is read outside of it.
> >>>
> >>> This vulnerability is similar to CVE-2017-9074.
> >>>
> >>> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> >>> ---
> >>>  net/ipv6/mip6.c | 24 ++++++++++++++----------
> >>>  1 file changed, 14 insertions(+), 10 deletions(-)
> >>>
> >>> diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
> >>> index 64f0f7b..30ed1c5 100644
> >>> --- a/net/ipv6/mip6.c
> >>> +++ b/net/ipv6/mip6.c
> >>> @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >>>                              u8 **nexthdr)
> >>>  {
> >>>       u16 offset = sizeof(struct ipv6hdr);
> >>> -     struct ipv6_opt_hdr *exthdr =
> >>> -                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
> >>>       const unsigned char *nh = skb_network_header(skb);
> >>>       unsigned int packet_len = skb_tail_pointer(skb) -
> >>>               skb_network_header(skb);
> >>> @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >>>
> >>>       *nexthdr = &ipv6_hdr(skb)->nexthdr;
> >>>
> >>> -     while (offset + 1 <= packet_len) {
> >>> +     while (offset <= packet_len) {
> >>> +             struct ipv6_opt_hdr *exthdr;
> >>>
> >>>               switch (**nexthdr) {
> >>>               case NEXTHDR_HOP:
> >>> @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >>>                       return offset;
> >>>               }
> >>>
> >>> +             if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
> >>> +                     return -EINVAL;
> >>> +
> >>> +             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> >>>               offset += ipv6_optlen(exthdr);
> >>>               *nexthdr = &exthdr->nexthdr;
> >>> -             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> >>>       }
> >>>
> >>> -     return offset;
> >>> +     return -EINVAL;
> >>>  }
> >>>
> >>
> >>
> >> Ok, but have you checked that callers have been fixed ?
> >
> > I've checked the callers. There are two callers:
> > xfrm6_transport_output() and xfrm6_ro_output(). There are checks in
> > both function.
> >
> > ------------------------------------------------------------------------------
> >         hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
> >         if (hdr_len < 0)
> >                 return hdr_len;
> > ------------------------------------------------------------------------------
> >>
> >> xfrm6_transport_output() seems buggy as well,
> >> unless the skbs are linearized before entering these functions ?
> > I can not understand what you mean about this comment.
> > Could you explain it in more detail.
>
>
> If we had a problem, then the memmove(ipv6_hdr(skb), iph, hdr_len);
>  in xfrm6_transport_output() would be buggy, since iph could also point to freed memory.
>
>
>


-- 
Best regards!

Young
-----------------------------------------------------------

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Eric Dumazet]

On 5/30/19 8:04 PM, Yang Xiao wrote:
> On Fri, May 31, 2019 at 1:17 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>>
>>
>>
>> On 5/30/19 8:28 AM, Young Xiao wrote:
>>> The fragmentation code tries to parse the header options in order
>>> to figure out where to insert the fragment option.  Since nexthdr points
>>> to an invalid option, the calculation of the size of the network header
>>> can made to be much larger than the linear section of the skb and data
>>> is read outside of it.
>>>
>>> This vulnerability is similar to CVE-2017-9074.
>>>
>>> Signed-off-by: Young Xiao <92siuyang@gmail.com>
>>> ---
>>>  net/ipv6/mip6.c | 24 ++++++++++++++----------
>>>  1 file changed, 14 insertions(+), 10 deletions(-)
>>>
>>> diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
>>> index 64f0f7b..30ed1c5 100644
>>> --- a/net/ipv6/mip6.c
>>> +++ b/net/ipv6/mip6.c
>>> @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>                              u8 **nexthdr)
>>>  {
>>>       u16 offset = sizeof(struct ipv6hdr);
>>> -     struct ipv6_opt_hdr *exthdr =
>>> -                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
>>>       const unsigned char *nh = skb_network_header(skb);
>>>       unsigned int packet_len = skb_tail_pointer(skb) -
>>>               skb_network_header(skb);
>>> @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>
>>>       *nexthdr = &ipv6_hdr(skb)->nexthdr;
>>>
>>> -     while (offset + 1 <= packet_len) {
>>> +     while (offset <= packet_len) {
>>> +             struct ipv6_opt_hdr *exthdr;
>>>
>>>               switch (**nexthdr) {
>>>               case NEXTHDR_HOP:
>>> @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>>>                       return offset;
>>>               }
>>>
>>> +             if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
>>> +                     return -EINVAL;
>>> +
>>> +             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>>>               offset += ipv6_optlen(exthdr);
>>>               *nexthdr = &exthdr->nexthdr;
>>> -             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>>>       }
>>>
>>> -     return offset;
>>> +     return -EINVAL;
>>>  }
>>>
>>
>>
>> Ok, but have you checked that callers have been fixed ?
> 
> I've checked the callers. There are two callers:
> xfrm6_transport_output() and xfrm6_ro_output(). There are checks in
> both function.
> 
> ------------------------------------------------------------------------------
>         hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
>         if (hdr_len < 0)
>                 return hdr_len;
> ------------------------------------------------------------------------------
>>
>> xfrm6_transport_output() seems buggy as well,
>> unless the skbs are linearized before entering these functions ?
> I can not understand what you mean about this comment.
> Could you explain it in more detail.


If we had a problem, then the memmove(ipv6_hdr(skb), iph, hdr_len);
 in xfrm6_transport_output() would be buggy, since iph could also point to freed memory.

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Yang Xiao]

On Fri, May 31, 2019 at 11:57 PM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 5/31/19 7:54 AM, Herbert Xu wrote:
> > On Fri, May 31, 2019 at 07:50:06AM -0700, Eric Dumazet wrote:
> >>
> >> What do you mean by should ?
> >>
> >> Are they currently already linearized before the function is called,
> >> or is it missing and a bug needs to be fixed ?
> >
> > AFAICS this is the code-path for locally generated outbound packets.
> > Under what circumstances can the IPv6 header be not in the head?
> >
> >
>
> I guess this means we had yet another random submission from Young Xiao :/

Excuse me, what do you mean about random submission from Young?
A month ago, I submitted the patch, and I was told that the format
should be correct.
Then, I resubmitted again.


>
> Thanks.
>

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Eric Dumazet]

On 5/31/19 7:54 AM, Herbert Xu wrote:
> On Fri, May 31, 2019 at 07:50:06AM -0700, Eric Dumazet wrote:
>>
>> What do you mean by should ?
>>
>> Are they currently already linearized before the function is called,
>> or is it missing and a bug needs to be fixed ?
> 
> AFAICS this is the code-path for locally generated outbound packets.
> Under what circumstances can the IPv6 header be not in the head?
> 
>

I guess this means we had yet another random submission from Young Xiao :/

Thanks.

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Herbert Xu]

On Fri, May 31, 2019 at 07:50:06AM -0700, Eric Dumazet wrote:
>
> What do you mean by should ?
> 
> Are they currently already linearized before the function is called,
> or is it missing and a bug needs to be fixed ?

AFAICS this is the code-path for locally generated outbound packets.
Under what circumstances can the IPv6 header be not in the head?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Eric Dumazet]

On 5/30/19 11:29 PM, Herbert Xu wrote:
> On Thu, May 30, 2019 at 10:17:04AM -0700, Eric Dumazet wrote:
>>
>> xfrm6_transport_output() seems buggy as well,
>> unless the skbs are linearized before entering these functions ?
> 
> The headers that it's moving should be linearised.  Is there
> something else I'm missing?
> 

What do you mean by should ?

Are they currently already linearized before the function is called,
or is it missing and a bug needs to be fixed ?

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Herbert Xu]

On Thu, May 30, 2019 at 10:17:04AM -0700, Eric Dumazet wrote:
>
> xfrm6_transport_output() seems buggy as well,
> unless the skbs are linearized before entering these functions ?

The headers that it's moving should be linearised.  Is there
something else I'm missing?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Yang Xiao]

On Fri, May 31, 2019 at 1:17 AM Eric Dumazet <eric.dumazet@gmail.com> wrote:
>
>
>
> On 5/30/19 8:28 AM, Young Xiao wrote:
> > The fragmentation code tries to parse the header options in order
> > to figure out where to insert the fragment option.  Since nexthdr points
> > to an invalid option, the calculation of the size of the network header
> > can made to be much larger than the linear section of the skb and data
> > is read outside of it.
> >
> > This vulnerability is similar to CVE-2017-9074.
> >
> > Signed-off-by: Young Xiao <92siuyang@gmail.com>
> > ---
> >  net/ipv6/mip6.c | 24 ++++++++++++++----------
> >  1 file changed, 14 insertions(+), 10 deletions(-)
> >
> > diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
> > index 64f0f7b..30ed1c5 100644
> > --- a/net/ipv6/mip6.c
> > +++ b/net/ipv6/mip6.c
> > @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >                              u8 **nexthdr)
> >  {
> >       u16 offset = sizeof(struct ipv6hdr);
> > -     struct ipv6_opt_hdr *exthdr =
> > -                                (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
> >       const unsigned char *nh = skb_network_header(skb);
> >       unsigned int packet_len = skb_tail_pointer(skb) -
> >               skb_network_header(skb);
> > @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >
> >       *nexthdr = &ipv6_hdr(skb)->nexthdr;
> >
> > -     while (offset + 1 <= packet_len) {
> > +     while (offset <= packet_len) {
> > +             struct ipv6_opt_hdr *exthdr;
> >
> >               switch (**nexthdr) {
> >               case NEXTHDR_HOP:
> > @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
> >                       return offset;
> >               }
> >
> > +             if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
> > +                     return -EINVAL;
> > +
> > +             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> >               offset += ipv6_optlen(exthdr);
> >               *nexthdr = &exthdr->nexthdr;
> > -             exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> >       }
> >
> > -     return offset;
> > +     return -EINVAL;
> >  }
> >
>
>
> Ok, but have you checked that callers have been fixed ?

I've checked the callers. There are two callers:
xfrm6_transport_output() and xfrm6_ro_output(). There are checks in
both function.

------------------------------------------------------------------------------
        hdr_len = x->type->hdr_offset(x, skb, &prevhdr);
        if (hdr_len < 0)
                return hdr_len;
------------------------------------------------------------------------------
>
> xfrm6_transport_output() seems buggy as well,
> unless the skbs are linearized before entering these functions ?
I can not understand what you mean about this comment.
Could you explain it in more detail.

>
> Thanks.
>
>
>

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[Eric Dumazet]

On 5/30/19 8:28 AM, Young Xiao wrote:
> The fragmentation code tries to parse the header options in order
> to figure out where to insert the fragment option.  Since nexthdr points
> to an invalid option, the calculation of the size of the network header
> can made to be much larger than the linear section of the skb and data
> is read outside of it.
> 
> This vulnerability is similar to CVE-2017-9074.
> 
> Signed-off-by: Young Xiao <92siuyang@gmail.com>
> ---
>  net/ipv6/mip6.c | 24 ++++++++++++++----------
>  1 file changed, 14 insertions(+), 10 deletions(-)
> 
> diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
> index 64f0f7b..30ed1c5 100644
> --- a/net/ipv6/mip6.c
> +++ b/net/ipv6/mip6.c
> @@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>  			       u8 **nexthdr)
>  {
>  	u16 offset = sizeof(struct ipv6hdr);
> -	struct ipv6_opt_hdr *exthdr =
> -				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
>  	const unsigned char *nh = skb_network_header(skb);
>  	unsigned int packet_len = skb_tail_pointer(skb) -
>  		skb_network_header(skb);
> @@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>  
>  	*nexthdr = &ipv6_hdr(skb)->nexthdr;
>  
> -	while (offset + 1 <= packet_len) {
> +	while (offset <= packet_len) {
> +		struct ipv6_opt_hdr *exthdr;
>  
>  		switch (**nexthdr) {
>  		case NEXTHDR_HOP:
> @@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
>  			return offset;
>  		}
>  
> +		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
> +			return -EINVAL;
> +
> +		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>  		offset += ipv6_optlen(exthdr);
>  		*nexthdr = &exthdr->nexthdr;
> -		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>  	}
>  
> -	return offset;
> +	return -EINVAL;
>  }
>


Ok, but have you checked that callers have been fixed ?

xfrm6_transport_output() seems buggy as well,
unless the skbs are linearized before entering these functions ?

Thanks.

[PATCH] ipv6: Prevent overrun when parsing v6 header options

[Young Xiao]

The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option.  Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.

This vulnerability is similar to CVE-2017-9074.

Signed-off-by: Young Xiao <92siuyang@gmail.com>
---
 net/ipv6/mip6.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 64f0f7b..30ed1c5 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			       u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -299,12 +298,15 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_destopt_init_state(struct xfrm_state *x)
@@ -399,8 +401,6 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			     u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -408,7 +408,8 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -434,12 +435,15 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_rthdr_init_state(struct xfrm_state *x)
-- 
2.7.4

Re: [PATCH] ipv6: Prevent overrun when parsing v6 header options

[David Miller]

From: Young Xiao <92siuyang@gmail.com>
Date: Fri, 12 Apr 2019 11:34:08 +0800

> -		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
> +
>  	}

Please just completely delete this line, and do not add an empty line before
the closing braces.

Thank you very much.

[PATCH] ipv6: Prevent overrun when parsing v6 header options

[Young Xiao]

From: Young Xiao <YangX92@hotmail.com>

The fragmentation code tries to parse the header options in order
to figure out where to insert the fragment option.  Since nexthdr points
to an invalid option, the calculation of the size of the network header
can made to be much larger than the linear section of the skb and data
is read outside of it.

This vulnerability is similar to CVE-2017-9074.

Signed-off-by: Young Xiao <YangX92@hotmail.com>
---
 net/ipv6/mip6.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 64f0f7b..1b3a6e4 100644
--- a/net/ipv6/mip6.c
+++ b/net/ipv6/mip6.c
@@ -263,8 +263,6 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			       u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -272,7 +270,8 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -299,12 +298,16 @@ static int mip6_destopt_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
+
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_destopt_init_state(struct xfrm_state *x)
@@ -399,8 +402,6 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			     u8 **nexthdr)
 {
 	u16 offset = sizeof(struct ipv6hdr);
-	struct ipv6_opt_hdr *exthdr =
-				   (struct ipv6_opt_hdr *)(ipv6_hdr(skb) + 1);
 	const unsigned char *nh = skb_network_header(skb);
 	unsigned int packet_len = skb_tail_pointer(skb) -
 		skb_network_header(skb);
@@ -408,7 +409,8 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 
 	*nexthdr = &ipv6_hdr(skb)->nexthdr;
 
-	while (offset + 1 <= packet_len) {
+	while (offset <= packet_len) {
+		struct ipv6_opt_hdr *exthdr;
 
 		switch (**nexthdr) {
 		case NEXTHDR_HOP:
@@ -434,12 +436,16 @@ static int mip6_rthdr_offset(struct xfrm_state *x, struct sk_buff *skb,
 			return offset;
 		}
 
+		if (offset + sizeof(struct ipv6_opt_hdr) > packet_len)
+			return -EINVAL;
+
+		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
+
 		offset += ipv6_optlen(exthdr);
 		*nexthdr = &exthdr->nexthdr;
-		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 	}
 
-	return offset;
+	return -EINVAL;
 }
 
 static int mip6_rthdr_init_state(struct xfrm_state *x)
-- 
1.9.1