Netdev Archive on lore.kernel.org
 help / color / Atom feed
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Network Development <netdev@vger.kernel.org>,
	SinYu <liuxyon@gmail.com>,
	David L Stevens <david.stevens@oracle.com>,
	"David S . Miller" <davem@davemloft.net>
Subject: Re: [PATCH net v4] net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
Date: Fri, 19 Feb 2021 10:16:38 -0500
Message-ID: <CA+FuTSfGNLQXfbXcmfXgei3cxWUANk7ooQjJEnDrpdubpzwWPg@mail.gmail.com> (raw)
In-Reply-To: <20210219022532.2446968-1-Jason@zx2c4.com>

On Thu, Feb 18, 2021 at 9:25 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> The icmp{,v6}_send functions make all sorts of use of skb->cb, casting
> it with IPCB or IP6CB, assuming the skb to have come directly from the
> inet layer. But when the packet comes from the ndo layer, especially
> when forwarded, there's no telling what might be in skb->cb at that
> point. As a result, the icmp sending code risks reading bogus memory
> contents, which can result in nasty stack overflows such as this one
> reported by a user:
>
>     panic+0x108/0x2ea
>     __stack_chk_fail+0x14/0x20
>     __icmp_send+0x5bd/0x5c0
>     icmp_ndo_send+0x148/0x160
>
> In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read
> from it. The optlen parameter there is of particular note, as it can
> induce writes beyond bounds. There are quite a few ways that can happen
> in __ip_options_echo. For example:
>
>     // sptr/skb are attacker-controlled skb bytes
>     sptr = skb_network_header(skb);
>     // dptr/dopt points to stack memory allocated by __icmp_send
>     dptr = dopt->__data;
>     // sopt is the corrupt skb->cb in question
>     if (sopt->rr) {
>         optlen  = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data
>         soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data
>         // this now writes potentially attacker-controlled data, over
>         // flowing the stack:
>         memcpy(dptr, sptr+sopt->rr, optlen);
>     }
>
> In the icmpv6_send case, the story is similar, but not as dire, as only
> IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is
> worse than the iif case, but it is passed to ipv6_find_tlv, which does
> a bit of bounds checking on the value.
>
> This is easy to simulate by doing a `memset(skb->cb, 0x41,
> sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by
> good fortune and the rarity of icmp sending from that context that we've
> avoided reports like this until now. For example, in KASAN:
>
>     BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0
>     Write of size 38 at addr ffff888006f1f80e by task ping/89
>     CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5
>     Call Trace:
>      dump_stack+0x9a/0xcc
>      print_address_description.constprop.0+0x1a/0x160
>      __kasan_report.cold+0x20/0x38
>      kasan_report+0x32/0x40
>      check_memory_region+0x145/0x1a0
>      memcpy+0x39/0x60
>      __ip_options_echo+0xa0e/0x12b0
>      __icmp_send+0x744/0x1700
>
> Actually, out of the 4 drivers that do this, only gtp zeroed the cb for
> the v4 case, while the rest did not. So this commit actually removes the
> gtp-specific zeroing, while putting the code where it belongs in the
> shared infrastructure of icmp{,v6}_ndo_send.
>
> This commit fixes the issue by passing an empty IPCB or IP6CB along to
> the functions that actually do the work. For the icmp_send, this was
> already trivial, thanks to __icmp_send providing the plumbing function.
> For icmpv6_send, this required a tiny bit of refactoring to make it
> behave like the v4 case, after which it was straight forward.
>
> Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port MTUs")
> Reported-by: SinYu <liuxyon@gmail.com>
> Cc: Willem de Bruijn <willemb@google.com>
> Cc: David L Stevens <david.stevens@oracle.com>
> Cc: David S. Miller <davem@davemloft.net>
> Link: https://lore.kernel.org/netdev/CAF=yD-LOF116aHub6RMe8vB8ZpnrrnoTdqhobEx+bvoA8AsP0w@mail.gmail.com/T/
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

Reviewed-by: Willem de Bruijn <willemb@google.com>

Thanks adding more context, Jason.

  reply index

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-19  2:25 Jason A. Donenfeld
2021-02-19 15:16 ` Willem de Bruijn [this message]
2021-02-23  2:44 ` Jakub Kicinski
2021-02-23 13:18   ` [PATCH net v5] " Jason A. Donenfeld

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CA+FuTSfGNLQXfbXcmfXgei3cxWUANk7ooQjJEnDrpdubpzwWPg@mail.gmail.com \
    --to=willemdebruijn.kernel@gmail.com \
    --cc=Jason@zx2c4.com \
    --cc=davem@davemloft.net \
    --cc=david.stevens@oracle.com \
    --cc=liuxyon@gmail.com \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Netdev Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/netdev/0 netdev/git/0.git
	git clone --mirror https://lore.kernel.org/netdev/1 netdev/git/1.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 netdev netdev/ https://lore.kernel.org/netdev \
		netdev@vger.kernel.org
	public-inbox-index netdev

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.netdev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git