* [PATCH net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
@ 2020-10-20 22:02 Davide Caratti
2020-10-21 0:33 ` Cong Wang
0 siblings, 1 reply; 3+ messages in thread
From: Davide Caratti @ 2020-10-20 22:02 UTC (permalink / raw)
To: Jakub Kicinski, David S. Miller, Jiri Pirko, Cong Wang, Jamal Hadi Salim
Cc: Simon Horman, Shuang Li, netdev
the following command
# tc action add action tunnel_key \
> set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0
generates the following splat:
BUG: KASAN: slab-out-of-bounds in tunnel_key_copy_opts+0xcc9/0x1010 [act_tunnel_key]
Write of size 4 at addr ffff88813f5f1cc8 by task tc/873
CPU: 2 PID: 873 Comm: tc Not tainted 5.9.0+ #282
Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
Call Trace:
dump_stack+0x99/0xcb
print_address_description.constprop.7+0x1e/0x230
kasan_report.cold.13+0x37/0x7c
tunnel_key_copy_opts+0xcc9/0x1010 [act_tunnel_key]
tunnel_key_init+0x160c/0x1f40 [act_tunnel_key]
tcf_action_init_1+0x5b5/0x850
tcf_action_init+0x15d/0x370
tcf_action_add+0xd9/0x2f0
tc_ctl_action+0x29b/0x3a0
rtnetlink_rcv_msg+0x341/0x8d0
netlink_rcv_skb+0x120/0x380
netlink_unicast+0x439/0x630
netlink_sendmsg+0x719/0xbf0
sock_sendmsg+0xe2/0x110
____sys_sendmsg+0x5ba/0x890
___sys_sendmsg+0xe9/0x160
__sys_sendmsg+0xd3/0x170
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f872a96b338
Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
RSP: 002b:00007ffffe367518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000005f8f5aed RCX: 00007f872a96b338
RDX: 0000000000000000 RSI: 00007ffffe367580 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000001c
R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000001
R13: 0000000000686760 R14: 0000000000000601 R15: 0000000000000000
Allocated by task 873:
kasan_save_stack+0x19/0x40
__kasan_kmalloc.constprop.7+0xc1/0xd0
__kmalloc+0x151/0x310
metadata_dst_alloc+0x20/0x40
tunnel_key_init+0xfff/0x1f40 [act_tunnel_key]
tcf_action_init_1+0x5b5/0x850
tcf_action_init+0x15d/0x370
tcf_action_add+0xd9/0x2f0
tc_ctl_action+0x29b/0x3a0
rtnetlink_rcv_msg+0x341/0x8d0
netlink_rcv_skb+0x120/0x380
netlink_unicast+0x439/0x630
netlink_sendmsg+0x719/0xbf0
sock_sendmsg+0xe2/0x110
____sys_sendmsg+0x5ba/0x890
___sys_sendmsg+0xe9/0x160
__sys_sendmsg+0xd3/0x170
do_syscall_64+0x33/0x40
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff88813f5f1c00
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 200 bytes inside of
256-byte region [ffff88813f5f1c00, ffff88813f5f1d00)
The buggy address belongs to the page:
page:0000000011b48a19 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13f5f0
head:0000000011b48a19 order:1 compound_mapcount:0
flags: 0x17ffffc0010200(slab|head)
raw: 0017ffffc0010200 0000000000000000 0000000d00000001 ffff888107c43400
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88813f5f1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88813f5f1c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88813f5f1c80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
^
ffff88813f5f1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88813f5f1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for
the tunnel metadata, but then it expects additional bytes to store tunnel
specific metadata with tunnel_key_copy_opts().
Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the
size previously computed by tunnel_key_get_opts_len(), like it's done for
IPv4 tunnels.
Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
net/sched/act_tunnel_key.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sched/act_tunnel_key.c b/net/sched/act_tunnel_key.c
index a229751ee8c4..85c0d0d5b9da 100644
--- a/net/sched/act_tunnel_key.c
+++ b/net/sched/act_tunnel_key.c
@@ -459,7 +459,7 @@ static int tunnel_key_init(struct net *net, struct nlattr *nla,
metadata = __ipv6_tun_set_dst(&saddr, &daddr, tos, ttl, dst_port,
0, flags,
- key_id, 0);
+ key_id, opts_len);
} else {
NL_SET_ERR_MSG(extack, "Missing either ipv4 or ipv6 src and dst");
ret = -EINVAL;
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
2020-10-20 22:02 [PATCH net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels Davide Caratti
@ 2020-10-21 0:33 ` Cong Wang
2020-10-21 4:12 ` Jakub Kicinski
0 siblings, 1 reply; 3+ messages in thread
From: Cong Wang @ 2020-10-21 0:33 UTC (permalink / raw)
To: Davide Caratti
Cc: Jakub Kicinski, David S. Miller, Jiri Pirko, Jamal Hadi Salim,
Simon Horman, Shuang Li, Linux Kernel Network Developers
On Tue, Oct 20, 2020 at 3:03 PM Davide Caratti <dcaratti@redhat.com> wrote:
>
> the following command
>
> # tc action add action tunnel_key \
> > set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0
>
> generates the following splat:
...
> using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for
> the tunnel metadata, but then it expects additional bytes to store tunnel
> specific metadata with tunnel_key_copy_opts().
>
> Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the
> size previously computed by tunnel_key_get_opts_len(), like it's done for
> IPv4 tunnels.
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels
2020-10-21 0:33 ` Cong Wang
@ 2020-10-21 4:12 ` Jakub Kicinski
0 siblings, 0 replies; 3+ messages in thread
From: Jakub Kicinski @ 2020-10-21 4:12 UTC (permalink / raw)
To: Cong Wang
Cc: Davide Caratti, David S. Miller, Jiri Pirko, Jamal Hadi Salim,
Simon Horman, Shuang Li, Linux Kernel Network Developers
On Tue, 20 Oct 2020 17:33:22 -0700 Cong Wang wrote:
> On Tue, Oct 20, 2020 at 3:03 PM Davide Caratti <dcaratti@redhat.com> wrote:
> >
> > the following command
> >
> > # tc action add action tunnel_key \
> > > set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0
> >
> > generates the following splat:
> ...
> > using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for
> > the tunnel metadata, but then it expects additional bytes to store tunnel
> > specific metadata with tunnel_key_copy_opts().
> >
> > Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the
> > size previously computed by tunnel_key_get_opts_len(), like it's done for
> > IPv4 tunnels.
>
> Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Applied, thank you!
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-21 4:12 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-20 22:02 [PATCH net] net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels Davide Caratti
2020-10-21 0:33 ` Cong Wang
2020-10-21 4:12 ` Jakub Kicinski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).