[thirdparty/kernel/stable-queue.git] / queue-5.10 / erspan-make-sure-erspan_base_hdr-is-present-in-skb-head.patch

From 17af420545a750f763025149fa7b833a4fc8b8f0 Mon Sep 17 00:00:00 2001
From: Eric Dumazet <edumazet@google.com>
Date: Thu, 28 Mar 2024 11:22:48 +0000
Subject: erspan: make sure erspan_base_hdr is present in skb->head

From: Eric Dumazet <edumazet@google.com>

commit 17af420545a750f763025149fa7b833a4fc8b8f0 upstream.

syzbot reported a problem in ip6erspan_rcv() [1]

Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
sure erspan_base_hdr is present in skb linear part (skb->head)
before getting @ver field from it.

Add the missing pskb_may_pull() calls.

v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
    because skb->head might have changed.

[1]

 BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
 BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
 BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
 BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
  pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
  pskb_may_pull include/linux/skbuff.h:2756 [inline]
  ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
  gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
  ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
  dst_input include/net/dst.h:460 [inline]
  ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
  __netif_receive_skb_one_core net/core/dev.c:5538 [inline]
  __netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
  netif_receive_skb_internal net/core/dev.c:5738 [inline]
  netif_receive_skb+0x58/0x660 net/core/dev.c:5798
  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
  tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
  call_write_iter include/linux/fs.h:2108 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb63/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

Uninit was created at:
  slab_post_alloc_hook mm/slub.c:3804 [inline]
  slab_alloc_node mm/slub.c:3845 [inline]
  kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
  __alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
  alloc_skb include/linux/skbuff.h:1318 [inline]
  alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
  sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
  tun_alloc_skb drivers/net/tun.c:1525 [inline]
  tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
  call_write_iter include/linux/fs.h:2108 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb63/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xe0 fs/read_write.c:652
 do_syscall_64+0xd5/0x1f0
 entry_SYSCALL_64_after_hwframe+0x6d/0x75

CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0

Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_gre.c  |    5 +++++
 net/ipv6/ip6_gre.c |    3 +++
 2 files changed, 8 insertions(+)

--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -278,8 +278,13 @@ static int erspan_rcv(struct sk_buff *sk
 					  tpi->flags | TUNNEL_NO_KEY,
 					  iph->saddr, iph->daddr, 0);
 	} else {
+		if (unlikely(!pskb_may_pull(skb,
+					    gre_hdr_len + sizeof(*ershdr))))
+			return PACKET_REJECT;
+
 		ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
 		ver = ershdr->ver;
+		iph = ip_hdr(skb);
 		tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
 					  tpi->flags | TUNNEL_KEY,
 					  iph->saddr, iph->daddr, tpi->key);
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -533,6 +533,9 @@ static int ip6erspan_rcv(struct sk_buff
 	struct ip6_tnl *tunnel;
 	u8 ver;
 
+	if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
+		return PACKET_REJECT;
+
 	ipv6h = ipv6_hdr(skb);
 	ershdr = (struct erspan_base_hdr *)skb->data;
 	ver = ershdr->ver;
Commit	Line	Data
b9b8764a GKH	1	From 17af420545a750f763025149fa7b833a4fc8b8f0 Mon Sep 17 00:00:00 2001
	2	From: Eric Dumazet <edumazet@google.com>
	3	Date: Thu, 28 Mar 2024 11:22:48 +0000
	4	Subject: erspan: make sure erspan_base_hdr is present in skb->head
	5
	6	From: Eric Dumazet <edumazet@google.com>
	7
	8	commit 17af420545a750f763025149fa7b833a4fc8b8f0 upstream.
	9
	10	syzbot reported a problem in ip6erspan_rcv() [1]
	11
	12	Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
	13	sure erspan_base_hdr is present in skb linear part (skb->head)
	14	before getting @ver field from it.
	15
	16	Add the missing pskb_may_pull() calls.
	17
	18	v2: Reload iph pointer in erspan_rcv() after pskb_may_pull()
	19	because skb->head might have changed.
	20
	21	[1]
	22
	23	BUG: KMSAN: uninit-value in pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
	24	BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2756 [inline]
	25	BUG: KMSAN: uninit-value in ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
	26	BUG: KMSAN: uninit-value in gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
	27	pskb_may_pull_reason include/linux/skbuff.h:2742 [inline]
	28	pskb_may_pull include/linux/skbuff.h:2756 [inline]
	29	ip6erspan_rcv net/ipv6/ip6_gre.c:541 [inline]
	30	gre_rcv+0x11f8/0x1930 net/ipv6/ip6_gre.c:610
	31	ip6_protocol_deliver_rcu+0x1d4c/0x2ca0 net/ipv6/ip6_input.c:438
	32	ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
	33	NF_HOOK include/linux/netfilter.h:314 [inline]
	34	ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
	35	ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
	36	dst_input include/net/dst.h:460 [inline]
	37	ip6_rcv_finish+0x955/0x970 net/ipv6/ip6_input.c:79
	38	NF_HOOK include/linux/netfilter.h:314 [inline]
	39	ipv6_rcv+0xde/0x390 net/ipv6/ip6_input.c:310
	40	__netif_receive_skb_one_core net/core/dev.c:5538 [inline]
	41	__netif_receive_skb+0x1da/0xa00 net/core/dev.c:5652
	42	netif_receive_skb_internal net/core/dev.c:5738 [inline]
	43	netif_receive_skb+0x58/0x660 net/core/dev.c:5798
	44	tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1549
	45	tun_get_user+0x5566/0x69e0 drivers/net/tun.c:2002
	46	tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
	47	call_write_iter include/linux/fs.h:2108 [inline]
	48	new_sync_write fs/read_write.c:497 [inline]
	49	vfs_write+0xb63/0x1520 fs/read_write.c:590
	50	ksys_write+0x20f/0x4c0 fs/read_write.c:643
	51	__do_sys_write fs/read_write.c:655 [inline]
	52	__se_sys_write fs/read_write.c:652 [inline]
	53	__x64_sys_write+0x93/0xe0 fs/read_write.c:652
	54	do_syscall_64+0xd5/0x1f0
	55	entry_SYSCALL_64_after_hwframe+0x6d/0x75
	56
	57	Uninit was created at:
	58	slab_post_alloc_hook mm/slub.c:3804 [inline]
	59	slab_alloc_node mm/slub.c:3845 [inline]
	60	kmem_cache_alloc_node+0x613/0xc50 mm/slub.c:3888
	61	kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:577
	62	__alloc_skb+0x35b/0x7a0 net/core/skbuff.c:668
	63	alloc_skb include/linux/skbuff.h:1318 [inline]
	64	alloc_skb_with_frags+0xc8/0xbf0 net/core/skbuff.c:6504
65	sock_alloc_send_pskb+0xa81/0xbf0 net/core/sock.c:2795
66	tun_alloc_skb drivers/net/tun.c:1525 [inline]
67	tun_get_user+0x209a/0x69e0 drivers/net/tun.c:1846
68	tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
69	call_write_iter include/linux/fs.h:2108 [inline]
70	new_sync_write fs/read_write.c:497 [inline]
71	vfs_write+0xb63/0x1520 fs/read_write.c:590
72	ksys_write+0x20f/0x4c0 fs/read_write.c:643
73	__do_sys_write fs/read_write.c:655 [inline]
74	__se_sys_write fs/read_write.c:652 [inline]
75	__x64_sys_write+0x93/0xe0 fs/read_write.c:652
76	do_syscall_64+0xd5/0x1f0
77	entry_SYSCALL_64_after_hwframe+0x6d/0x75
78
79	CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
80
81	Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
82	Reported-by: syzbot+1c1cf138518bf0c53d68@syzkaller.appspotmail.com
83	Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
84	Signed-off-by: Eric Dumazet <edumazet@google.com>
85	Cc: Lorenzo Bianconi <lorenzo@kernel.org>
86	Link: https://lore.kernel.org/r/20240328112248.1101491-1-edumazet@google.com
87	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
88	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
89	---
90	net/ipv4/ip_gre.c \| 5 +++++
91	net/ipv6/ip6_gre.c \| 3 +++
92	2 files changed, 8 insertions(+)
93
94	--- a/net/ipv4/ip_gre.c
95	+++ b/net/ipv4/ip_gre.c
96	@@ -278,8 +278,13 @@ static int erspan_rcv(struct sk_buff *sk
97	tpi->flags \| TUNNEL_NO_KEY,
98	iph->saddr, iph->daddr, 0);
99	} else {
100	+ if (unlikely(!pskb_may_pull(skb,
101	+ gre_hdr_len + sizeof(*ershdr))))
102	+ return PACKET_REJECT;
103	+
104	ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
105	ver = ershdr->ver;
106	+ iph = ip_hdr(skb);
107	tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
108	tpi->flags \| TUNNEL_KEY,
109	iph->saddr, iph->daddr, tpi->key);
110	--- a/net/ipv6/ip6_gre.c
111	+++ b/net/ipv6/ip6_gre.c
112	@@ -533,6 +533,9 @@ static int ip6erspan_rcv(struct sk_buff
113	struct ip6_tnl *tunnel;
114	u8 ver;
115
116	+ if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
117	+ return PACKET_REJECT;
118	+
119	ipv6h = ipv6_hdr(skb);
120	ershdr = (struct erspan_base_hdr *)skb->data;
121	ver = ershdr->ver;