From: Greg Kroah-Hartman Date: Mon, 21 Jan 2019 08:15:11 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.20.4~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5b4e72ed7ca546e126a21682abdb7d904c98e08b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch packet-do-not-leak-dev-refcounts-on-error-exit.patch --- diff --git a/queue-4.4/ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch b/queue-4.4/ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch new file mode 100644 index 00000000000..fd44c72172c --- /dev/null +++ b/queue-4.4/ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch @@ -0,0 +1,80 @@ +From foo@baz Mon Jan 21 09:11:03 CET 2019 +From: Willem de Bruijn +Date: Mon, 7 Jan 2019 16:47:33 -0500 +Subject: ip: on queued skb use skb_header_pointer instead of pskb_may_pull + +From: Willem de Bruijn + +[ Upstream commit 4a06fa67c4da20148803525151845276cdb995c1 ] + +Commit 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call +pskb_may_pull") avoided a read beyond the end of the skb linear +segment by calling pskb_may_pull. + +That function can trigger a BUG_ON in pskb_expand_head if the skb is +shared, which it is when when peeking. It can also return ENOMEM. + +Avoid both by switching to safer skb_header_pointer. + +Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull") +Reported-by: syzbot +Suggested-by: Eric Dumazet +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_sockglue.c | 12 +++++------- + net/ipv6/datagram.c | 10 ++++------ + 2 files changed, 9 insertions(+), 13 deletions(-) + +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -133,19 +133,17 @@ static void ip_cmsg_recv_security(struct + + static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) + { ++ __be16 _ports[2], *ports; + struct sockaddr_in sin; +- __be16 *ports; +- int end; +- +- end = skb_transport_offset(skb) + 4; +- if (end > 0 && !pskb_may_pull(skb, end)) +- return; + + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ +- ports = (__be16 *)skb_transport_header(skb); ++ ports = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_ports), &_ports); ++ if (!ports) ++ return; + + sin.sin_family = AF_INET; + sin.sin_addr.s_addr = ip_hdr(skb)->daddr; +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -658,17 +658,15 @@ void ip6_datagram_recv_specific_ctl(stru + } + if (np->rxopt.bits.rxorigdstaddr) { + struct sockaddr_in6 sin6; +- __be16 *ports; +- int end; ++ __be16 _ports[2], *ports; + +- end = skb_transport_offset(skb) + 4; +- if (end <= 0 || pskb_may_pull(skb, end)) { ++ ports = skb_header_pointer(skb, skb_transport_offset(skb), ++ sizeof(_ports), &_ports); ++ if (ports) { + /* All current transport protocols have the port numbers in the + * first four bytes of the transport header and this function is + * written with this assumption in mind. + */ +- ports = (__be16 *)skb_transport_header(skb); +- + sin6.sin6_family = AF_INET6; + sin6.sin6_addr = ipv6_hdr(skb)->daddr; + sin6.sin6_port = ports[1]; diff --git a/queue-4.4/ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch b/queue-4.4/ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch new file mode 100644 index 00000000000..d293e305894 --- /dev/null +++ b/queue-4.4/ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch @@ -0,0 +1,105 @@ +From foo@baz Mon Jan 21 09:11:03 CET 2019 +From: Eric Dumazet +Date: Tue, 8 Jan 2019 04:06:14 -0800 +Subject: ipv6: fix kernel-infoleak in ipv6_local_error() + +From: Eric Dumazet + +[ Upstream commit 7d033c9f6a7fd3821af75620a0257db87c2b552a ] + +This patch makes sure the flow label in the IPv6 header +forged in ipv6_local_error() is initialized. + +BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 +CPU: 1 PID: 24675 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #4 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x173/0x1d0 lib/dump_stack.c:113 + kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613 + kmsan_internal_check_memory+0x455/0xb00 mm/kmsan/kmsan.c:675 + kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601 + _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32 + copy_to_user include/linux/uaccess.h:177 [inline] + move_addr_to_user+0x2e9/0x4f0 net/socket.c:227 + ___sys_recvmsg+0x5d7/0x1140 net/socket.c:2284 + __sys_recvmsg net/socket.c:2327 [inline] + __do_sys_recvmsg net/socket.c:2337 [inline] + __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334 + __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 +RIP: 0033:0x457ec9 +Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f8750c06c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9 +RDX: 0000000000002000 RSI: 0000000020000400 RDI: 0000000000000005 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8750c076d4 +R13: 00000000004c4a60 R14: 00000000004d8140 R15: 00000000ffffffff + +Uninit was stored to memory at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:219 [inline] + kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:439 + __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200 + ipv6_recv_error+0x1e3f/0x1eb0 net/ipv6/datagram.c:475 + udpv6_recvmsg+0x398/0x2ab0 net/ipv6/udp.c:335 + inet_recvmsg+0x4fb/0x600 net/ipv4/af_inet.c:830 + sock_recvmsg_nosec net/socket.c:794 [inline] + sock_recvmsg+0x1d1/0x230 net/socket.c:801 + ___sys_recvmsg+0x4d5/0x1140 net/socket.c:2278 + __sys_recvmsg net/socket.c:2327 [inline] + __do_sys_recvmsg net/socket.c:2337 [inline] + __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334 + __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline] + kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158 + kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176 + kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185 + slab_post_alloc_hook mm/slab.h:446 [inline] + slab_alloc_node mm/slub.c:2759 [inline] + __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383 + __kmalloc_reserve net/core/skbuff.c:137 [inline] + __alloc_skb+0x309/0xa20 net/core/skbuff.c:205 + alloc_skb include/linux/skbuff.h:998 [inline] + ipv6_local_error+0x1a7/0x9e0 net/ipv6/datagram.c:334 + __ip6_append_data+0x129f/0x4fd0 net/ipv6/ip6_output.c:1311 + ip6_make_skb+0x6cc/0xcf0 net/ipv6/ip6_output.c:1775 + udpv6_sendmsg+0x3f8e/0x45d0 net/ipv6/udp.c:1384 + inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798 + sock_sendmsg_nosec net/socket.c:621 [inline] + sock_sendmsg net/socket.c:631 [inline] + __sys_sendto+0x8c4/0xac0 net/socket.c:1788 + __do_sys_sendto net/socket.c:1800 [inline] + __se_sys_sendto+0x107/0x130 net/socket.c:1796 + __x64_sys_sendto+0x6e/0x90 net/socket.c:1796 + do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291 + entry_SYSCALL_64_after_hwframe+0x63/0xe7 + +Bytes 4-7 of 28 are uninitialized +Memory access of size 28 starts at ffff8881937bfce0 +Data copied to user address 0000000020000000 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/datagram.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -290,6 +290,7 @@ void ipv6_local_error(struct sock *sk, i + skb_reset_network_header(skb); + iph = ipv6_hdr(skb); + iph->daddr = fl6->daddr; ++ ip6_flow_hdr(iph, 0, 0); + + serr = SKB_EXT_ERR(skb); + serr->ee.ee_errno = err; diff --git a/queue-4.4/net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch b/queue-4.4/net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch new file mode 100644 index 00000000000..ceb5317763e --- /dev/null +++ b/queue-4.4/net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Jan 21 09:11:03 CET 2019 +From: JianJhen Chen +Date: Sun, 6 Jan 2019 11:28:13 +0800 +Subject: net: bridge: fix a bug on using a neighbour cache entry without checking its state + +From: JianJhen Chen + +[ Upstream commit 4c84edc11b76590859b1e45dd676074c59602dc4 ] + +When handling DNAT'ed packets on a bridge device, the neighbour cache entry +from lookup was used without checking its state. It means that a cache entry +in the NUD_STALE state will be used directly instead of entering the NUD_DELAY +state to confirm the reachability of the neighbor. + +This problem becomes worse after commit 2724680bceee ("neigh: Keep neighbour +cache entries if number of them is small enough."), since all neighbour cache +entries in the NUD_STALE state will be kept in the neighbour table as long as +the number of cache entries does not exceed the value specified in gc_thresh1. + +This commit validates the state of a neighbour cache entry before using +the entry. + +Signed-off-by: JianJhen Chen +Reviewed-by: JinLin Chen +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_netfilter_hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -267,7 +267,7 @@ int br_nf_pre_routing_finish_bridge(stru + struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb); + int ret; + +- if (neigh->hh.hh_len) { ++ if ((neigh->nud_state & NUD_CONNECTED) && neigh->hh.hh_len) { + neigh_hh_bridge(&neigh->hh, skb); + skb->dev = nf_bridge->physindev; + ret = br_handle_frame_finish(net, sk, skb); diff --git a/queue-4.4/packet-do-not-leak-dev-refcounts-on-error-exit.patch b/queue-4.4/packet-do-not-leak-dev-refcounts-on-error-exit.patch new file mode 100644 index 00000000000..7d88552917e --- /dev/null +++ b/queue-4.4/packet-do-not-leak-dev-refcounts-on-error-exit.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Jan 21 09:11:03 CET 2019 +From: Jason Gunthorpe +Date: Tue, 8 Jan 2019 23:27:06 +0000 +Subject: packet: Do not leak dev refcounts on error exit + +From: Jason Gunthorpe + +[ Upstream commit d972f3dce8d161e2142da0ab1ef25df00e2f21a9 ] + +'dev' is non NULL when the addr_len check triggers so it must goto a label +that does the dev_put otherwise dev will have a leaked refcount. + +This bug causes the ib_ipoib module to become unloadable when using +systemd-network as it triggers this check on InfiniBand links. + +Fixes: 99137b7888f4 ("packet: validate address length") +Reported-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2514,7 +2514,7 @@ static int tpacket_snd(struct packet_soc + addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(&po->sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out; ++ goto out_put; + } + + err = -ENXIO; +@@ -2683,7 +2683,7 @@ static int packet_snd(struct socket *soc + addr = saddr->sll_halen ? saddr->sll_addr : NULL; + dev = dev_get_by_index(sock_net(sk), saddr->sll_ifindex); + if (addr && dev && saddr->sll_halen < dev->addr_len) +- goto out; ++ goto out_unlock; + } + + err = -ENXIO; diff --git a/queue-4.4/series b/queue-4.4/series index 2010a527b5e..eb6a3bef403 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -39,3 +39,7 @@ media-em28xx-fix-misplaced-reset-of-dev-v4l-field_count.patch proc-remove-empty-line-in-proc-self-status.patch arm64-kvm-consistently-handle-host-hcr_el2-flags.patch arm64-don-t-trap-host-pointer-auth-use-to-el2.patch +ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch +net-bridge-fix-a-bug-on-using-a-neighbour-cache-entry-without-checking-its-state.patch +packet-do-not-leak-dev-refcounts-on-error-exit.patch +ip-on-queued-skb-use-skb_header_pointer-instead-of-pskb_may_pull.patch