]>
Commit | Line | Data |
---|---|---|
a9fba688 SL |
1 | From 446c142fa696959344b61879443d8b381cab7242 Mon Sep 17 00:00:00 2001 |
2 | From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | |
3 | Date: Thu, 4 Apr 2019 16:37:53 +0200 | |
4 | Subject: ipv6: sit: reset ip header pointer in ipip6_rcv | |
5 | ||
6 | [ Upstream commit bb9bd814ebf04f579be466ba61fc922625508807 ] | |
7 | ||
8 | ipip6 tunnels run iptunnel_pull_header on received skbs. This can | |
9 | determine the following use-after-free accessing iph pointer since | |
10 | the packet will be 'uncloned' running pskb_expand_head if it is a | |
11 | cloned gso skb (e.g if the packet has been sent though a veth device) | |
12 | ||
13 | [ 706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit] | |
14 | [ 706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/= | |
15 | [ 706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016 | |
16 | [ 706.771839] Call trace: | |
17 | [ 706.801159] dump_backtrace+0x0/0x2f8 | |
18 | [ 706.845079] show_stack+0x24/0x30 | |
19 | [ 706.884833] dump_stack+0xe0/0x11c | |
20 | [ 706.925629] print_address_description+0x68/0x260 | |
21 | [ 706.982070] kasan_report+0x178/0x340 | |
22 | [ 707.025995] __asan_report_load1_noabort+0x30/0x40 | |
23 | [ 707.083481] ipip6_rcv+0x1678/0x16e0 [sit] | |
24 | [ 707.132623] tunnel64_rcv+0xd4/0x200 [tunnel4] | |
25 | [ 707.185940] ip_local_deliver_finish+0x3b8/0x988 | |
26 | [ 707.241338] ip_local_deliver+0x144/0x470 | |
27 | [ 707.289436] ip_rcv_finish+0x43c/0x14b0 | |
28 | [ 707.335447] ip_rcv+0x628/0x1138 | |
29 | [ 707.374151] __netif_receive_skb_core+0x1670/0x2600 | |
30 | [ 707.432680] __netif_receive_skb+0x28/0x190 | |
31 | [ 707.482859] process_backlog+0x1d0/0x610 | |
32 | [ 707.529913] net_rx_action+0x37c/0xf68 | |
33 | [ 707.574882] __do_softirq+0x288/0x1018 | |
34 | [ 707.619852] run_ksoftirqd+0x70/0xa8 | |
35 | [ 707.662734] smpboot_thread_fn+0x3a4/0x9e8 | |
36 | [ 707.711875] kthread+0x2c8/0x350 | |
37 | [ 707.750583] ret_from_fork+0x10/0x18 | |
38 | ||
39 | [ 707.811302] Allocated by task 16982: | |
40 | [ 707.854182] kasan_kmalloc.part.1+0x40/0x108 | |
41 | [ 707.905405] kasan_kmalloc+0xb4/0xc8 | |
42 | [ 707.948291] kasan_slab_alloc+0x14/0x20 | |
43 | [ 707.994309] __kmalloc_node_track_caller+0x158/0x5e0 | |
44 | [ 708.053902] __kmalloc_reserve.isra.8+0x54/0xe0 | |
45 | [ 708.108280] __alloc_skb+0xd8/0x400 | |
46 | [ 708.150139] sk_stream_alloc_skb+0xa4/0x638 | |
47 | [ 708.200346] tcp_sendmsg_locked+0x818/0x2b90 | |
48 | [ 708.251581] tcp_sendmsg+0x40/0x60 | |
49 | [ 708.292376] inet_sendmsg+0xf0/0x520 | |
50 | [ 708.335259] sock_sendmsg+0xac/0xf8 | |
51 | [ 708.377096] sock_write_iter+0x1c0/0x2c0 | |
52 | [ 708.424154] new_sync_write+0x358/0x4a8 | |
53 | [ 708.470162] __vfs_write+0xc4/0xf8 | |
54 | [ 708.510950] vfs_write+0x12c/0x3d0 | |
55 | [ 708.551739] ksys_write+0xcc/0x178 | |
56 | [ 708.592533] __arm64_sys_write+0x70/0xa0 | |
57 | [ 708.639593] el0_svc_handler+0x13c/0x298 | |
58 | [ 708.686646] el0_svc+0x8/0xc | |
59 | ||
60 | [ 708.739019] Freed by task 17: | |
61 | [ 708.774597] __kasan_slab_free+0x114/0x228 | |
62 | [ 708.823736] kasan_slab_free+0x10/0x18 | |
63 | [ 708.868703] kfree+0x100/0x3d8 | |
64 | [ 708.905320] skb_free_head+0x7c/0x98 | |
65 | [ 708.948204] skb_release_data+0x320/0x490 | |
66 | [ 708.996301] pskb_expand_head+0x60c/0x970 | |
67 | [ 709.044399] __iptunnel_pull_header+0x3b8/0x5d0 | |
68 | [ 709.098770] ipip6_rcv+0x41c/0x16e0 [sit] | |
69 | [ 709.146873] tunnel64_rcv+0xd4/0x200 [tunnel4] | |
70 | [ 709.200195] ip_local_deliver_finish+0x3b8/0x988 | |
71 | [ 709.255596] ip_local_deliver+0x144/0x470 | |
72 | [ 709.303692] ip_rcv_finish+0x43c/0x14b0 | |
73 | [ 709.349705] ip_rcv+0x628/0x1138 | |
74 | [ 709.388413] __netif_receive_skb_core+0x1670/0x2600 | |
75 | [ 709.446943] __netif_receive_skb+0x28/0x190 | |
76 | [ 709.497120] process_backlog+0x1d0/0x610 | |
77 | [ 709.544169] net_rx_action+0x37c/0xf68 | |
78 | [ 709.589131] __do_softirq+0x288/0x1018 | |
79 | ||
80 | [ 709.651938] The buggy address belongs to the object at ffffe01b6bd85580 | |
81 | which belongs to the cache kmalloc-1024 of size 1024 | |
82 | [ 709.804356] The buggy address is located 117 bytes inside of | |
83 | 1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980) | |
84 | [ 709.946340] The buggy address belongs to the page: | |
85 | [ 710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0 | |
86 | [ 710.099914] flags: 0xfffff8000000100(slab) | |
87 | [ 710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600 | |
88 | [ 710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000 | |
89 | [ 710.334966] page dumped because: kasan: bad access detected | |
90 | ||
91 | Fix it resetting iph pointer after iptunnel_pull_header | |
92 | ||
93 | Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") | |
94 | Tested-by: Jianlin Shi <jishi@redhat.com> | |
95 | Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> | |
96 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
97 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
98 | --- | |
99 | net/ipv6/sit.c | 4 ++++ | |
100 | 1 file changed, 4 insertions(+) | |
101 | ||
102 | diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c | |
103 | index de9aa5cb295c..8f6cf8e6b5c1 100644 | |
104 | --- a/net/ipv6/sit.c | |
105 | +++ b/net/ipv6/sit.c | |
106 | @@ -669,6 +669,10 @@ static int ipip6_rcv(struct sk_buff *skb) | |
107 | !net_eq(tunnel->net, dev_net(tunnel->dev)))) | |
108 | goto out; | |
109 | ||
110 | + /* skb can be uncloned in iptunnel_pull_header, so | |
111 | + * old iph is no longer valid | |
112 | + */ | |
113 | + iph = (const struct iphdr *)skb_mac_header(skb); | |
114 | err = IP_ECN_decapsulate(iph, skb); | |
115 | if (unlikely(err)) { | |
116 | if (log_ecn_error) | |
117 | -- | |
118 | 2.19.1 | |
119 |