[thirdparty/kernel/stable-queue.git] / releases / 4.19.35 / ipv6-sit-reset-ip-header-pointer-in-ipip6_rcv.patch

From 446c142fa696959344b61879443d8b381cab7242 Mon Sep 17 00:00:00 2001
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Date: Thu, 4 Apr 2019 16:37:53 +0200
Subject: ipv6: sit: reset ip header pointer in ipip6_rcv

[ Upstream commit bb9bd814ebf04f579be466ba61fc922625508807 ]

ipip6 tunnels run iptunnel_pull_header on received skbs. This can
determine the following use-after-free accessing iph pointer since
the packet will be 'uncloned' running pskb_expand_head if it is a
cloned gso skb (e.g if the packet has been sent though a veth device)

[  706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
[  706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
[  706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
[  706.771839] Call trace:
[  706.801159]  dump_backtrace+0x0/0x2f8
[  706.845079]  show_stack+0x24/0x30
[  706.884833]  dump_stack+0xe0/0x11c
[  706.925629]  print_address_description+0x68/0x260
[  706.982070]  kasan_report+0x178/0x340
[  707.025995]  __asan_report_load1_noabort+0x30/0x40
[  707.083481]  ipip6_rcv+0x1678/0x16e0 [sit]
[  707.132623]  tunnel64_rcv+0xd4/0x200 [tunnel4]
[  707.185940]  ip_local_deliver_finish+0x3b8/0x988
[  707.241338]  ip_local_deliver+0x144/0x470
[  707.289436]  ip_rcv_finish+0x43c/0x14b0
[  707.335447]  ip_rcv+0x628/0x1138
[  707.374151]  __netif_receive_skb_core+0x1670/0x2600
[  707.432680]  __netif_receive_skb+0x28/0x190
[  707.482859]  process_backlog+0x1d0/0x610
[  707.529913]  net_rx_action+0x37c/0xf68
[  707.574882]  __do_softirq+0x288/0x1018
[  707.619852]  run_ksoftirqd+0x70/0xa8
[  707.662734]  smpboot_thread_fn+0x3a4/0x9e8
[  707.711875]  kthread+0x2c8/0x350
[  707.750583]  ret_from_fork+0x10/0x18

[  707.811302] Allocated by task 16982:
[  707.854182]  kasan_kmalloc.part.1+0x40/0x108
[  707.905405]  kasan_kmalloc+0xb4/0xc8
[  707.948291]  kasan_slab_alloc+0x14/0x20
[  707.994309]  __kmalloc_node_track_caller+0x158/0x5e0
[  708.053902]  __kmalloc_reserve.isra.8+0x54/0xe0
[  708.108280]  __alloc_skb+0xd8/0x400
[  708.150139]  sk_stream_alloc_skb+0xa4/0x638
[  708.200346]  tcp_sendmsg_locked+0x818/0x2b90
[  708.251581]  tcp_sendmsg+0x40/0x60
[  708.292376]  inet_sendmsg+0xf0/0x520
[  708.335259]  sock_sendmsg+0xac/0xf8
[  708.377096]  sock_write_iter+0x1c0/0x2c0
[  708.424154]  new_sync_write+0x358/0x4a8
[  708.470162]  __vfs_write+0xc4/0xf8
[  708.510950]  vfs_write+0x12c/0x3d0
[  708.551739]  ksys_write+0xcc/0x178
[  708.592533]  __arm64_sys_write+0x70/0xa0
[  708.639593]  el0_svc_handler+0x13c/0x298
[  708.686646]  el0_svc+0x8/0xc

[  708.739019] Freed by task 17:
[  708.774597]  __kasan_slab_free+0x114/0x228
[  708.823736]  kasan_slab_free+0x10/0x18
[  708.868703]  kfree+0x100/0x3d8
[  708.905320]  skb_free_head+0x7c/0x98
[  708.948204]  skb_release_data+0x320/0x490
[  708.996301]  pskb_expand_head+0x60c/0x970
[  709.044399]  __iptunnel_pull_header+0x3b8/0x5d0
[  709.098770]  ipip6_rcv+0x41c/0x16e0 [sit]
[  709.146873]  tunnel64_rcv+0xd4/0x200 [tunnel4]
[  709.200195]  ip_local_deliver_finish+0x3b8/0x988
[  709.255596]  ip_local_deliver+0x144/0x470
[  709.303692]  ip_rcv_finish+0x43c/0x14b0
[  709.349705]  ip_rcv+0x628/0x1138
[  709.388413]  __netif_receive_skb_core+0x1670/0x2600
[  709.446943]  __netif_receive_skb+0x28/0x190
[  709.497120]  process_backlog+0x1d0/0x610
[  709.544169]  net_rx_action+0x37c/0xf68
[  709.589131]  __do_softirq+0x288/0x1018

[  709.651938] The buggy address belongs to the object at ffffe01b6bd85580
                which belongs to the cache kmalloc-1024 of size 1024
[  709.804356] The buggy address is located 117 bytes inside of
                1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
[  709.946340] The buggy address belongs to the page:
[  710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
[  710.099914] flags: 0xfffff8000000100(slab)
[  710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
[  710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
[  710.334966] page dumped because: kasan: bad access detected

Fix it resetting iph pointer after iptunnel_pull_header

Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
Tested-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/sit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index de9aa5cb295c..8f6cf8e6b5c1 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -669,6 +669,10 @@ static int ipip6_rcv(struct sk_buff *skb)
 		    !net_eq(tunnel->net, dev_net(tunnel->dev))))
 			goto out;
 
+		/* skb can be uncloned in iptunnel_pull_header, so
+		 * old iph is no longer valid
+		 */
+		iph = (const struct iphdr *)skb_mac_header(skb);
 		err = IP_ECN_decapsulate(iph, skb);
 		if (unlikely(err)) {
 			if (log_ecn_error)
-- 
2.19.1
Commit	Line	Data
a9fba688 SL	1	From 446c142fa696959344b61879443d8b381cab7242 Mon Sep 17 00:00:00 2001
	2	From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
	3	Date: Thu, 4 Apr 2019 16:37:53 +0200
	4	Subject: ipv6: sit: reset ip header pointer in ipip6_rcv
	5
	6	[ Upstream commit bb9bd814ebf04f579be466ba61fc922625508807 ]
	7
	8	ipip6 tunnels run iptunnel_pull_header on received skbs. This can
	9	determine the following use-after-free accessing iph pointer since
	10	the packet will be 'uncloned' running pskb_expand_head if it is a
	11	cloned gso skb (e.g if the packet has been sent though a veth device)
	12
	13	[ 706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
	14	[ 706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
	15	[ 706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
	16	[ 706.771839] Call trace:
	17	[ 706.801159] dump_backtrace+0x0/0x2f8
	18	[ 706.845079] show_stack+0x24/0x30
	19	[ 706.884833] dump_stack+0xe0/0x11c
	20	[ 706.925629] print_address_description+0x68/0x260
	21	[ 706.982070] kasan_report+0x178/0x340
	22	[ 707.025995] __asan_report_load1_noabort+0x30/0x40
	23	[ 707.083481] ipip6_rcv+0x1678/0x16e0 [sit]
	24	[ 707.132623] tunnel64_rcv+0xd4/0x200 [tunnel4]
	25	[ 707.185940] ip_local_deliver_finish+0x3b8/0x988
	26	[ 707.241338] ip_local_deliver+0x144/0x470
	27	[ 707.289436] ip_rcv_finish+0x43c/0x14b0
	28	[ 707.335447] ip_rcv+0x628/0x1138
	29	[ 707.374151] __netif_receive_skb_core+0x1670/0x2600
	30	[ 707.432680] __netif_receive_skb+0x28/0x190
	31	[ 707.482859] process_backlog+0x1d0/0x610
	32	[ 707.529913] net_rx_action+0x37c/0xf68
	33	[ 707.574882] __do_softirq+0x288/0x1018
	34	[ 707.619852] run_ksoftirqd+0x70/0xa8
	35	[ 707.662734] smpboot_thread_fn+0x3a4/0x9e8
	36	[ 707.711875] kthread+0x2c8/0x350
	37	[ 707.750583] ret_from_fork+0x10/0x18
	38
	39	[ 707.811302] Allocated by task 16982:
	40	[ 707.854182] kasan_kmalloc.part.1+0x40/0x108
	41	[ 707.905405] kasan_kmalloc+0xb4/0xc8
	42	[ 707.948291] kasan_slab_alloc+0x14/0x20
	43	[ 707.994309] __kmalloc_node_track_caller+0x158/0x5e0
	44	[ 708.053902] __kmalloc_reserve.isra.8+0x54/0xe0
	45	[ 708.108280] __alloc_skb+0xd8/0x400
	46	[ 708.150139] sk_stream_alloc_skb+0xa4/0x638
	47	[ 708.200346] tcp_sendmsg_locked+0x818/0x2b90
	48	[ 708.251581] tcp_sendmsg+0x40/0x60
	49	[ 708.292376] inet_sendmsg+0xf0/0x520
	50	[ 708.335259] sock_sendmsg+0xac/0xf8
	51	[ 708.377096] sock_write_iter+0x1c0/0x2c0
	52	[ 708.424154] new_sync_write+0x358/0x4a8
	53	[ 708.470162] __vfs_write+0xc4/0xf8
	54	[ 708.510950] vfs_write+0x12c/0x3d0
	55	[ 708.551739] ksys_write+0xcc/0x178
	56	[ 708.592533] __arm64_sys_write+0x70/0xa0
	57	[ 708.639593] el0_svc_handler+0x13c/0x298
	58	[ 708.686646] el0_svc+0x8/0xc
	59
	60	[ 708.739019] Freed by task 17:
	61	[ 708.774597] __kasan_slab_free+0x114/0x228
	62	[ 708.823736] kasan_slab_free+0x10/0x18
	63	[ 708.868703] kfree+0x100/0x3d8
	64	[ 708.905320] skb_free_head+0x7c/0x98
65	[ 708.948204] skb_release_data+0x320/0x490
66	[ 708.996301] pskb_expand_head+0x60c/0x970
67	[ 709.044399] __iptunnel_pull_header+0x3b8/0x5d0
68	[ 709.098770] ipip6_rcv+0x41c/0x16e0 [sit]
69	[ 709.146873] tunnel64_rcv+0xd4/0x200 [tunnel4]
70	[ 709.200195] ip_local_deliver_finish+0x3b8/0x988
71	[ 709.255596] ip_local_deliver+0x144/0x470
72	[ 709.303692] ip_rcv_finish+0x43c/0x14b0
73	[ 709.349705] ip_rcv+0x628/0x1138
74	[ 709.388413] __netif_receive_skb_core+0x1670/0x2600
75	[ 709.446943] __netif_receive_skb+0x28/0x190
76	[ 709.497120] process_backlog+0x1d0/0x610
77	[ 709.544169] net_rx_action+0x37c/0xf68
78	[ 709.589131] __do_softirq+0x288/0x1018
79
80	[ 709.651938] The buggy address belongs to the object at ffffe01b6bd85580
81	which belongs to the cache kmalloc-1024 of size 1024
82	[ 709.804356] The buggy address is located 117 bytes inside of
83	1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
84	[ 709.946340] The buggy address belongs to the page:
85	[ 710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
86	[ 710.099914] flags: 0xfffff8000000100(slab)
87	[ 710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
88	[ 710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
89	[ 710.334966] page dumped because: kasan: bad access detected
90
91	Fix it resetting iph pointer after iptunnel_pull_header
92
93	Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
94	Tested-by: Jianlin Shi <jishi@redhat.com>
95	Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
96	Signed-off-by: David S. Miller <davem@davemloft.net>
97	Signed-off-by: Sasha Levin <sashal@kernel.org>
98	---
99	net/ipv6/sit.c \| 4 ++++
100	1 file changed, 4 insertions(+)
101
102	diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
103	index de9aa5cb295c..8f6cf8e6b5c1 100644
104	--- a/net/ipv6/sit.c
105	+++ b/net/ipv6/sit.c
106	@@ -669,6 +669,10 @@ static int ipip6_rcv(struct sk_buff *skb)
107	!net_eq(tunnel->net, dev_net(tunnel->dev))))
108	goto out;
109
110	+ /* skb can be uncloned in iptunnel_pull_header, so
111	+ * old iph is no longer valid
112	+ */
113	+ iph = (const struct iphdr *)skb_mac_header(skb);
114	err = IP_ECN_decapsulate(iph, skb);
115	if (unlikely(err)) {
116	if (log_ecn_error)
117	--
118	2.19.1
119