git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - queue-4.19/ipv6-sit-reset-ip-header-pointer-in-ipip6_rcv.patch
From 446c142fa696959344b61879443d8b381cab7242 Mon Sep 17 00:00:00 2001
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Date: Thu, 4 Apr 2019 16:37:53 +0200
Subject: ipv6: sit: reset ip header pointer in ipip6_rcv

[ Upstream commit bb9bd814ebf04f579be466ba61fc922625508807 ]

ipip6 tunnels run iptunnel_pull_header on received skbs. This can
determine the following use-after-free accessing iph pointer since
the packet will be 'uncloned' running pskb_expand_head if it is a
cloned gso skb (e.g. if the packet has been sent through a veth device)

[ 706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
[ 706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
[ 706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
[ 706.771839] Call trace:
[ 706.801159] dump_backtrace+0x0/0x2f8
[ 706.845079] show_stack+0x24/0x30
[ 706.884833] dump_stack+0xe0/0x11c
[ 706.925629] print_address_description+0x68/0x260
[ 706.982070] kasan_report+0x178/0x340
[ 707.025995] __asan_report_load1_noabort+0x30/0x40
[ 707.083481] ipip6_rcv+0x1678/0x16e0 [sit]
[ 707.132623] tunnel64_rcv+0xd4/0x200 [tunnel4]
[ 707.185940] ip_local_deliver_finish+0x3b8/0x988
[ 707.241338] ip_local_deliver+0x144/0x470
[ 707.289436] ip_rcv_finish+0x43c/0x14b0
[ 707.335447] ip_rcv+0x628/0x1138
[ 707.374151] __netif_receive_skb_core+0x1670/0x2600
[ 707.432680] __netif_receive_skb+0x28/0x190
[ 707.482859] process_backlog+0x1d0/0x610
[ 707.529913] net_rx_action+0x37c/0xf68
[ 707.574882] __do_softirq+0x288/0x1018
[ 707.619852] run_ksoftirqd+0x70/0xa8
[ 707.662734] smpboot_thread_fn+0x3a4/0x9e8
[ 707.711875] kthread+0x2c8/0x350
[ 707.750583] ret_from_fork+0x10/0x18

[ 707.811302] Allocated by task 16982:
[ 707.854182] kasan_kmalloc.part.1+0x40/0x108
[ 707.905405] kasan_kmalloc+0xb4/0xc8
[ 707.948291] kasan_slab_alloc+0x14/0x20
[ 707.994309] __kmalloc_node_track_caller+0x158/0x5e0
[ 708.053902] __kmalloc_reserve.isra.8+0x54/0xe0
[ 708.108280] __alloc_skb+0xd8/0x400
[ 708.150139] sk_stream_alloc_skb+0xa4/0x638
[ 708.200346] tcp_sendmsg_locked+0x818/0x2b90
[ 708.251581] tcp_sendmsg+0x40/0x60
[ 708.292376] inet_sendmsg+0xf0/0x520
[ 708.335259] sock_sendmsg+0xac/0xf8
[ 708.377096] sock_write_iter+0x1c0/0x2c0
[ 708.424154] new_sync_write+0x358/0x4a8
[ 708.470162] __vfs_write+0xc4/0xf8
[ 708.510950] vfs_write+0x12c/0x3d0
[ 708.551739] ksys_write+0xcc/0x178
[ 708.592533] __arm64_sys_write+0x70/0xa0
[ 708.639593] el0_svc_handler+0x13c/0x298
[ 708.686646] el0_svc+0x8/0xc

[ 708.739019] Freed by task 17:
[ 708.774597] __kasan_slab_free+0x114/0x228
[ 708.823736] kasan_slab_free+0x10/0x18
[ 708.868703] kfree+0x100/0x3d8
[ 708.905320] skb_free_head+0x7c/0x98
[ 708.948204] skb_release_data+0x320/0x490
[ 708.996301] pskb_expand_head+0x60c/0x970
[ 709.044399] __iptunnel_pull_header+0x3b8/0x5d0
[ 709.098770] ipip6_rcv+0x41c/0x16e0 [sit]
[ 709.146873] tunnel64_rcv+0xd4/0x200 [tunnel4]
[ 709.200195] ip_local_deliver_finish+0x3b8/0x988
[ 709.255596] ip_local_deliver+0x144/0x470
[ 709.303692] ip_rcv_finish+0x43c/0x14b0
[ 709.349705] ip_rcv+0x628/0x1138
[ 709.388413] __netif_receive_skb_core+0x1670/0x2600
[ 709.446943] __netif_receive_skb+0x28/0x190
[ 709.497120] process_backlog+0x1d0/0x610
[ 709.544169] net_rx_action+0x37c/0xf68
[ 709.589131] __do_softirq+0x288/0x1018

[ 709.651938] The buggy address belongs to the object at ffffe01b6bd85580
which belongs to the cache kmalloc-1024 of size 1024
[ 709.804356] The buggy address is located 117 bytes inside of
1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
[ 709.946340] The buggy address belongs to the page:
[ 710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
[ 710.099914] flags: 0xfffff8000000100(slab)
[ 710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
[ 710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
[ 710.334966] page dumped because: kasan: bad access detected

Fix it by resetting the iph pointer after iptunnel_pull_header

Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
Tested-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/sit.c | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index de9aa5cb295c..8f6cf8e6b5c1 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -669,6 +669,10 @@ static int ipip6_rcv(struct sk_buff *skb)
!net_eq(tunnel->net, dev_net(tunnel->dev))))
goto out;

+ /* skb can be uncloned in iptunnel_pull_header, so
+ * old iph is no longer valid
+ */
+ iph = (const struct iphdr *)skb_mac_header(skb);
err = IP_ECN_decapsulate(iph, skb);
if (unlikely(err)) {
if (log_ecn_error)
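Review bot: the new comment says why the cached iph is stale but not why skb_mac_header(skb) is the right replacement; from this hunk alone a reader cannot tell that the mac header offset is expected to point at the outer IPv4 header at this point in ipip6_rcv. Suggest extending the comment along the lines of `/* skb can be uncloned in iptunnel_pull_header, so old iph is no longer valid; the outer IPv4 header is at the mac header offset */`. Since the commit message states that pskb_expand_head replaces the skb data buffer, it is also worth confirming that iph is the only pointer into skb data taken before the iptunnel_pull_header call and used after it; only the IP_ECN_decapsulate use visible here is covered by this hunk.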
--
2.19.1

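The failure mode the commit message describes, reduced to a user-space model as an added example (this is not kernel code and not part of the patch): `struct toy_skb`, `toy_iptunnel_pull_header()` and the other names are made-up stand-ins for sk_buff, the iptunnel_pull_header()/pskb_expand_head() path and the pre-fix and fixed handling of iph in ipip6_rcv(). The cached-pointer variant reads poison after the model reallocates head; re-deriving the pointer from the mac header offset, as the hunk does, reads the real header.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of the sk_buff fields involved (constructed, not the kernel's struct).
 * Header offsets survive a reallocation of head; a cached pointer does not. */
struct toy_skb {
	unsigned char *head;  /* packet buffer */
	size_t len;
	size_t mac_header;    /* offset of the outer IPv4 header within head */
	int cloned;           /* head is shared with another skb */
};

/* Model of iptunnel_pull_header() reaching pskb_expand_head(): a cloned skb gets
 * a private copy of its data and the old head is released. The kernel frees it;
 * here it is filled with 0xAA and leaked so a stale read is observable safely. */
static int toy_iptunnel_pull_header(struct toy_skb *skb)
{
	if (!skb->cloned) return 0;
	unsigned char *nhead = malloc(skb->len);
	if (!nhead) return -1;
	memcpy(nhead, skb->head, skb->len);
	memset(skb->head, 0xAA, skb->len);
	skb->head = nhead;
	skb->cloned = 0;
	return 0;
}

/* Pre-fix pattern: iph taken before the pull, used after it. Returns outer TOS (IPv4 byte 1). */
static int tos_with_cached_iph(struct toy_skb *skb)
{
	const unsigned char *iph = skb->head + skb->mac_header;
	if (toy_iptunnel_pull_header(skb)) return -1;
	return iph[1];
}

/* Fixed pattern: re-derive iph from the mac header offset after the pull. */
static int tos_with_reset_iph(struct toy_skb *skb)
{
	if (toy_iptunnel_pull_header(skb)) return -1;
	return (skb->head + skb->mac_header)[1];
}

/* Constructed cloned skb: 20-byte IPv4 header with the given TOS plus 8 bytes of payload. */
static struct toy_skb make_cloned_skb(unsigned char tos)
{
	struct toy_skb skb = { .head = calloc(28, 1), .len = 28, .cloned = 1 };
	skb.head[0] = 0x45;
	skb.head[1] = tos;
	return skb;
}
```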