linux

iv/linux

History

Alexey Kodanev 1625f45299 net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key Running LTP 'icmp-uni-basic.sh -6 -p ipcomp -m tunnel' test over openvswitch + veth can trigger kernel panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000000e0 IP: [<ffffffff8169d1d2>] xfrm_input+0x82/0x750 ... [<ffffffff816d472e>] xfrm6_rcv_spi+0x1e/0x20 [<ffffffffa082c3c2>] xfrm6_tunnel_rcv+0x42/0x50 [xfrm6_tunnel] [<ffffffffa082727e>] tunnel6_rcv+0x3e/0x8c [tunnel6] [<ffffffff8169f365>] ip6_input_finish+0xd5/0x430 [<ffffffff8169fc53>] ip6_input+0x33/0x90 [<ffffffff8169f1d5>] ip6_rcv_finish+0xa5/0xb0 ... It seems that tunnel.ip6 can have garbage values and also dereferenced without a proper check, only tunnel.ip4 is being verified. Fix it by adding one more if block for AF_INET6 and initialize tunnel.ip6 with NULL inside xfrm6_rcv_spi() (which is similar to xfrm4_rcv_spi()). Fixes: `049f8e2` ("xfrm: Override skb->mark with tunnel->parm.i_key in xfrm_input") Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>		2016-08-11 13:15:57 +02:00
..
ila	ila: ipv6/ila: fix nlsize calculation for lwtunnel	2016-05-10 16:00:25 -04:00
netfilter	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2016-06-01 17:54:19 -07:00
addrconf_core.c
addrconf.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2016-04-27 15:43:10 -04:00
addrlabel.c	ipv6/addrlabel: fix ip6addrlbl_get()	2015-12-22 15:57:54 -05:00
af_inet6.c	udp: Add GRO functions to UDP socket	2016-04-07 16:53:29 -04:00
ah6.c
anycast.c
datagram.c	sock: propagate __sock_cmsg_send() error	2016-05-16 13:46:23 -04:00
esp6.c
exthdrs_core.c	ipv6: re-enable fragment header matching in ipv6_find_hdr	2016-03-03 16:35:20 -05:00
exthdrs_offload.c
exthdrs.c	ipv6: rename IP6_INC_STATS_BH()	2016-04-27 22:48:24 -04:00
fib6_rules.c	ipv6: fix the incorrect return value of throw route	2015-10-23 02:38:18 -07:00
fou6.c	fou: add Kconfig options for IPv6 support	2016-05-29 22:24:21 -07:00
icmp.c	ipv6: fix endianness error in icmpv6_err	2016-06-14 15:24:35 -04:00
inet6_connection_sock.c	soreuseport: fast reuseport TCP socket selection	2016-02-11 03:54:15 -05:00
inet6_hashtables.c	net: rename NET_{ADD\|INC}_STATS_BH()	2016-04-27 22:48:24 -04:00
ip6_checksum.c	ipv6: fix checksum annotation in udp6_csum_init	2016-06-14 15:26:42 -04:00
ip6_fib.c	ipv6: Fix mem leak in rt6i_pcpu	2016-07-05 14:09:23 -07:00
ip6_flowlabel.c	ipv6: add new struct ipcm6_cookie	2016-05-03 16:08:14 -04:00
ip6_gre.c	gre: fix error handler	2016-06-15 22:15:21 -07:00
ip6_icmp.c
ip6_input.c	ipv6: Change "final" protocol processing for encapsulation	2016-05-20 18:03:16 -04:00
ip6_offload.c	ip4ip6: Support for GSO/GRO	2016-05-20 18:03:17 -04:00
ip6_offload.h	udp: Add GRO functions to UDP socket	2016-04-07 16:53:29 -04:00
ip6_output.c	ipv6: Skip XFRM lookup if dst_entry in socket cache is valid	2016-06-08 11:16:06 -07:00
ip6_tunnel.c	ipv6: Don't reset inner headers in ip6_tnl_xmit	2016-05-20 18:03:17 -04:00
ip6_udp_tunnel.c	ip_tunnel: add support for setting flow label via collect metadata	2016-03-11 15:14:26 -05:00
ip6_vti.c	net: replace dst_cache ip6_tunnel implementation with the generic one	2016-02-16 20:21:48 -05:00
ip6mr.c	ipmr/ip6mr: Initialize the last assert time of mfc entries.	2016-06-28 04:14:09 -04:00
ipcomp6.c
ipv6_sockglue.c	ipv6: add new struct ipcm6_cookie	2016-05-03 16:08:14 -04:00
Kconfig	fou: fix IPv6 Kconfig options	2016-05-31 14:07:49 -07:00
Makefile	fou: fix IPv6 Kconfig options	2016-05-31 14:07:49 -07:00
mcast_snoop.c
mcast.c	mld, igmp: Fix reserved tailroom calculation	2016-03-03 15:41:07 -05:00
mip6.c	ipv6: use ktime_t for internal timestamps	2015-10-05 03:16:47 -07:00
ndisc.c	ipv6: add option to drop unsolicited neighbor advertisements	2016-02-11 04:27:36 -05:00
netfilter.c	ipv6: Pass struct net into ip6_route_me_harder	2015-09-29 20:21:32 +02:00
output_core.c	ipv4, ipv6: Pass net into ip_local_out and ip6_local_out	2015-10-08 04:27:02 -07:00
ping.c	ipv6: add new struct ipcm6_cookie	2016-05-03 16:08:14 -04:00
proc.c
protocol.c
raw.c	ipv6: add new struct ipcm6_cookie	2016-05-03 16:08:14 -04:00
reassembly.c	ipv6: rename IP6_INC_STATS_BH()	2016-04-27 22:48:24 -04:00
route.c	ipv6: enforce egress device match in per table nexthop lookups	2016-06-27 10:37:20 -04:00
sit.c	sit: correct IP protocol used in ipip6_err	2016-06-16 17:10:30 -07:00
syncookies.c	net: rename NET_{ADD\|INC}_STATS_BH()	2016-04-27 22:48:24 -04:00
sysctl_net_ipv6.c
tcp_ipv6.c	ipv6: tcp: fix endianness annotation in tcp_v6_send_response	2016-06-14 15:25:35 -04:00
tcpv6_offload.c
tunnel6.c	ipv6: fix tunnel error handling	2015-11-03 10:52:13 -05:00
udp_impl.h
udp_offload.c	gso: Remove arbitrary checks for unsupported GSO	2016-05-20 18:03:15 -04:00
udp.c	udp: prevent bugcheck if filter truncates packet too much	2016-07-11 12:43:15 -07:00
udplite.c
xfrm6_input.c	net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key	2016-08-11 13:15:57 +02:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c	ipv6: update skb->csum when CE mark is propagated	2016-01-15 15:07:23 -05:00
xfrm6_output.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2015-10-24 06:54:12 -07:00
xfrm6_policy.c	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec	2015-12-22 16:26:31 -05:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c