iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/ipv6
History
Taehee Yoo 5d407b071d ip: frags: fix crash in ip_do_fragment() 
A kernel crash occurrs when defragmented packet is fragmented
in ip_do_fragment().
In defragment routine, skb_orphan() is called and
skb->ip_defrag_offset is set. but skb->sk and
skb->ip_defrag_offset are same union member. so that
frag->sk is not NULL.
Hence crash occurrs in skb->sk check routine in ip_do_fragment() when
defragmented packet is fragmented.

test commands:
   %iptables -t nat -I POSTROUTING -j MASQUERADE
   %hping3 192.168.4.2 -s 1000 -p 2000 -d 60000

splat looks like:
[  261.069429] kernel BUG at net/ipv4/ip_output.c:636!
[  261.075753] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  261.083854] CPU: 1 PID: 1349 Comm: hping3 Not tainted 4.19.0-rc2+ #3
[  261.100977] RIP: 0010:ip_do_fragment+0x1613/0x2600
[  261.106945] Code: e8 e2 38 e3 fe 4c 8b 44 24 18 48 8b 74 24 08 e9 92 f6 ff ff 80 3c 02 00 0f 85 da 07 00 00 48 8b b5 d0 00 00 00 e9 25 f6 ff ff <0f> 0b 0f 0b 44 8b 54 24 58 4c 8b 4c 24 18 4c 8b 5c 24 60 4c 8b 6c
[  261.127015] RSP: 0018:ffff8801031cf2c0 EFLAGS: 00010202
[  261.134156] RAX: 1ffff1002297537b RBX: ffffed0020639e6e RCX: 0000000000000004
[  261.142156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880114ba9bd8
[  261.150157] RBP: ffff880114ba8a40 R08: ffffed0022975395 R09: ffffed0022975395
[  261.158157] R10: 0000000000000001 R11: ffffed0022975394 R12: ffff880114ba9ca4
[  261.166159] R13: 0000000000000010 R14: ffff880114ba9bc0 R15: dffffc0000000000
[  261.174169] FS:  00007fbae2199700(0000) GS:ffff88011b400000(0000) knlGS:0000000000000000
[  261.183012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.189013] CR2: 00005579244fe000 CR3: 0000000119bf4000 CR4: 00000000001006e0
[  261.198158] Call Trace:
[  261.199018]  ? dst_output+0x180/0x180
[  261.205011]  ? save_trace+0x300/0x300
[  261.209018]  ? ip_copy_metadata+0xb00/0xb00
[  261.213034]  ? sched_clock_local+0xd4/0x140
[  261.218158]  ? kill_l4proto+0x120/0x120 [nf_conntrack]
[  261.223014]  ? rt_cpu_seq_stop+0x10/0x10
[  261.227014]  ? find_held_lock+0x39/0x1c0
[  261.233008]  ip_finish_output+0x51d/0xb50
[  261.237006]  ? ip_fragment.constprop.56+0x220/0x220
[  261.243011]  ? nf_ct_l4proto_register_one+0x5b0/0x5b0 [nf_conntrack]
[  261.250152]  ? rcu_is_watching+0x77/0x120
[  261.255010]  ? nf_nat_ipv4_out+0x1e/0x2b0 [nf_nat_ipv4]
[  261.261033]  ? nf_hook_slow+0xb1/0x160
[  261.265007]  ip_output+0x1c7/0x710
[  261.269005]  ? ip_mc_output+0x13f0/0x13f0
[  261.273002]  ? __local_bh_enable_ip+0xe9/0x1b0
[  261.278152]  ? ip_fragment.constprop.56+0x220/0x220
[  261.282996]  ? nf_hook_slow+0xb1/0x160
[  261.287007]  raw_sendmsg+0x21f9/0x4420
[  261.291008]  ? dst_output+0x180/0x180
[  261.297003]  ? sched_clock_cpu+0x126/0x170
[  261.301003]  ? find_held_lock+0x39/0x1c0
[  261.306155]  ? stop_critical_timings+0x420/0x420
[  261.311004]  ? check_flags.part.36+0x450/0x450
[  261.315005]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.320995]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.326142]  ? cyc2ns_read_end+0x10/0x10
[  261.330139]  ? raw_bind+0x280/0x280
[  261.334138]  ? sched_clock_cpu+0x126/0x170
[  261.338995]  ? check_flags.part.36+0x450/0x450
[  261.342991]  ? __lock_acquire+0x4500/0x4500
[  261.348994]  ? inet_sendmsg+0x11c/0x500
[  261.352989]  ? dst_output+0x180/0x180
[  261.357012]  inet_sendmsg+0x11c/0x500
[ ... ]

v2:
 - clear skb->sk at reassembly routine.(Eric Dumarzet)

Fixes: fa0f527358bd ("ip: use rb trees for IP frag queue.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-09 14:50:56 -07:00
..
ila
ila: remove blank lines at EOF
2018-07-24 14:10:42 -07:00
netfilter
ip: frags: fix crash in ip_do_fragment()
2018-09-09 14:50:56 -07:00
addrconf_core.c
net/ipv6: Add helper to return path MTU based on fib result
2018-05-22 10:51:09 +02:00
addrconf.c
addrconf: reduce unnecessary atomic allocations
2018-08-22 21:42:07 -07:00
addrlabel.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
af_inet6.c
ipv6: fix cleanup ordering for pingv6 registration
2018-08-29 19:28:55 -07:00
ah6.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-11-15 11:56:19 -08:00
anycast.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2018-06-06 18:39:49 -07:00
calipso.c
ipv6: make ipv6_renew_options() interrupt/kernel safe
2018-07-05 20:15:26 +09:00
datagram.c
net: add helpers checking if socket can be bound to nonlocal address
2018-08-01 09:50:04 -07:00
esp6_offload.c
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next
2018-07-27 09:33:37 -07:00
esp6.c
esp6: fix memleak on error path in esp6_input
2018-06-27 17:32:11 +02:00
exthdrs_core.c
net: ipv6: Fix typo in ipv6_find_hdr() documentation
2018-05-07 23:50:27 -04:00
exthdrs_offload.c
exthdrs.c
ipv6: make ipv6_renew_options() interrupt/kernel safe
2018-07-05 20:15:26 +09:00
fib6_notifier.c
net: Add module reference to FIB notifiers
2017-09-01 20:33:42 -07:00
fib6_rules.c
net/ipv6: Add fib6_lookup
2018-05-11 00:10:56 +02:00
fou6.c
fou: make local function static
2017-05-21 13:42:36 -04:00
icmp.c
ipv6: Add icmp_echo_ignore_all support for ICMPv6
2018-08-13 08:42:25 -07:00
inet6_connection_sock.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-01-28 10:33:06 -05:00
inet6_hashtables.c
bpf: Enable BPF_PROG_TYPE_SK_REUSEPORT bpf prog in reuseport selection
2018-08-11 01:58:46 +02:00
ip6_checksum.c
udplite: fix partial checksum initialization
2018-02-16 15:57:42 -05:00
ip6_fib.c
net/ipv6: Only update MTU metric if it set
2018-09-02 14:03:54 -07:00
ip6_flowlabel.c
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
ip6_gre.c
erspan: set erspan_ver to 1 by default when adding an erspan dev
2018-08-27 15:13:17 -07:00
ip6_icmp.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ip6_input.c
net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()
2018-07-06 11:19:07 +09:00
ip6_offload.c
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
ip6_offload.h
ip6_output.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-24 19:21:58 -07:00
ip6_tunnel.c
ip6_tunnel: respect ttl inherit for ip6tnl
2018-09-03 19:04:12 -07:00
ip6_udp_tunnel.c
ip6_vti.c
vti6: remove !skb->ignore_df check from vti6_xmit()
2018-08-29 17:51:44 -07:00
ip6mr.c
rhashtable: split rhashtable.h
2018-06-22 13:43:27 +09:00
ipcomp6.c
ipv6_sockglue.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/torvalds/linux
2018-07-20 21:17:12 -07:00
Kconfig
net: remove blank lines at end of file
2018-07-24 14:10:43 -07:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mcast_snoop.c
mcast.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-24 19:21:58 -07:00
mip6.c
ktime: Get rid of ktime_equal()
2016-12-25 17:21:23 +01:00
ndisc.c
ipv6: make DAD fail with enhanced DAD when nonce length differs
2018-07-16 13:45:16 -07:00
netfilter.c
netfilter: utils: move nf_ip6_checksum* from ipv6 to utils
2018-07-16 17:51:48 +02:00
output_core.c
net: accept UFO datagrams from tuntap and packet
2017-11-24 01:37:35 +09:00
ping.c
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
proc.c
proc: introduce proc_create_net_single
2018-05-16 07:24:30 +02:00
protocol.c
net: Add sysctl to toggle early demux for tcp and udp
2017-03-24 13:17:07 -07:00
raw.c
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
reassembly.c
ipv6: defrag: drop non-last frags smaller than min mtu
2018-08-05 17:21:14 -07:00
route.c
ipv6: don't get lwtstate twice in ip6_rt_copy_init()
2018-09-01 17:42:12 -07:00
seg6_hmac.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
seg6_iptunnel.c
ipv6: sr: fix useless rol32 call on hash
2018-07-18 15:10:47 -07:00
seg6_local.c
bpf: add End.DT6 action to bpf_lwt_seg6_action helper
2018-07-31 09:22:48 +02:00
seg6.c
rhashtable: split rhashtable.h
2018-06-22 13:43:27 +09:00
sit.c
ip6_tunnel: remove magic mtu value 0xFFF8
2018-06-01 13:56:30 -04:00
syncookies.c
net/ipv4: disable SMC TCP option with SYN Cookies
2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c
ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode
2018-04-25 13:02:15 -04:00
tcp_ipv6.c
net/ipv6: Fix linklocal to global address with VRF
2018-07-21 19:31:46 -07:00
tcpv6_offload.c
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
tunnel6.c
udp_impl.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
udp_offload.c
net: Convert GRO SKB handling to list_head.
2018-06-26 11:33:04 +09:00
udp.c
bpf: Enable BPF_PROG_TYPE_SK_REUSEPORT bpf prog in reuseport selection
2018-08-11 01:58:46 +02:00
udplite.c
proc: introduce proc_create_net{,_data}
2018-05-16 07:24:30 +02:00
xfrm6_input.c
xfrm: Reinject transport-mode packets through tasklet
2017-12-19 08:23:21 +01:00
xfrm6_mode_beet.c
networking: make skb_pull & friends return void pointers
2017-06-16 11:48:39 -04:00
xfrm6_mode_ro.c
ipv6: xfrm: use 64-bit timestamps
2018-07-11 15:26:35 +02:00
xfrm6_mode_transport.c
ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt()
2017-06-02 13:57:27 -04:00
xfrm6_mode_tunnel.c
xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
2018-03-07 10:54:29 +01:00
xfrm6_output.c
net: xfrm: use skb_gso_validate_network_len() to check gso sizes
2018-03-04 17:49:17 -05:00
xfrm6_policy.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-06-03 09:31:58 -04:00
xfrm6_protocol.c
xfrm: input: constify xfrm_input_afinfo
2017-02-09 10:22:17 +01:00
xfrm6_state.c
xfrm: remove VLA usage in __xfrm6_sort()
2018-04-26 07:51:48 +02:00
xfrm6_tunnel.c
xfrm: Fix warning in xfrm6_tunnel_net_exit.
2018-04-16 07:50:09 +02:00