iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Mike Maloney 749439bfac ipv6: fix udpv6 sendmsg crash caused by too small MTU 
The logic in __ip6_append_data() assumes that the MTU is at least large
enough for the headers.  A device's MTU may be adjusted after being
added while sendmsg() is processing data, resulting in
__ip6_append_data() seeing any MTU.  For an mtu smaller than the size of
the fragmentation header, the math results in a negative 'maxfraglen',
which causes problems when refragmenting any previous skb in the
skb_write_queue, leaving it possibly malformed.

Instead sendmsg returns EINVAL when the mtu is calculated to be less
than IPV6_MIN_MTU.

Found by syzkaller:
kernel BUG at ./include/linux/skbuff.h:2064!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 14216 Comm: syz-executor5 Not tainted 4.13.0-rc4+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffff8801d0b68580 task.stack: ffff8801ac6b8000
RIP: 0010:__skb_pull include/linux/skbuff.h:2064 [inline]
RIP: 0010:__ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617
RSP: 0018:ffff8801ac6bf570 EFLAGS: 00010216
RAX: 0000000000010000 RBX: 0000000000000028 RCX: ffffc90003cce000
RDX: 00000000000001b8 RSI: ffffffff839df06f RDI: ffff8801d9478ca0
RBP: ffff8801ac6bf780 R08: ffff8801cc3f1dbc R09: 0000000000000000
R10: ffff8801ac6bf7a0 R11: 43cb4b7b1948a9e7 R12: ffff8801cc3f1dc8
R13: ffff8801cc3f1d40 R14: 0000000000001036 R15: dffffc0000000000
FS:  00007f43d740c700(0000) GS:ffff8801dc100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7834984000 CR3: 00000001d79b9000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip6_finish_skb include/net/ipv6.h:911 [inline]
 udp_v6_push_pending_frames+0x255/0x390 net/ipv6/udp.c:1093
 udpv6_sendmsg+0x280d/0x31a0 net/ipv6/udp.c:1363
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x352/0x5a0 net/socket.c:1750
 SyS_sendto+0x40/0x50 net/socket.c:1718
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x4512e9
RSP: 002b:00007f43d740bc08 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000007180a8 RCX: 00000000004512e9
RDX: 000000000000002e RSI: 0000000020d08000 RDI: 0000000000000005
RBP: 0000000000000086 R08: 00000000209c1000 R09: 000000000000001c
R10: 0000000000040800 R11: 0000000000000216 R12: 00000000004b9c69
R13: 00000000ffffffff R14: 0000000000000005 R15: 00000000202c2000
Code: 9e 01 fe e9 c5 e8 ff ff e8 7f 9e 01 fe e9 4a ea ff ff 48 89 f7 e8 52 9e 01 fe e9 aa eb ff ff e8 a8 b6 cf fd 0f 0b e8 a1 b6 cf fd <0f> 0b 49 8d 45 78 4d 8d 45 7c 48 89 85 78 fe ff ff 49 8d 85 ba
RIP: __skb_pull include/linux/skbuff.h:2064 [inline] RSP: ffff8801ac6bf570
RIP: __ip6_make_skb+0x18cf/0x1f70 net/ipv6/ip6_output.c:1617 RSP: ffff8801ac6bf570

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Mike Maloney <maloney@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-15 13:28:18 -05:00
..
6lowpan
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
9p
9p: add missing module license for xen transport
2018-01-15 13:13:53 -05:00
802
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
8021q
8021q: fix a memory leak for VLAN 0 device
2018-01-10 15:31:07 -05:00
appletalk
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
atm
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
ax25
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
batman-adv
batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq
2017-12-04 11:47:33 +01:00
bluetooth
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
bpf
bpf: add meta pointer for direct access
2017-09-26 13:36:44 -07:00
bridge
net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
2017-12-18 13:29:01 -05:00
caif
caif_usb: use strlcpy() instead of strncpy()
2018-01-10 15:06:14 -05:00
can
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
ceph
We have a set of file locking improvements from Zheng, rbd rw/ro
2017-11-21 05:38:32 -10:00
core
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
2018-01-10 11:17:21 -05:00
dcb
rtnetlink: make rtnl_register accept a flags parameter
2017-08-09 16:57:38 -07:00
dccp
dccp: CVE-2017-8824: use-after-free in DCCP code
2017-12-05 18:08:53 -05:00
decnet
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
dns_resolver
KEYS: Fix race between updating and finding a negative key
2017-10-18 09:12:40 +01:00
dsa
net: remove duplicate includes
2017-12-13 13:18:46 -05:00
ethernet
networking: make skb_push & __skb_push return void pointers
2017-06-16 11:48:40 -04:00
hsr
net: hsr: Convert timers to use timer_setup()
2017-10-25 13:00:27 +09:00
ieee802154
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
ife
MAINTAINERS: Update Yotam's E-mail
2017-11-01 12:19:03 +09:00
ipv4
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
2018-01-12 10:32:49 -05:00
ipv6
ipv6: fix udpv6 sendmsg crash caused by too small MTU
2018-01-15 13:28:18 -05:00
ipx
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
iucv
iucv: Convert sk_wmem_alloc accesses to refcount_t.
2017-07-03 02:31:22 -07:00
kcm
make sock_alloc_file() do sock_release() on failures
2017-12-05 18:39:29 -05:00
key
af_key: Fix memory leak in key_notify_policy.
2018-01-10 09:45:11 +01:00
l2tp
l2tp: exit_net cleanup check added
2017-11-14 15:45:53 +09:00
l3mdev
lapb
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
llc
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-11-15 11:56:19 -08:00
mac80211
mac80211: mesh: drop frames appearing to be from us
2018-01-04 15:51:53 +01:00
mac802154
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
mpls
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
ncsi
treewide: setup_timer() -> timer_setup() (2 field)
2017-11-21 15:57:09 -08:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-01-08 20:21:39 -08:00
netlabel
net/netlabel: Add list_next_rcu() in rcu_dereference().
2017-11-18 10:32:41 +09:00
netlink
netlink: Add netns check on taps
2017-12-11 11:58:18 -05:00
netrom
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
nfc
treewide: setup_timer() -> timer_setup()
2017-11-21 15:57:07 -08:00
nsh
openvswitch: enable NSH support
2017-11-08 16:12:33 +09:00
openvswitch
openvswitch: Fix pop_vlan action for double tagged frames
2017-12-21 13:02:08 -05:00
packet
net/packet: fix a race in packet_bind() and packet_notifier()
2017-11-28 11:13:30 -05:00
phonet
phonet: exit_net cleanup check added
2017-11-14 15:45:53 +09:00
psample
MAINTAINERS: Update Yotam's E-mail
2017-11-01 12:19:03 +09:00
qrtr
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-10 10:00:18 +09:00
rds
RDS: null pointer dereference in rds_atomic_free_op
2018-01-04 14:19:26 -05:00
rfkill
net: rfkill: gpio: Switch to devm_acpi_dev_add_driver_gpios()
2017-06-13 11:07:51 +02:00
rose
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
rxrpc
rxrpc: Use correct netns source in rxrpc_release_sock()
2017-12-03 10:05:20 -05:00
sched
net/sched: Fix update of lastuse in act modules implementing stats_update
2018-01-02 13:27:52 -05:00
sctp
sctp: make use of pre-calculated len
2018-01-10 14:53:22 -05:00
smc
net/smc: Fix preinitialization of buf_desc in __smc_buf_create()
2017-11-24 01:33:34 +09:00
strparser
strparser: Call sock_owned_by_user_nocheck
2017-12-28 14:28:22 -05:00
sunrpc
NFS client fixes for Linux 4.15-rc4
2017-12-16 13:12:53 -08:00
switchdev
net: bridge: Add/del switchdev object on host join/leave
2017-11-10 13:41:40 +09:00
tipc
tipc: fix problems with multipoint-to-point flow control
2018-01-02 21:52:07 -05:00
tls
tls: don't override sk_write_space if tls_set_sw_offload fails.
2017-11-14 16:26:35 +09:00
unix
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
vmw_vsock
VSOCK: fix outdated sk_state value in hvs_release()
2017-12-05 15:07:37 -05:00
wimax
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wireless
nl80211: Check for the required netlink attribute presence
2018-01-04 15:22:02 +01:00
x25
treewide: Remove TIMER_FUNC_TYPE and TIMER_DATA_TYPE casts
2017-11-21 16:35:54 -08:00
xfrm
xfrm: Fix a race in the xdst pcpu cache.
2018-01-10 12:14:28 +01:00
compat.c
net: compat: assert the size of cmsg copied in is as expected
2017-09-20 15:36:18 -07:00
Kconfig
net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.
2017-09-04 13:25:20 +02:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
socket.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2018-01-10 17:55:42 -08:00
sysctl_net.c