iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet da23bd709b ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() 
[ Upstream commit d375b98e0248980681e5e56b712026174d617198 ]

syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken.

Reading frag_off can only be done if we pulled enough bytes
to skb->head. Currently we might access garbage.

[1]
BUG: KMSAN: uninit-value in ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
ip6_tnl_parse_tlv_enc_lim+0x94f/0xbb0
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
__kmem_cache_alloc_node+0x5c9/0x970 mm/slub.c:3517
__do_kmalloc_node mm/slab_common.c:1006 [inline]
__kmalloc_node_track_caller+0x118/0x3c0 mm/slab_common.c:1027
kmalloc_reserve+0x249/0x4a0 net/core/skbuff.c:582
pskb_expand_head+0x226/0x1a00 net/core/skbuff.c:2098
__pskb_pull_tail+0x13b/0x2310 net/core/skbuff.c:2655
pskb_may_pull_reason include/linux/skbuff.h:2673 [inline]
pskb_may_pull include/linux/skbuff.h:2681 [inline]
ip6_tnl_parse_tlv_enc_lim+0x901/0xbb0 net/ipv6/ip6_tunnel.c:408
ipxip6_tnl_xmit net/ipv6/ip6_tunnel.c:1326 [inline]
ip6_tnl_start_xmit+0xab2/0x1a70 net/ipv6/ip6_tunnel.c:1432
__netdev_start_xmit include/linux/netdevice.h:4940 [inline]
netdev_start_xmit include/linux/netdevice.h:4954 [inline]
xmit_one net/core/dev.c:3548 [inline]
dev_hard_start_xmit+0x247/0xa10 net/core/dev.c:3564
__dev_queue_xmit+0x33b8/0x5130 net/core/dev.c:4349
dev_queue_xmit include/linux/netdevice.h:3134 [inline]
neigh_connected_output+0x569/0x660 net/core/neighbour.c:1592
neigh_output include/net/neighbour.h:542 [inline]
ip6_finish_output2+0x23a9/0x2b30 net/ipv6/ip6_output.c:137
ip6_finish_output+0x855/0x12b0 net/ipv6/ip6_output.c:222
NF_HOOK_COND include/linux/netfilter.h:303 [inline]
ip6_output+0x323/0x610 net/ipv6/ip6_output.c:243
dst_output include/net/dst.h:451 [inline]
ip6_local_out+0xe9/0x140 net/ipv6/output_core.c:155
ip6_send_skb net/ipv6/ip6_output.c:1952 [inline]
ip6_push_pending_frames+0x1f9/0x560 net/ipv6/ip6_output.c:1972
rawv6_push_pending_frames+0xbe8/0xdf0 net/ipv6/raw.c:582
rawv6_sendmsg+0x2b66/0x2e70 net/ipv6/raw.c:920
inet_sendmsg+0x105/0x190 net/ipv4/af_inet.c:847
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2584
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2638
__sys_sendmsg net/socket.c:2667 [inline]
__do_sys_sendmsg net/socket.c:2676 [inline]
__se_sys_sendmsg net/socket.c:2674 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2674
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 7345 Comm: syz-executor.3 Not tainted 6.7.0-rc8-syzkaller-00024-gac865f00af29 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

Fixes: fbfa743a9d2a ("ipv6: fix ip6_tnl_parse_tlv_enc_lim()")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-01-25 14:37:46 -08:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p/net: fix possible memory leak in p9_check_errors()
2024-01-05 15:12:29 +01:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
net: check vlan filter feature in vlan_vids_add_by_dev() and vlan_vids_del_by_dev()
2024-01-05 15:12:24 +01:00
appletalk
appletalk: Fix Use-After-Free in atalk_ioctl
2023-12-20 15:44:29 +01:00
atm
atm: Fix Use-After-Free in do_vcc_ioctl
2023-12-20 15:44:28 +01:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
net: vlan: introduce skb_vlan_eth_hdr()
2023-12-20 15:44:28 +01:00
bluetooth
Bluetooth: Fix bogus check for re-auth no supported with non-ssp
2024-01-25 14:37:46 -08:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
netfilter: nf_conntrack_bridge: initialize err to 0
2023-11-28 16:54:54 +00:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:45:11 +01:00
can
can: isotp: isotp_sendmsg(): fix TX state detection and wait behavior
2023-11-08 17:30:51 +01:00
ceph
libceph: use kernel_connect()
2023-10-25 11:54:15 +02:00
core
neighbour: Don't let neigh_forced_gc() disable preemption for long
2024-01-25 14:37:37 -08:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-11 11:57:50 +02:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:06:55 +01:00
decnet
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
dns_resolver
keys, dns: Fix missing size check of V1 server-list header
2024-01-15 18:48:03 +01:00
dsa
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
2023-07-27 08:44:10 +02:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: Prevent use after free in prp_create_tagged_frame()
2023-11-20 11:06:55 +01:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
net: sched: ife: fix potential use-after-free
2024-01-05 15:12:24 +01:00
ipv4
net: Remove acked SYN flag from packet in the transmit queue correctly
2023-12-20 15:44:28 +01:00
ipv6
ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim()
2024-01-25 14:37:46 -08:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:30:00 +01:00
kcm
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
2023-09-19 12:20:30 +02:00
key
net: af_key: fix sadb_x_filter validation
2023-08-26 15:26:51 +02:00
l2tp
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
2023-10-10 21:53:38 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
llc
llc: verify mac len before reading mac header
2023-11-20 11:06:55 +01:00
mac80211
wifi: mac80211: mesh_plink: fix matches_local logic
2024-01-05 15:12:23 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
mptcp: fix uninit-value in mptcp_incoming_options
2024-01-25 14:37:35 -08:00
ncsi
net/ncsi: Fix netlink major/minor version numbers
2024-01-25 14:37:44 -08:00
netfilter
netfilter: nf_tables: mark newset as dead on transaction abort
2024-01-25 14:37:46 -08:00
netlabel
calipso: fix memory leak in netlbl_calipso_add_pass()
2024-01-25 14:37:40 -08:00
netlink
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
2023-12-13 18:27:06 +01:00
netrom
netrom: Deny concurrent connect().
2023-09-19 12:20:10 +02:00
nfc
nfc: llcp_core: Hold a ref to llcp_local->dev when holding a ref to llcp_local
2024-01-15 18:48:03 +01:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-30 12:57:52 +01:00
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
packet: Move reference count in packet_sock to atomic_long_t
2023-12-13 18:27:03 +01:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 18:27:06 +01:00
qrtr
net: qrtr: ns: Return 0 if server port is not present
2024-01-25 14:37:38 -08:00
rds
net: prevent address rewrite in kernel_bind()
2023-10-25 11:54:13 +02:00
rfkill
net: rfkill: gpio: set GPIO direction
2024-01-05 15:12:28 +01:00
rose
net/rose: fix races in rose_kill_by_device()
2024-01-05 15:12:24 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:48:11 +02:00
sched
net: sched: em_text: fix possible memory leak in em_text_destroy()
2024-01-15 18:48:04 +01:00
sctp
sctp: update hb timer immediately after users change hb_interval
2023-10-10 21:53:39 +02:00
smc
net/smc: avoid data corruption caused by decline
2023-12-08 08:46:08 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
SUNRPC: Fix RPC client cleaned up the freed pipefs dentries
2023-11-28 16:54:53 +00:00
switchdev
tipc
tipc: Fix kernel-infoleak due to uninitialized TLV value
2023-11-28 16:54:54 +00:00
tls
net: tls, update curr on splice as well
2024-01-15 18:48:07 +01:00
unix
af_unix: Fix data-race around unix_tot_inflight.
2023-09-19 12:20:26 +02:00
vmw_vsock
virtio/vsock: fix logic which reduces credit update messages
2024-01-25 14:37:45 -08:00
wimax
wireless
wifi: cfg80211: fix certs build to not depend on file order
2024-01-05 15:12:27 +01:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Honor SO_BINDTODEVICE on bind
2023-07-27 08:44:09 +02:00
xfrm
xfrm: interface: use DEV_STATS_INC()
2023-10-25 11:54:19 +02:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
Makefile
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-15 18:48:04 +01:00
sysctl_net.c