iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b65f99b8b1ab2b583a373afe3d960ced192503a1
linux/net/ipv4
History
Alexey Kodanev 6689f83586 vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit 
[ Upstream commit 36f6ee22d2 ]

When running LTP IPsec tests, KASan might report:

BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
Read of size 4 at addr ffff880dc6ad1980 by task swapper/0/0
...
Call Trace:
  <IRQ>
  dump_stack+0x63/0x89
  print_address_description+0x7c/0x290
  kasan_report+0x28d/0x370
  ? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
  __asan_report_load4_noabort+0x19/0x20
  vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
  ? vti_init_net+0x190/0x190 [ip_vti]
  ? save_stack_trace+0x1b/0x20
  ? save_stack+0x46/0xd0
  dev_hard_start_xmit+0x147/0x510
  ? icmp_echo.part.24+0x1f0/0x210
  __dev_queue_xmit+0x1394/0x1c60
...
Freed by task 0:
  save_stack_trace+0x1b/0x20
  save_stack+0x46/0xd0
  kasan_slab_free+0x70/0xc0
  kmem_cache_free+0x81/0x1e0
  kfree_skbmem+0xb1/0xe0
  kfree_skb+0x75/0x170
  kfree_skb_list+0x3e/0x60
  __dev_queue_xmit+0x1298/0x1c60
  dev_queue_xmit+0x10/0x20
  neigh_resolve_output+0x3a8/0x740
  ip_finish_output2+0x5c0/0xe70
  ip_finish_output+0x4ba/0x680
  ip_output+0x1c1/0x3a0
  xfrm_output_resume+0xc65/0x13d0
  xfrm_output+0x1e4/0x380
  xfrm4_output_finish+0x5c/0x70

Can be fixed if we get skb->len before dst_output().

Fixes: b9959fd3b0 ("vti: switch to new ip tunnel code")
Fixes: 22e1b23daf ("vti6: Support inter address family tunneling.")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-12 11:51:22 +02:00
..
netfilter
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
2017-10-08 10:26:09 +02:00
af_inet.c
igmp: Fix regression caused by igmp sysctl namespace code.
2017-08-12 19:31:22 -07:00
ah4.c
ah4: Fix error return in ah_input().
2015-08-25 13:38:50 -07:00
arp.c
NET: Fix /proc/net/arp for AX.25
2017-06-17 06:41:50 +02:00
cipso_ipv4.c
netlabel: out of bound access in cipso_v4_validate()
2017-02-18 15:11:41 +01:00
datagram.c
net: Set sk_txhash from a random number
2015-07-29 22:44:04 -07:00
devinet.c
netconf: add a notif when settings are created
2016-09-01 15:18:08 -07:00
esp4.c
esp4: Fix integrity verification when ESN are used
2016-11-30 11:09:39 +01:00
fib_frontend.c
ipv4: initialize fib_trie prior to register_netdev_notifier call.
2017-08-11 08:49:32 -07:00
fib_lookup.h
ipv4: consider TOS in fib_select_default
2015-07-24 22:46:11 -07:00
fib_rules.c
switchdev: remove FIB offload infrastructure
2016-09-28 04:48:00 -04:00
fib_semantics.c
ipv4: fix NULL dereference in free_fib_info_rcu()
2017-08-30 10:21:39 +02:00
fib_trie.c
net: Improve handling of failures on link and route dumps
2017-06-07 12:07:44 +02:00
fou.c
net: add recursion limit to GRO
2016-10-20 14:32:22 -04:00
gre_demux.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-06-30 05:03:36 -04:00
gre_offload.c
net: add recursion limit to GRO
2016-10-20 14:32:22 -04:00
icmp.c
net: icmp_route_lookup should use rt dev to determine L3 domain
2016-11-09 18:49:39 -05:00
igmp.c
igmp: Fix regression caused by igmp sysctl namespace code.
2017-08-12 19:31:22 -07:00
inet_connection_sock.c
dccp/tcp: do not inherit mc_list from parent
2017-06-07 12:07:42 +02:00
inet_diag.c
net: inet: diag: expose the socket mark to privileged processes.
2016-09-08 16:13:09 -07:00
inet_fragment.c
Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
2017-09-20 08:19:55 +02:00
inet_hashtables.c
net: Require exact match for TCP socket lookups if dif is l3mdev
2016-10-17 10:17:05 -04:00
inet_timewait_sock.c
timers, net/ipv4/inet: Initialize connection request timers as pinned
2016-07-07 10:35:06 +02:00
inetpeer.c
net: Add helper function to compare inetpeer addresses
2015-08-28 13:32:36 -07:00
ip_forward.c
ipv4: allow local fragmentation in ip_finish_output_gso()
2016-11-03 16:10:26 -04:00
ip_fragment.c
Revert "net: fix percpu memory leaks"
2017-09-20 08:19:55 +02:00
ip_gre.c
net/ip_tunnels: Introduce tunnel_id_to_key32() and key32_to_tunnel_id()
2016-09-10 20:53:55 -07:00
ip_input.c
net: VRF: Pass original iif to ip_route_input()
2016-09-16 04:24:07 -04:00
ip_options.c
net: ipv4: Convert IP network timestamps to be y2038 safe
2016-03-01 17:18:44 -05:00
ip_output.c
udp: consistently apply ufo or fragmentation
2017-08-12 19:31:22 -07:00
ip_sockglue.c
net-timestamp: avoid use-after-free in ip_recv_error
2017-05-03 08:36:36 -07:00
ip_tunnel_core.c
net: Specify the owning module for lwtunnel ops
2017-02-04 09:47:11 +01:00
ip_tunnel.c
ip_tunnel: fix setting ttl and tos value in collect_md mode
2017-09-20 08:19:56 +02:00
ip_vti.c
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
2017-10-12 11:51:22 +02:00
ipcomp.c
ipv4: coding style: comparison for equality with NULL
2015-04-03 12:11:15 -04:00
ipconfig.c
net: ipconfig: Fix NULL pointer dereference on RARP/BOOTP/DHCP timeout
2016-08-22 21:04:41 -07:00
ipip.c
ip_tunnel: add collect_md mode to IPIP tunnel
2016-09-17 10:13:07 -04:00
ipmr.c
ipv4: allow local fragmentation in ip_finish_output_gso()
2016-11-03 16:10:26 -04:00
Kconfig
tcp: Set DEFAULT_TCP_CONG to bbr if DEFAULT_BBR is set
2016-11-28 12:15:00 -05:00
Makefile
tcp_bbr: add BBR congestion control
2016-09-21 00:23:01 -04:00
netfilter.c
netfilter: use skb_to_full_sk in ip_route_me_harder
2017-07-05 14:40:28 +02:00
ping.c
ping: implement proper locking
2017-05-03 08:36:34 -07:00
proc.c
net: Suppress the "Comparison to NULL could be written" warnings
2016-09-30 01:50:45 -04:00
protocol.c
raw.c
ipv4, ipv6: ensure raw socket message is big enough to hold an IP header
2017-05-14 14:00:21 +02:00
route.c
ipv4: better IP_MAX_MTU enforcement
2017-08-30 10:21:40 +02:00
syncookies.c
ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check()
2017-08-11 08:49:32 -07:00
sysctl_net_ipv4.c
ipv4: make tcp_notsent_lowat sysctl knob behave as true unsigned int
2017-08-11 08:49:35 -07:00
tcp_bbr.c
tcp_bbr: init pacing rate on first RTT sample
2017-08-11 08:49:32 -07:00
tcp_bic.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_cdg.c
tcp: cdg: rename struct minmax in tcp_cdg.c to avoid a naming conflict
2016-09-21 00:22:59 -04:00
tcp_cong.c
tcp: disallow cwnd undo when switching congestion control
2017-06-14 15:05:52 +02:00
tcp_cubic.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_dctcp.c
dctcp: avoid bogus doubling of cwnd after loss
2016-10-31 15:16:28 -04:00
tcp_diag.c
net: diag: Fix refcnt leak in error path destroying socket
2016-08-23 23:11:36 -07:00
tcp_fastopen.c
tcp: initialize max window for a new fastopen socket
2017-02-04 09:47:10 +01:00
tcp_highspeed.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_htcp.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_hybla.c
tcp: do not slow start when cwnd equals ssthresh
2015-07-09 14:22:52 -07:00
tcp_illinois.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_input.c
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
2017-08-30 10:21:42 +02:00
tcp_ipv4.c
dccp/tcp: fix routing redirect race
2017-03-22 12:43:34 +01:00
tcp_lp.c
tcp: fix wraparound issue in tcp_lp
2017-05-14 14:00:21 +02:00
tcp_metrics.c
tcp: make nla_policy const
2016-09-01 14:09:01 -07:00
tcp_minisocks.c
tcp: do not inherit fastopen_req from parent
2017-05-14 14:00:21 +02:00
tcp_nv.c
tcp: add NV congestion control
2016-06-10 23:07:49 -07:00
tcp_offload.c
gso: Support partial splitting at the frag_list pointer
2016-09-19 20:59:34 -04:00
tcp_output.c
tcp: fastopen: fix on syn-data transmit failure
2017-10-12 11:51:21 +02:00
tcp_probe.c
tcp: tcp_probe: use spin_lock_bh()
2017-06-17 06:41:49 +02:00
tcp_rate.c
tcp: export data delivery rate
2016-09-21 00:23:00 -04:00
tcp_recovery.c
tcp: do not assume TCP code is non preemptible
2016-05-02 17:02:25 -04:00
tcp_scalable.c
tcp: add tcp_in_slow_start helper
2015-07-09 14:22:52 -07:00
tcp_timer.c
net: fix keepalive code vs TCP_FASTOPEN_CONNECT
2017-08-12 19:31:21 -07:00
tcp_vegas.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_vegas.h
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_veno.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_westwood.c
tcp: replace cnt & rtt with struct in pkts_acked()
2016-05-11 14:43:19 -04:00
tcp_yeah.c
tcp: cwnd does not increase in TCP YeAH
2016-09-08 17:16:12 -07:00
tcp.c
tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
2017-09-20 08:19:55 +02:00
tunnel4.c
tunnels: correct conditional build of MPLS and IPv6
2016-07-11 13:27:06 -07:00
udp_diag.c
net: inet: diag: expose the socket mark to privileged processes.
2016-09-08 16:13:09 -07:00
udp_impl.h
udplite: call proper backlog handlers
2016-11-24 15:32:14 -05:00
udp_offload.c
udp: disable inner UDP checksum offloads in IPsec case
2017-10-08 10:26:08 +02:00
udp_tunnel.c
net: Remove deprecated tunnel specific UDP offload functions
2016-06-17 20:23:32 -07:00
udp.c
udp: consistently apply ufo or fragmentation
2017-08-12 19:31:22 -07:00
udplite.c
udplite: call proper backlog handlers
2016-11-24 15:32:14 -05:00
xfrm4_input.c
netfilter: Pass net into okfn
2015-09-17 17:18:37 -07:00
xfrm4_mode_beet.c
xfrm4_mode_transport.c
xfrm4_mode_tunnel.c
ipv4: hash net ptr into fragmentation bucket selection
2015-03-25 14:07:04 -04:00
xfrm4_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-24 06:54:12 -07:00
xfrm4_policy.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-09-12 15:52:44 -07:00
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c