iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet c4c857723b net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv() 
[ Upstream commit b0ec2abf98267f14d032102551581c833b0659d3 ]

Apply the same fix than ones found in :

8d975c15c0cd ("ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()")
1ca1ba465e55 ("geneve: make sure to pull inner header in geneve_rx()")

We have to save skb->network_header in a temporary variable
in order to be able to recompute the network_header pointer
after a pskb_inet_may_pull() call.

pskb_inet_may_pull() makes sure the needed headers are in skb->head.

syzbot reported:
BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 BUG: KMSAN: uninit-value in IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
 BUG: KMSAN: uninit-value in ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
  IP_ECN_decapsulate include/net/inet_ecn.h:302 [inline]
  ip_tunnel_rcv+0xed9/0x2ed0 net/ipv4/ip_tunnel.c:409
  __ipgre_rcv+0x9bc/0xbc0 net/ipv4/ip_gre.c:389
  ipgre_rcv net/ipv4/ip_gre.c:411 [inline]
  gre_rcv+0x423/0x19f0 net/ipv4/ip_gre.c:447
  gre_rcv+0x2a4/0x390 net/ipv4/gre_demux.c:163
  ip_protocol_deliver_rcu+0x264/0x1300 net/ipv4/ip_input.c:205
  ip_local_deliver_finish+0x2b8/0x440 net/ipv4/ip_input.c:233
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_local_deliver+0x21f/0x490 net/ipv4/ip_input.c:254
  dst_input include/net/dst.h:461 [inline]
  ip_rcv_finish net/ipv4/ip_input.c:449 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip_rcv+0x46f/0x760 net/ipv4/ip_input.c:569
  __netif_receive_skb_one_core net/core/dev.c:5534 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5648
  netif_receive_skb_internal net/core/dev.c:5734 [inline]
  netif_receive_skb+0x58/0x660 net/core/dev.c:5793
  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1556
  tun_get_user+0x53b9/0x66e0 drivers/net/tun.c:2009
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
  call_write_iter include/linux/fs.h:2087 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb6b/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  __alloc_pages+0x9a6/0xe00 mm/page_alloc.c:4590
  alloc_pages_mpol+0x62b/0x9d0 mm/mempolicy.c:2133
  alloc_pages+0x1be/0x1e0 mm/mempolicy.c:2204
  skb_page_frag_refill+0x2bf/0x7c0 net/core/sock.c:2909
  tun_build_skb drivers/net/tun.c:1686 [inline]
  tun_get_user+0xe0a/0x66e0 drivers/net/tun.c:1826
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2055
  call_write_iter include/linux/fs.h:2087 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0xb6b/0x1520 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0xcf/0x1e0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2024-03-26 18:19:39 -04:00
..
6lowpan
9p
net: 9p: avoid freeing uninit memory in p9pdu_vreadf
2024-01-01 12:42:41 +00:00
802
8021q
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
2024-01-31 16:19:01 -08:00
appletalk
appletalk: Fix Use-After-Free in atalk_ioctl
2023-12-20 17:01:50 +01:00
atm
atm: Fix Use-After-Free in do_vcc_ioctl
2023-12-20 17:01:48 +01:00
ax25
ax25: Kconfig: Update link for linux-ax25.org
2023-09-18 12:56:58 +01:00
batman-adv
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-08-24 10:51:39 -07:00
bluetooth
Bluetooth: fix use-after-free in accessing skb after sending it
2024-03-26 18:19:38 -04:00
bpf
bpf: Fix a few selftest failures due to llvm18 change
2024-02-05 20:14:20 +00:00
bpfilter
net: Use umd_cleanup_helper()
2023-05-31 13:06:57 +02:00
bridge
netfilter: bridge: confirm multicast packets before passing them up the stack
2024-03-06 14:48:36 +00:00
caif
sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)
2023-06-24 15:50:13 -07:00
can
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
2024-02-23 09:25:17 +01:00
ceph
libceph: fail sparse-read if the data length doesn't match
2024-03-01 13:34:56 +01:00
core
net: mctp: copy skb ext data when fragmenting
2024-03-26 18:19:34 -04:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-01 21:07:46 -07:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 11:59:35 +01:00
devlink
devlink: fix port dump cmd type
2024-03-01 13:35:09 +01:00
dns_resolver
keys, dns: Fix size check of V1 server-list header
2024-01-25 15:35:41 -08:00
dsa
net: dsa: mark parsed interface mode for legacy switch drivers
2023-08-09 13:08:09 -07:00
ethernet
ethtool
ethtool: netlink: Add missing ethnl_ops_begin/complete
2024-01-25 15:36:00 -08:00
handshake
net/handshake: Fix handshake_req_destroy_test1
2024-02-23 09:24:50 +01:00
hsr
net: hsr: Use correct offset for HSR TLV values in supervisory HSR frames
2024-03-06 14:48:36 +00:00
ieee802154
sysctl-6.6-rc1
2023-08-29 17:39:15 -07:00
ife
net: sched: ife: fix potential use-after-free
2024-01-01 12:42:30 +00:00
ipv4
net: ip_tunnel: make sure to pull inner header in ip_tunnel_rcv()
2024-03-26 18:19:39 -04:00
ipv6
ipv6: fib6_rules: flush route cache when rule is changed
2024-03-26 18:19:39 -04:00
iucv
net/iucv: fix the allocation size of iucv_path_table array
2024-03-26 18:19:12 -04:00
kcm
net: kcm: fix direct access to bv_len
2024-02-05 20:14:25 +00:00
key
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2023-08-18 12:44:56 -07:00
l2tp
l2tp: pass correct message length to ip6_append_data
2024-03-01 13:35:01 +01:00
l3mdev
lapb
llc
llc: call sock_orphan() at release time
2024-02-05 20:14:36 +00:00
mac80211
wifi: mac80211: only call drv_sta_rc_update for uploaded stations
2024-03-26 18:19:13 -04:00
mac802154
Core WPAN changes:
2023-06-24 15:41:46 -07:00
mctp
net: mctp: copy skb ext data when fragmenting
2024-03-26 18:19:34 -04:00
mpls
networking: Update to register_net_sysctl_sz
2023-08-15 15:26:18 -07:00
mptcp
mptcp: fix possible deadlock in subflow diag
2024-03-06 14:48:42 +00:00
ncsi
net/ncsi: Fix netlink major/minor version numbers
2024-01-25 15:35:20 -08:00
netfilter
netfilter: nf_conntrack_h323: Add protection for bmp length out of range
2024-03-15 10:48:19 -04:00
netlabel
calipso: fix memory leak in netlbl_calipso_add_pass()
2024-01-25 15:35:14 -08:00
netlink
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
2024-03-06 14:48:34 +00:00
netrom
netrom: Fix data-races around sysctl_net_busy_read
2024-03-15 10:48:21 -04:00
nfc
nfc: nci: free rx_data_reassembly skb on NCI device cleanup
2024-02-23 09:25:02 +01:00
nsh
net: move gso declarations and functions to their own files
2023-06-10 00:11:41 -07:00
openvswitch
net: openvswitch: limit the number of recursions from action sets
2024-02-23 09:24:51 +01:00
packet
packet: Move reference count in packet_sock to atomic_long_t
2023-12-13 18:45:23 +01:00
phonet
phonet/pep: fix racy skb_queue_empty() use
2024-03-01 13:35:10 +01:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 18:45:10 +01:00
qrtr
net: qrtr: ns: Return 0 if server port is not present
2024-01-20 11:51:47 +01:00
rds
net/rds: fix WARNING in rds_conn_connect_if_down
2024-03-15 10:48:18 -04:00
rfkill
net: rfkill: gpio: set GPIO direction
2024-01-01 12:42:41 +00:00
rose
net/rose: fix races in rose_kill_by_device()
2024-01-01 12:42:31 +00:00
rxrpc
rxrpc: Fix counting of new acks and nacks
2024-02-16 19:10:50 +01:00
sched
net/sched: flower: Add lock protection when remove filter handle
2024-03-01 13:35:09 +01:00
sctp
sctp: fix busy polling
2024-01-25 15:35:30 -08:00
smc
net/smc: disable SEID on non-s390 archs where virtual ISM may be used
2024-02-05 20:14:25 +00:00
strparser
sunrpc
SUNRPC: fix some memleaks in gssx_dec_option_array
2024-03-26 18:19:36 -04:00
switchdev
net: bridge: switchdev: Skip MDB replays of deferred events on offload
2024-03-01 13:35:06 +01:00
tipc
tipc: Check the bearer type before calling tipc_udp_nl_bearer_add()
2024-02-16 19:10:50 +01:00
tls
tls: fix use-after-free on failed backlog decryption
2024-03-06 14:48:37 +00:00
unix
af_unix: Annotate data-race of gc_in_progress in wait_for_unix_gc().
2024-03-26 18:19:23 -04:00
vmw_vsock
virtio/vsock: send credit update during setting SO_RCVLOWAT
2024-01-25 15:35:26 -08:00
wireless
wifi: nl80211: reject iftype change with mesh ID change
2024-03-06 14:48:40 +00:00
x25
sock: Remove ->sendpage*() in favour of sendmsg(MSG_SPLICE_PAGES)
2023-06-24 15:50:13 -07:00
xdp
xsk: Add truesize to skb_add_rx_frag().
2024-03-01 13:35:05 +01:00
xfrm
xfrm: set skb control buffer based on packet offload as well
2024-03-26 18:19:15 -04:00
compat.c
net/compat: Update msg_control_is_user when setting a kernel pointer
2023-04-14 11:09:27 +01:00
devres.c
Kconfig
bpf: Add fd-based tcx multi-prog infra with link support
2023-07-19 10:07:27 -07:00
Kconfig.debug
Makefile
net/handshake: Create a NETLINK service for handling handshake requests
2023-04-19 18:48:48 -07:00
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-10 17:16:51 +01:00
sysctl_net.c
sysctl: Add size to register_net_sysctl function
2023-08-15 15:26:17 -07:00