iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net/ipv6
History
Eric Dumazet 8ce48623f0 ipv6: tcp: restore IP6CB for pktoptions skbs 
Baozeng Ding reported following KASAN splat :

BUG: KASAN: use-after-free in ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 at addr ffff880029c84ec8
Read of size 1 by task poc/25548
Call Trace:
 [<ffffffff82cf43c9>] dump_stack+0x12e/0x185 /lib/dump_stack.c:15
 [<     inline     >] print_address_description /mm/kasan/report.c:204
 [<ffffffff817ced3b>] kasan_report_error+0x48b/0x4b0 /mm/kasan/report.c:283
 [<     inline     >] kasan_report /mm/kasan/report.c:303
 [<ffffffff817ced9e>] __asan_report_load1_noabort+0x3e/0x40 /mm/kasan/report.c:321
 [<ffffffff85c71da1>] ip6_datagram_recv_specific_ctl+0x13f1/0x15c0 /net/ipv6/datagram.c:687
 [<ffffffff85c734c3>] ip6_datagram_recv_ctl+0x33/0x40
 [<ffffffff85c0b07c>] do_ipv6_getsockopt.isra.4+0xaec/0x2150
 [<ffffffff85c0c7f6>] ipv6_getsockopt+0x116/0x230
 [<ffffffff859b5a12>] tcp_getsockopt+0x82/0xd0 /net/ipv4/tcp.c:3035
 [<ffffffff855fb385>] sock_common_getsockopt+0x95/0xd0 /net/core/sock.c:2647
 [<     inline     >] SYSC_getsockopt /net/socket.c:1776
 [<ffffffff855f8ba2>] SyS_getsockopt+0x142/0x230 /net/socket.c:1758
 [<ffffffff8685cdc5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff880029c84d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880029c84e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff880029c84e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                              ^
 ffff880029c84f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff880029c84f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

He also provided a syzkaller reproducer.

Issue is that ip6_datagram_recv_specific_ctl() expects to find IP6CB
data that was moved at a different place in tcp_v6_rcv()

This patch moves tcp_v6_restore_cb() up and calls it from
tcp_v6_do_rcv() when np->pktoptions is set.

Fixes: 971f10eca186 ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-13 11:07:34 -04:00
..
ila
ila: make nla_policy const
2016-09-01 14:09:01 -07:00
netfilter
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2016-09-25 23:34:19 +02:00
addrconf_core.c
ipv6: change ipv6_stub_impl.ipv6_dst_lookup to take net argument
2015-07-31 15:21:30 -07:00
addrconf.c
ipv6 addrconf: disallow rtr_solicits < -1
2016-10-07 23:43:56 -04:00
addrlabel.c
ipv6/addrlabel: fix ip6addrlbl_get()
2015-12-22 15:57:54 -05:00
af_inet6.c
tcp: Set read_sock and peek_len proto_ops
2016-08-28 23:32:41 -04:00
ah6.c
ah6: fix error return code
2015-08-25 13:37:31 -07:00
anycast.c
ipv6: coding style: comparison for equality with NULL
2015-03-31 13:51:54 -04:00
calipso.c
calipso: fix resource leak on calipso_genopt failure
2016-08-13 14:56:17 -07:00
datagram.c
sock: propagate __sock_cmsg_send() error
2016-05-16 13:46:23 -04:00
esp6.c
esp6: Switch to new AEAD interface
2015-05-28 11:23:20 +08:00
exthdrs_core.c
ipv6: constify the skb pointer of ipv6_find_tlv().
2016-06-27 15:06:15 -04:00
exthdrs_offload.c
ipv6: fix exthdrs offload registration in out_rt path
2015-09-02 15:31:00 -07:00
exthdrs.c
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next
2016-07-07 10:15:34 +10:00
fib6_rules.c
net: flow: Add l3mdev flow update
2016-09-10 23:12:51 -07:00
fou6.c
fou: add Kconfig options for IPv6 support
2016-05-29 22:24:21 -07:00
icmp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-06-30 05:03:36 -04:00
inet6_connection_sock.c
soreuseport: fast reuseport TCP socket selection
2016-02-11 03:54:15 -05:00
inet6_hashtables.c
net: rename NET_{ADD|INC}_STATS_BH()
2016-04-27 22:48:24 -04:00
ip6_checksum.c
ipv6: fix checksum annotation in udp6_csum_init
2016-06-14 15:26:42 -04:00
ip6_fib.c
ipv6: report NLM_F_CREATE and NLM_F_EXCL flags in RTM_NEWROUTE events
2016-09-09 16:50:23 -07:00
ip6_flowlabel.c
ipv6: add new struct ipcm6_cookie
2016-05-03 16:08:14 -04:00
ip6_gre.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-10-02 22:20:41 -04:00
ip6_icmp.c
ipv6: icmp: add a force_saddr param to icmp6_send()
2016-06-18 22:11:38 -07:00
ip6_input.c
net: vrf: ipv6 support for local traffic to local addresses
2016-06-08 00:25:38 -07:00
ip6_offload.c
gso: Support partial splitting at the frag_list pointer
2016-09-19 20:59:34 -04:00
ip6_offload.h
udp: Add GRO functions to UDP socket
2016-04-07 16:53:29 -04:00
ip6_output.c
net: ipv6: Remove l3mdev_get_saddr6
2016-09-10 23:12:53 -07:00
ip6_tunnel.c
ip6_tunnel: add collect_md mode to IPv6 tunnels
2016-09-17 10:13:07 -04:00
ip6_udp_tunnel.c
ip_tunnel: add support for setting flow label via collect metadata
2016-03-11 15:14:26 -05:00
ip6_vti.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-09-23 06:46:57 -04:00
ip6mr.c
ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
2016-09-25 23:41:39 -04:00
ipcomp6.c
ipv6: White-space cleansing : Structure layouts
2014-08-24 22:37:52 -07:00
ipv6_sockglue.c
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next
2016-07-07 10:15:34 +10:00
Kconfig
fou: fix IPv6 Kconfig options
2016-05-31 14:07:49 -07:00
Makefile
Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next
2016-07-07 10:15:34 +10:00
mcast_snoop.c
net: fix wrong skb_get() usage / crash in IGMP/MLD parsing code
2015-08-13 17:08:39 -07:00
mcast.c
net/multicast: should not send source list records when have filter mode change
2016-08-08 16:04:39 -07:00
mip6.c
ipv6: use ktime_t for internal timestamps
2015-10-05 03:16:47 -07:00
ndisc.c
net: l3mdev: remove redundant calls
2016-09-10 23:12:52 -07:00
netfilter.c
ipv6: Pass struct net into ip6_route_me_harder
2015-09-29 20:21:32 +02:00
output_core.c
net: l3mdev: Add hook to output path
2016-09-10 23:12:52 -07:00
ping.c
ipv6: release dst in ping_v6_sendmsg
2016-09-06 12:54:17 -07:00
proc.c
proc: Reduce cache miss in snmp6_seq_show
2016-09-30 01:50:44 -04:00
protocol.c
net: Export inet_offloads and inet6_offloads
2014-09-19 17:15:31 -04:00
raw.c
net: l3mdev: Add hook to output path
2016-09-10 23:12:52 -07:00
reassembly.c
ipv6: rename IP6_INC_STATS_BH()
2016-04-27 22:48:24 -04:00
route.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-10-02 22:20:41 -04:00
sit.c
sit: make function ipip6_valid_ip_proto() static
2016-08-12 21:52:18 -07:00
syncookies.c
net: rename NET_{ADD|INC}_STATS_BH()
2016-04-27 22:48:24 -04:00
sysctl_net_ipv6.c
calipso: Add a label cache.
2016-06-27 15:06:17 -04:00
tcp_ipv6.c
ipv6: tcp: restore IP6CB for pktoptions skbs
2016-10-13 11:07:34 -04:00
tcpv6_offload.c
tcp: cleanup static functions
2015-02-28 16:56:51 -05:00
tunnel6.c
ipv6: fix tunnel error handling
2015-11-03 10:52:13 -05:00
udp_impl.h
ipv6: udp: remove udp_v6_clear_sk()
2016-08-23 23:23:50 -07:00
udp_offload.c
gso: Remove arbitrary checks for unsupported GSO
2016-05-20 18:03:15 -04:00
udp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-08-30 00:54:02 -04:00
udplite.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-08-30 00:54:02 -04:00
xfrm6_input.c
vti6: fix input path
2016-09-21 10:09:14 +02:00
xfrm6_mode_beet.c
xfrm: simplify xfrm_address_t use
2015-03-31 13:58:35 -04:00
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
ipv6: update skb->csum when CE mark is propagated
2016-01-15 15:07:23 -05:00
xfrm6_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-24 06:54:12 -07:00
xfrm6_policy.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-09-12 15:52:44 -07:00
xfrm6_protocol.c
xfrm6_state.c
ipv6: White-space cleansing : Line Layouts
2014-08-24 22:37:52 -07:00
xfrm6_tunnel.c
vti6: fix input path
2016-09-21 10:09:14 +02:00