evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_oneplus_msm8998/net/ipv6
History
Lorenzo Bianconi a04dde4e15 ipv6: sit: reset ip header pointer in ipip6_rcv 
[ Upstream commit bb9bd814ebf04f579be466ba61fc922625508807 ]

ipip6 tunnels run iptunnel_pull_header on received skbs. This can
determine the following use-after-free accessing iph pointer since
the packet will be 'uncloned' running pskb_expand_head if it is a
cloned gso skb (e.g if the packet has been sent though a veth device)

[  706.369655] BUG: KASAN: use-after-free in ipip6_rcv+0x1678/0x16e0 [sit]
[  706.449056] Read of size 1 at addr ffffe01b6bd855f5 by task ksoftirqd/1/=
[  706.669494] Hardware name: HPE ProLiant m400 Server/ProLiant m400 Server, BIOS U02 08/19/2016
[  706.771839] Call trace:
[  706.801159]  dump_backtrace+0x0/0x2f8
[  706.845079]  show_stack+0x24/0x30
[  706.884833]  dump_stack+0xe0/0x11c
[  706.925629]  print_address_description+0x68/0x260
[  706.982070]  kasan_report+0x178/0x340
[  707.025995]  __asan_report_load1_noabort+0x30/0x40
[  707.083481]  ipip6_rcv+0x1678/0x16e0 [sit]
[  707.132623]  tunnel64_rcv+0xd4/0x200 [tunnel4]
[  707.185940]  ip_local_deliver_finish+0x3b8/0x988
[  707.241338]  ip_local_deliver+0x144/0x470
[  707.289436]  ip_rcv_finish+0x43c/0x14b0
[  707.335447]  ip_rcv+0x628/0x1138
[  707.374151]  __netif_receive_skb_core+0x1670/0x2600
[  707.432680]  __netif_receive_skb+0x28/0x190
[  707.482859]  process_backlog+0x1d0/0x610
[  707.529913]  net_rx_action+0x37c/0xf68
[  707.574882]  __do_softirq+0x288/0x1018
[  707.619852]  run_ksoftirqd+0x70/0xa8
[  707.662734]  smpboot_thread_fn+0x3a4/0x9e8
[  707.711875]  kthread+0x2c8/0x350
[  707.750583]  ret_from_fork+0x10/0x18

[  707.811302] Allocated by task 16982:
[  707.854182]  kasan_kmalloc.part.1+0x40/0x108
[  707.905405]  kasan_kmalloc+0xb4/0xc8
[  707.948291]  kasan_slab_alloc+0x14/0x20
[  707.994309]  __kmalloc_node_track_caller+0x158/0x5e0
[  708.053902]  __kmalloc_reserve.isra.8+0x54/0xe0
[  708.108280]  __alloc_skb+0xd8/0x400
[  708.150139]  sk_stream_alloc_skb+0xa4/0x638
[  708.200346]  tcp_sendmsg_locked+0x818/0x2b90
[  708.251581]  tcp_sendmsg+0x40/0x60
[  708.292376]  inet_sendmsg+0xf0/0x520
[  708.335259]  sock_sendmsg+0xac/0xf8
[  708.377096]  sock_write_iter+0x1c0/0x2c0
[  708.424154]  new_sync_write+0x358/0x4a8
[  708.470162]  __vfs_write+0xc4/0xf8
[  708.510950]  vfs_write+0x12c/0x3d0
[  708.551739]  ksys_write+0xcc/0x178
[  708.592533]  __arm64_sys_write+0x70/0xa0
[  708.639593]  el0_svc_handler+0x13c/0x298
[  708.686646]  el0_svc+0x8/0xc

[  708.739019] Freed by task 17:
[  708.774597]  __kasan_slab_free+0x114/0x228
[  708.823736]  kasan_slab_free+0x10/0x18
[  708.868703]  kfree+0x100/0x3d8
[  708.905320]  skb_free_head+0x7c/0x98
[  708.948204]  skb_release_data+0x320/0x490
[  708.996301]  pskb_expand_head+0x60c/0x970
[  709.044399]  __iptunnel_pull_header+0x3b8/0x5d0
[  709.098770]  ipip6_rcv+0x41c/0x16e0 [sit]
[  709.146873]  tunnel64_rcv+0xd4/0x200 [tunnel4]
[  709.200195]  ip_local_deliver_finish+0x3b8/0x988
[  709.255596]  ip_local_deliver+0x144/0x470
[  709.303692]  ip_rcv_finish+0x43c/0x14b0
[  709.349705]  ip_rcv+0x628/0x1138
[  709.388413]  __netif_receive_skb_core+0x1670/0x2600
[  709.446943]  __netif_receive_skb+0x28/0x190
[  709.497120]  process_backlog+0x1d0/0x610
[  709.544169]  net_rx_action+0x37c/0xf68
[  709.589131]  __do_softirq+0x288/0x1018

[  709.651938] The buggy address belongs to the object at ffffe01b6bd85580
                which belongs to the cache kmalloc-1024 of size 1024
[  709.804356] The buggy address is located 117 bytes inside of
                1024-byte region [ffffe01b6bd85580, ffffe01b6bd85980)
[  709.946340] The buggy address belongs to the page:
[  710.003824] page:ffff7ff806daf600 count:1 mapcount:0 mapping:ffffe01c4001f600 index:0x0
[  710.099914] flags: 0xfffff8000000100(slab)
[  710.149059] raw: 0fffff8000000100 dead000000000100 dead000000000200 ffffe01c4001f600
[  710.242011] raw: 0000000000000000 0000000000380038 00000001ffffffff 0000000000000000
[  710.334966] page dumped because: kasan: bad access detected

Fix it resetting iph pointer after iptunnel_pull_header

Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
Tested-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-04-27 09:33:54 +02:00
..
netfilter netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES 2019-03-23 08:44:29 +01:00
addrconf.c net: fix IPv6 prefix route residue 2019-02-23 09:05:13 +01:00
addrconf_core.c
addrlabel.c ipv6/addrlabel: fix ip6addrlbl_get() 2015-12-22 15:57:54 -05:00
af_inet6.c ipv6: Consider sk_bound_dev_if when binding a socket to an address 2019-02-06 19:43:06 +01:00
ah6.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
anycast.c
datagram.c ip: on queued skb use skb_header_pointer instead of pskb_may_pull 2019-01-26 09:42:49 +01:00
esp6.c ipsec: check return value of skb_to_sgvec always 2018-04-13 19:50:23 +02:00
exthdrs.c ipv6: add complete rcu protection around np->opt 2015-12-02 23:37:16 -05:00
exthdrs_core.c ipv6: re-enable fragment header matching in ipv6_find_hdr 2016-04-20 15:41:59 +09:00
exthdrs_offload.c
fib6_rules.c ipv6: Do not leak throw route references 2017-07-05 14:37:14 +02:00
icmp.c ipv6: fix endianness error in icmpv6_err 2019-04-03 06:23:24 +02:00
ila.c
inet6_connection_sock.c ipv6: kill sk_dst_lock 2015-12-03 11:32:06 -05:00
inet6_hashtables.c
ip6_checksum.c udplite: fix partial checksum initialization 2018-03-11 16:19:46 +01:00
ip6_fib.c ipv6: fix typo in fib6_net_exit() 2017-09-27 11:00:12 +02:00
ip6_flowlabel.c ipv6: flowlabel: do not leave opt->tot_len with garbage 2017-11-18 11:11:06 +01:00
ip6_gre.c ip6_gre: better validate user provided tunnel names 2018-04-13 19:50:26 +02:00
ip6_icmp.c
ip6_input.c
ip6_offload.c gso_segment: Reset skb->mac_len after modifying network header 2018-09-29 03:08:52 -07:00
ip6_offload.h
ip6_output.c ipv6: Fix dangling pointer when ipv6 fragment 2019-04-27 09:33:54 +02:00
ip6_tunnel.c ip6_tunnel: be careful when accessing the inner header 2018-10-20 09:52:36 +02:00
ip6_udp_tunnel.c ipv6: explicitly initialize udp6_addr in udp_sock_create6() 2019-01-13 10:05:27 +01:00
ip6_vti.c vti6: flush x-netns xfrm cache when vti interface is removed 2018-11-10 07:41:38 -08:00
ip6mr.c ip6mr: Do not call __IP6_INC_STATS() from preemptible context 2019-03-23 08:44:24 +01:00
ipcomp6.c
ipv6_sockglue.c netfilter: drop outermost socket lock in getsockopt() 2018-02-28 10:17:21 +01:00
Kconfig ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV 2018-08-15 17:42:05 +02:00
Makefile
mcast.c ipv6: mcast: fix a use-after-free in inet6_mc_check 2018-11-10 07:41:41 -08:00
mcast_snoop.c
mip6.c
ndisc.c ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called 2018-11-10 07:41:41 -08:00
netfilter.c
output_core.c ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt() 2017-09-27 11:00:10 +02:00
ping.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
proc.c inet: frags: break the 2GB limit for frags storage 2019-02-08 11:25:31 +01:00
protocol.c
raw.c net: ping: do not abuse udp_poll() 2017-06-14 13:16:19 +02:00
reassembly.c ip: use rb trees for IP frag queue. 2019-02-08 11:25:32 +01:00
route.c net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 2019-03-23 08:44:30 +01:00
sit.c ipv6: sit: reset ip header pointer in ipip6_rcv 2019-04-27 09:33:54 +02:00
syncookies.c ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() 2017-08-11 09:08:51 -07:00
sysctl_net_ipv6.c
tcp_ipv6.c tcp: do not use ipv6 header for ipv4 flow 2019-04-03 06:23:25 +02:00
tcpv6_offload.c
tunnel6.c
udp.c udplite: call proper backlog handlers 2019-03-23 08:44:29 +01:00
udp_impl.h udplite: call proper backlog handlers 2019-03-23 08:44:29 +01:00
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-12 19:29:08 -07:00
udplite.c udplite: call proper backlog handlers 2019-03-23 08:44:29 +01:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-14 13:16:19 +02:00
xfrm6_mode_transport.c ipv6: xfrm: Handle errors reported by xfrm6_find_1stfragopt() 2017-06-14 13:16:19 +02:00
xfrm6_mode_tunnel.c ipv6: update skb->csum when CE mark is propagated 2016-01-31 11:29:01 -08:00
xfrm6_output.c xfrm6: call kfree_skb when skb is toobig 2018-11-10 07:41:32 -08:00
xfrm6_policy.c xfrm6: avoid potential infinite loop in _decode_session6() 2018-07-03 11:21:24 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi 2019-02-20 10:13:10 +01:00