linux-stable/net/ipv6
Eric Dumazet af51fc23a0 ipv6: ensure sane device mtu in tunnels
commit d89d7ff012 upstream.

Another syzbot report [1] with no reproducer hints
at a bug in ip6_gre tunnel (dev:ip6gretap0)

Since ipv6 mcast code makes sure to read dev->mtu once
and applies a sanity check on it (see commit b9b312a7a4
"ipv6: mcast: better catch silly mtu values"), a remaining
possibility is that a layer is able to set dev->mtu to
an underflowed value (high order bit set).

This could happen indeed in ip6gre_tnl_link_config_route(),
ip6_tnl_link_config() and ipip6_tunnel_bind_dev().

Make sure to sanitize the mtu value in a local variable before
it is written once to dev->mtu, as lockless readers could
catch a wrong temporary value.

[1]
skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:120
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: mld mld_ifc_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
sp : ffff800020dd3b60
x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800
x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200
x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38
x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80
x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00
x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089
Call trace:
skb_panic+0x4c/0x50 net/core/skbuff.c:116
skb_over_panic net/core/skbuff.c:125 [inline]
skb_put+0xd4/0xdc net/core/skbuff.c:2049
ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)

Fixes: c12b395a46 ("gre: Support GRE over IPv6")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20221024020124.3756833-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ta: Backport patch for stable kernels < 5.10.y. Fix conflict in
net/ipv6/ip6_tunnel.c, mtu initialized with:
mtu = rt->dst.dev->mtu - t_hlen;]
Cc: <stable@vger.kernel.org> # 4.14.y, 4.19.y, 5.4.y
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-02-06 07:52:51 +01:00
ila
netfilter netfilter: nft_fib: Fix for rpath check with VRF devices 2022-10-26 13:22:25 +02:00
addrconf.c ipv6: take care of disable_policy when restoring routes 2022-07-07 17:36:47 +02:00
addrconf_core.c
addrlabel.c ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network 2022-11-25 17:42:05 +01:00
af_inet6.c ip: Fix data-races around sysctl_ip_no_pmtu_disc. 2022-07-29 17:14:10 +02:00
ah6.c ah6: fix error return code in ah6_input() 2020-11-24 13:28:55 +01:00
anycast.c
calipso.c cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-17 17:03:35 +01:00
datagram.c
esp6.c esp: limit skb_page_frag_refill use to a single page 2022-07-12 16:30:45 +02:00
esp6_offload.c esp: delete NETIF_F_SCTP_CRC bit from features for esp offload 2021-04-14 08:24:13 +02:00
exthdrs.c ipv6: fix out-of-bound access in ip6_parse_tlv() 2021-07-14 16:53:33 +02:00
exthdrs_core.c
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c ipv6: fix memory leak in fib6_rule_suppress 2021-12-08 09:01:13 +01:00
fou6.c
icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 10:26:53 +01:00
inet6_connection_sock.c
inet6_hashtables.c secure_seq: use the 64 bits of the siphash for port offset calculation 2022-06-06 08:33:49 +02:00
ip6_checksum.c
ip6_fib.c ipv6: annotate accesses to fn->fn_sernum 2022-02-01 17:24:38 +01:00
ip6_flowlabel.c
ip6_gre.c ipv6: ensure sane device mtu in tunnels 2023-02-06 07:52:51 +01:00
ip6_icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-03-04 10:26:53 +01:00
ip6_input.c tcp/udp: Make early_demux back namespacified. 2022-11-10 17:57:55 +01:00
ip6_offload.c gso: do not skip outer ip header in case of ipip and net_failover 2022-03-02 11:41:06 +01:00
ip6_offload.h
ip6_output.c ipv6: avoid use-after-free in ip6_fragment() 2022-12-14 11:30:48 +01:00
ip6_tunnel.c ipv6: ensure sane device mtu in tunnels 2023-02-06 07:52:51 +01:00
ip6_udp_tunnel.c
ip6_vti.c ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate 2022-01-11 15:23:33 +01:00
ip6mr.c ipv6: make mc_forwarding atomic 2022-04-15 14:18:32 +02:00
ipcomp6.c
ipv6_sockglue.c tcp/udp: Fix memory leak in ipv6_renew_options(). 2022-11-10 17:57:54 +01:00
Kconfig net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC 2020-09-26 18:03:13 +02:00
Makefile
mcast.c mld: fix panic in mld_newpack() 2021-06-03 08:59:14 +02:00
mcast_snoop.c net: bridge: mcast: fix broken length + header check for MRDv6 Adv. 2021-05-14 09:44:32 +02:00
mip6.c
ndisc.c Exempt multicast addresses from five-second neighbor lifetime 2020-11-24 13:28:56 +01:00
netfilter.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-11-18 19:20:17 +01:00
output_core.c ipv6: use prandom_u32() for ID generation 2021-07-19 08:53:09 +02:00
ping.c net: ping6: Fix memleak in ipv6_renew_options(). 2022-08-03 11:59:39 +02:00
proc.c
protocol.c
raw.c ipv6: raw: Deduct extension header length in rawv6_push_pending_frames 2023-01-18 11:42:02 +01:00
reassembly.c ipv6: record frag_max_size in atomic fragments in input path 2021-06-03 08:59:15 +02:00
route.c ipv6: fix WARNING in ip6_route_net_exit_late() 2022-11-10 17:57:52 +01:00
seg6.c ipv6: sr: fix out-of-bounds read when setting HMAC data. 2022-09-15 12:04:55 +02:00
seg6_hmac.c net: ipv6: unexport __init-annotated seg6_hmac_net_init() 2022-07-07 17:36:49 +02:00
seg6_iptunnel.c seg6: fix skb checksum evaluation in SRH encapsulation/insertion 2022-07-21 20:59:23 +02:00
seg6_local.c seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors 2022-07-21 20:59:23 +02:00
sit.c ipv6: ensure sane device mtu in tunnels 2023-02-06 07:52:51 +01:00
syncookies.c tcp: Fix data-races around sysctl_tcp_syncookies. 2022-07-29 17:14:13 +02:00
sysctl_net_ipv6.c
tcp_ipv6.c dccp/tcp: Reset saddr on failure after inet6?_hash_connect(). 2022-12-08 11:22:59 +01:00
tcpv6_offload.c
tunnel6.c
udp.c tcp/udp: Make early_demux back namespacified. 2022-11-10 17:57:55 +01:00
udp_impl.h
udp_offload.c
udplite.c
xfrm6_input.c
xfrm6_output.c xfrm: fix tunnel model fragmentation behavior 2022-04-15 14:17:56 +02:00
xfrm6_policy.c xfrm: Fix ignored return value in xfrm6_init() 2022-12-08 11:22:58 +01:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c