github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-10 15:42:19 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
d35cd5e279
linux/net
History
Eric Dumazet d35cd5e279 flow_dissector: properly cap thoff field 
[ Upstream commit d0c081b491 ]

syzbot reported yet another crash [1] that is caused by
insufficient validation of DODGY packets.

Two bugs are happening here to trigger the crash.

1) Flow dissection leaves with incorrect thoff field.

2) skb_probe_transport_header() sets transport header to this invalid
thoff, even if pointing after skb valid data.

3) qdisc_pkt_len_init() reads out-of-bound data because it
trusts tcp_hdrlen(skb)

Possible fixes :

- Full flow dissector validation before injecting bad DODGY packets in
the stack.
 This approach was attempted here : https://patchwork.ozlabs.org/patch/
861874/

- Have more robust functions in the core.
  This might be needed anyway for stable versions.

This patch fixes the flow dissection issue.

[1]
CPU: 1 PID: 3144 Comm: syzkaller271204 Not tainted 4.15.0-rc4-mm1+ #49
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:355 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:413
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:432
 __tcp_hdrlen include/linux/tcp.h:35 [inline]
 tcp_hdrlen include/linux/tcp.h:40 [inline]
 qdisc_pkt_len_init net/core/dev.c:3160 [inline]
 __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3554
 packet_snd net/packet/af_packet.c:2943 [inline]
 packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968
 sock_sendmsg_nosec net/socket.c:628 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:638
 sock_write_iter+0x31a/0x5d0 net/socket.c:907
 call_write_iter include/linux/fs.h:1776 [inline]
 new_sync_write fs/read_write.c:469 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:482
 vfs_write+0x189/0x510 fs/read_write.c:544
 SYSC_write fs/read_write.c:589 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:581
 entry_SYSCALL_64_fastpath+0x1f/0x96

Fixes: 34fad54c25 ("net: __skb_flow_dissect() must cap its return value")
Fixes: a6e544b0a8 ("flow_dissector: Jump to exit code in __skb_flow_dissect")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-31 12:06:14 +01:00
..
6lowpan
9p net/9p: Switch to wait_event_killable() 2017-11-30 08:37:25 +00:00
802
8021q 8021q: fix a memory leak for VLAN 0 device 2018-01-17 09:35:29 +01:00
appletalk
atm
ax25 ax25: Fix segfault after sock connection timeout 2017-02-04 09:45:09 +01:00
batman-adv batman-adv: Check for alloc errors when preparing TT local data 2016-12-15 08:49:23 -08:00
bluetooth Bluetooth: Prevent stack info leak from the EFS element. 2018-01-17 09:35:32 +01:00
bridge net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks 2018-01-02 20:33:26 +01:00
caif net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx 2017-07-05 14:37:14 +02:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-31 12:06:08 +01:00
ceph libceph: force GFP_NOIO for socket allocations 2017-04-08 09:53:30 +02:00
core flow_dissector: properly cap thoff field 2018-01-31 12:06:14 +01:00
dcb
dccp dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state 2018-01-31 12:06:12 +01:00
decnet decnet: always not take dst->__refcnt when inserting dst into hash table 2017-07-05 14:37:14 +02:00
dns_resolver KEYS: Fix race between updating and finding a negative key 2017-10-27 10:23:18 +02:00
dsa net: dsa: select NET_SWITCHDEV 2017-11-15 17:13:11 +01:00
ethernet net: introduce device min_header_len 2017-02-18 16:39:27 +01:00
hsr net/hsr: fix a warning message 2015-11-23 14:56:15 -05:00
ieee802154 Revert "net: fix percpu memory leaks" 2017-09-27 11:00:11 +02:00
ipv4 ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY 2018-01-31 12:06:14 +01:00
ipv6 ipv6: ip6_make_skb() needs to clear cork.base.dst 2018-01-31 12:06:13 +01:00
ipx ipx: call ipxitf_put() in ioctl error path 2017-05-25 14:30:13 +02:00
irda irda: do not leak initialized list.dev to userspace 2017-08-30 10:19:21 +02:00
iucv af_iucv: Validate socket address length in iucv_sock_bind() 2016-03-03 15:07:03 -08:00
key af_key: fix buffer overread in parse_exthdrs() 2018-01-23 19:50:14 +01:00
l2tp l2tp: cleanup l2tp_tunnel_delete calls 2017-12-20 10:04:59 +01:00
l3mdev
lapb
llc net/llc: avoid BUG_ON() in skb_orphan() 2017-02-26 11:07:49 +01:00
mac80211 net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y 2018-01-17 09:35:25 +01:00
mac802154
mpls mpls: Send route delete notifications when router module is unloaded 2017-03-22 12:04:16 +01:00
netfilter netfilter: xt_osf: Add missing permission checks 2018-01-31 12:06:11 +01:00
netlabel netlabel: add address family checks to netlbl_{sock,req}_delattr() 2016-08-20 18:09:22 +02:00
netlink netlink: Add netns check on taps 2018-01-02 20:33:24 +01:00
netrom
nfc NFC: fix device-allocation error return 2017-11-30 08:37:23 +00:00
openvswitch openvswitch: fix potential out of bound access in parse_ct 2017-08-11 09:08:53 -07:00
packet net/packet: fix a race in packet_bind() and packet_notifier() 2017-12-16 10:33:56 +01:00
phonet phonet: properly unshare skbs in phonet_rcv() 2016-01-31 11:29:00 -08:00
rds RDS: null pointer dereference in rds_atomic_free_op 2018-01-17 09:35:29 +01:00
rfkill rfkill: fix rfkill_fop_read wait_event usage 2016-03-03 15:07:26 -08:00
rose
rxrpc rxrpc: Fix several cases where a padded len isn't checked in ticket decode 2017-06-29 12:48:52 +02:00
sched sch_dsmark: fix invalid skb_cow() usage 2017-12-25 14:22:10 +01:00
sctp sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf 2018-01-31 12:06:13 +01:00
sunrpc kernel: make groups_sort calling a responsibility group_info allocators 2018-01-10 09:27:10 +01:00
switchdev switchdev: pass pointer to fib_info instead of copy 2016-06-24 10:18:16 -07:00
tipc tipc: fix memory leak in tipc_accept_from_sock() 2017-12-16 10:33:56 +01:00
unix net/unix: don't show information about sockets from other namespaces 2017-11-18 11:11:06 +01:00
vmw_vsock vsock: use new wait API for vsock_stream_sendmsg() 2017-11-30 08:37:19 +00:00
wimax
wireless nl80211: Define policy for packet pattern attributes 2017-10-18 09:20:41 +02:00
x25 net: fix a kernel infoleak in x25 module 2016-05-18 17:06:43 -07:00
xfrm xfrm: Copy policy family in clone_policy 2017-12-16 10:33:55 +01:00
compat.c audit: log 32-bit socketcalls 2017-10-08 10:14:18 +02:00
Kconfig
Makefile
socket.c net: initialize msg.msg_flags in recvfrom 2017-12-20 10:04:53 +01:00
sysctl_net.c net: Use ns_capable_noaudit() when determining net sysctl permissions 2016-09-15 08:27:50 +02:00