| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Dec 2017 20:55:34 +0800
From: Xin Long <lucien.xin@...il.com>
To: Eric Dumazet <eric.dumazet@...il.com>
Cc: David Miller <davem@...emloft.net>,
network dev <netdev@...r.kernel.org>
Subject: Re: [PATCH net] ipv6: mcast: better catch silly mtu values
On Mon, Dec 11, 2017 at 11:03 PM, Eric Dumazet <eric.dumazet@...il.com> wrote:
> From: Eric Dumazet <edumazet@...gle.com>
>
> syzkaller reported crashes in IPv6 stack [1]
>
> Xin Long found that lo MTU was set to silly values.
>
> IPv6 stack reacts to changes to small MTU, by disabling itself under
> RTNL.
>
> But there is a window where threads not using RTNL can see a wrong
> device mtu. This can lead to surprises, in mld code where it is assumed
> the mtu is suitable.
>
> Fix this by reading device mtu once and checking IPv6 minimal MTU.
>
> [1]
> skbuff: skb_over_panic: text:0000000010b86b8d len:196 put:20
> head:000000003b477e60 data:000000000e85441e tail:0xd4 end:0xc0 dev:lo
> ------------[ cut here ]------------
> kernel BUG at net/core/skbuff.c:104!
> invalid opcode: 0000 [#1] SMP KASAN
> Dumping ftrace buffer:
> (ftrace buffer empty)
> Modules linked in:
> CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.15.0-rc2-mm1+ #39
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:skb_panic+0x15c/0x1f0 net/core/skbuff.c:100
> RSP: 0018:ffff8801db307508 EFLAGS: 00010286
> RAX: 0000000000000082 RBX: ffff8801c517e840 RCX: 0000000000000000
> RDX: 0000000000000082 RSI: 1ffff1003b660e61 RDI: ffffed003b660e95
> RBP: ffff8801db307570 R08: 1ffff1003b660e23 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff85bd4020
> R13: ffffffff84754ed2 R14: 0000000000000014 R15: ffff8801c4e26540
> FS: 0000000000000000(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000463610 CR3: 00000001c6698000 CR4: 00000000001406e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <IRQ>
> skb_over_panic net/core/skbuff.c:109 [inline]
> skb_put+0x181/0x1c0 net/core/skbuff.c:1694
> add_grhead.isra.24+0x42/0x3b0 net/ipv6/mcast.c:1695
> add_grec+0xa55/0x1060 net/ipv6/mcast.c:1817
> mld_send_cr net/ipv6/mcast.c:1903 [inline]
> mld_ifc_timer_expire+0x4d2/0x770 net/ipv6/mcast.c:2448
> call_timer_fn+0x23b/0x840 kernel/time/timer.c:1320
> expire_timers kernel/time/timer.c:1357 [inline]
> __run_timers+0x7e1/0xb60 kernel/time/timer.c:1660
> run_timer_softirq+0x4c/0xb0 kernel/time/timer.c:1686
> __do_softirq+0x29d/0xbb2 kernel/softirq.c:285
> invoke_softirq kernel/softirq.c:365 [inline]
> irq_exit+0x1d3/0x210 kernel/softirq.c:405
> exiting_irq arch/x86/include/asm/apic.h:540 [inline]
> smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
> apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:920
>
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Reported-by: syzbot <syzkaller@...glegroups.com>
Tested-by: Xin Long <lucien.xin@...il.com>
Powered by blists - more mailing lists