| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 16 Jul 2018 13:40:33 -0700 (PDT)
From: David Miller <davem@...emloft.net>
To: bhole_prashant_q7@....ntt.co.jp
Cc: kuznet@....inr.ac.ru, yoshfuji@...ux-ipv6.org, u9012063@...il.com,
netdev@...r.kernel.org
Subject: Re: [PATCH net-next] net: ip6_gre: get ipv6hdr after skb_cow_head()
From: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>
Date: Fri, 13 Jul 2018 14:40:50 +0900
> A KASAN:use-after-free bug was found related to ip6-erspan
> while running selftests/net/ip6_gre_headroom.sh
>
> It happens because of following sequence:
> - ipv6hdr pointer is obtained from skb
> - skb_cow_head() is called, skb->head memory is reallocated
> - old data is accessed using ipv6hdr pointer
>
> skb_cow_head() call was added in e41c7c68ea77 ("ip6erspan: make sure
> enough headroom at xmit."), but looking at the history there was a
> chance of similar bug because gre_handle_offloads() and pskb_trim()
> can also reallocate skb->head memory. Fixes tag points to commit
> which introduced possibility of this bug.
>
> This patch moves ipv6hdr pointer assignment after skb_cow_head() call.
>
> Fixes: 5a963eb61b7c ("ip6_gre: Add ERSPAN native tunnel support")
> Signed-off-by: Prashant Bhole <bhole_prashant_q7@....ntt.co.jp>
This bug goes back to 4.16, therefore applied to 'net' and queued up
for -stable.
Please do not submit bug fixes against 'net-next' in this situation
in the future.
Thanks.
Powered by blists - more mailing lists