Date: Thu, 28 Mar 2024 12:12:31 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, 
	Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, eric.dumazet@...il.com, 
	syzbot+1c1cf138518bf0c53d68@...kaller.appspotmail.com, 
	Lorenzo Bianconi <lorenzo@...nel.org>
Subject: Re: [PATCH net] erspan: make sure erspan_base_hdr is present in skb->head

On Thu, Mar 28, 2024 at 12:09 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> syzbot reported a problem in ip6erspan_rcv() [1]
>
> Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
> sure erspan_base_hdr is present in skb linear part (skb->head)
> before getting @ver field from it.
>
> Add the missing pskb_may_pull() calls.
>
> [1]
>
>
> CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
>
> Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
> Reported-by: syzbot+1c1cf138518bf0c53d68@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Lorenzo Bianconi <lorenzo@...nel.org>
> ---
>  net/ipv4/ip_gre.c  | 4 ++++
>  net/ipv6/ip6_gre.c | 3 +++
>  2 files changed, 7 insertions(+)
>
> diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
> index 7b16c211b904473cc5e350aafdefb86fbf1b3693..56982d6fb0cd6c39a0e769e130fd47460873b0d4 100644
> --- a/net/ipv4/ip_gre.c
> +++ b/net/ipv4/ip_gre.c
> @@ -280,6 +280,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
>                                           tpi->flags | TUNNEL_NO_KEY,
>                                           iph->saddr, iph->daddr, 0);
>         } else {
> +               if (unlikely(!pskb_may_pull(skb,
> +                                           gre_hdr_len + sizeof(*ershdr))))
> +                       return PACKET_REJECT;

Sorry, I have to reload iph at this point, I will send a v2.

> +
>                 ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
>                 ver = ershdr->ver;
>                 tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
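Review bot: pskb_may_pull() can reallocate the linear area, so the iph pointer taken earlier in erspan_rcv() (the one read as iph->saddr, iph->daddr in the branch just above) is stale once the new pull in the else branch succeeds; reload it, for example `iph = ip_hdr(skb);`, immediately after the added check and before the ip_tunnel_lookup() call that follows, which is exactly the point the author raises in the reply interleaved in this hunk and defers to a v2.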
> diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
> index ca7e77e842835a6d153891fdca7dc8f196e0a2ba..c89aef524df9a2039d223fd2dd7566a9e1f7d3f4 100644
> --- a/net/ipv6/ip6_gre.c
> +++ b/net/ipv6/ip6_gre.c
> @@ -528,6 +528,9 @@ static int ip6erspan_rcv(struct sk_buff *skb,
>         struct ip6_tnl *tunnel;
>         u8 ver;
>
> +       if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
> +               return PACKET_REJECT;
> +
>         ipv6h = ipv6_hdr(skb);
>         ershdr = (struct erspan_base_hdr *)skb->data;
>         ver = ershdr->ver;
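Review bot: The ordering here is correct: the pull precedes both `ipv6h = ipv6_hdr(skb);` and the derivation of ershdr from skb->data, so no pointer into skb->head is held across the possible reallocation, unlike the ip_gre.c hunk. The pull length sizeof(*ershdr) is shorter than the gre_hdr_len + sizeof(*ershdr) used in erspan_rcv() because this function takes ershdr directly at skb->data; the two checks look asymmetric at a glance, so a one-line comment stating that skb->data already points past the GRE header would help the next reader.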
> --
> 2.44.0.396.g6e790dbe36-goog
>
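The bug class the commit message describes, as an added example that is not part of this e-mail or of the kernel tree: a user-space model of an sk_buff with a linear area and a page-fragment remainder, a stand-in for pskb_may_pull() that may reallocate the linear area, and the patched erspan_rcv() else-branch logic including the outer-header reload the follow-up reply says is still needed. The names skb_model, may_pull, skb_build, erspan_rcv_model and the packet bytes are constructed for this example; the erspan_base_hdr layout is simplified to a 4-byte struct with ver in the top nibble.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PACKET_RCVD   0
#define PACKET_REJECT 1

/* 4-byte ERSPAN base header; 'ver' is the top nibble of the first byte
 * (a model of include/net/erspan.h, not its exact bitfield layout). */
struct erspan_base_hdr { uint8_t b[4]; };
#define ERSPAN_VER(h) ((h)->b[0] >> 4)

/* Model of an sk_buff: the linear area starts at head, parsing starts at
 * data, and frag holds bytes that are not yet linear (page fragments). */
struct skb_model {
	unsigned char *head;
	unsigned char *data;
	size_t len;                 /* linear bytes available from data */
	const unsigned char *frag;
	size_t frag_len;
};

/* Stand-in for pskb_may_pull(): make at least 'len' bytes from data
 * linear. Returns 1 on success, 0 if the packet is too short. As in the
 * kernel, success may move head (here it always does), so any pointer
 * into the old linear area is stale afterwards. */
static int may_pull(struct skb_model *skb, size_t len)
{
	if (len <= skb->len)
		return 1;
	if (len - skb->len > skb->frag_len)
		return 0;
	size_t off = skb->data - skb->head;
	size_t take = len - skb->len;
	unsigned char *nh = malloc(off + skb->len + take);
	memcpy(nh, skb->head, off + skb->len);
	memcpy(nh + off + skb->len, skb->frag, take);
	free(skb->head);
	skb->head = nh;
	skb->data = nh + off;
	skb->len += take;
	skb->frag += take;
	skb->frag_len -= take;
	return 1;
}

/* Build a model skb from constructed packet bytes: the first 'linear'
 * bytes go into the linear area, data points data_off bytes into it
 * (the outer IP header is already parsed), the rest stays a fragment. */
static void skb_build(struct skb_model *skb, const unsigned char *pkt,
		      size_t pkt_len, size_t data_off, size_t linear)
{
	skb->head = malloc(linear);
	memcpy(skb->head, pkt, linear);
	skb->data = skb->head + data_off;
	skb->len = linear - data_off;
	skb->frag = pkt + linear;
	skb->frag_len = pkt_len - linear;
}

/* Model of the patched erspan_rcv() else-branch: pull the GRE header plus
 * the ERSPAN base header before reading ver, then re-derive the outer
 * header pointer because the pull may have reallocated head. */
static int erspan_rcv_model(struct skb_model *skb, size_t gre_hdr_len,
			    const unsigned char **iph, uint8_t *ver)
{
	const struct erspan_base_hdr *ershdr;

	*iph = skb->head;           /* outer IPv4 header sits at head */
	if (!may_pull(skb, gre_hdr_len + sizeof(*ershdr)))
		return PACKET_REJECT;
	*iph = skb->head;           /* reload: head may have moved */
	ershdr = (const struct erspan_base_hdr *)(skb->data + gre_hdr_len);
	*ver = ERSPAN_VER(ershdr);
	return PACKET_RCVD;
}

/* Constructed packet: 20-byte outer IPv4 header (proto 47 = GRE), 8-byte
 * GRE header (K flag, proto 0x88be, key), 4-byte ERSPAN v1 base header. */
static const unsigned char PKT[] = {
	0x45, 0x00, 0x00, 0x20, 0, 0, 0, 0, 64, 47, 0, 0,
	10, 0, 0, 1, 10, 0, 0, 2,
	0x20, 0x00, 0x88, 0xbe, 0x00, 0x00, 0x00, 0x2a,
	0x10, 0x00, 0x00, 0x01,
};

/* Only outer + GRE header linear, ERSPAN header in the fragment: the pull
 * succeeds, ver reads as 1, and head moved, so the reload was required. */
static int scenario_fragmented(void)
{
	struct skb_model skb;
	const unsigned char *iph; uint8_t ver = 0;
	skb_build(&skb, PKT, sizeof(PKT), 20, 28);
	const unsigned char *old_head = skb.head;
	int rc = erspan_rcv_model(&skb, 8, &iph, &ver);
	int ok = rc == PACKET_RCVD && ver == 1 && iph == skb.head && iph != old_head;
	free(skb.head);
	return ok;
}

/* Packet that ends after the GRE header, so no ERSPAN header exists at
 * all: the check rejects it instead of reading past the linear area. */
static int scenario_truncated(void)
{
	struct skb_model skb;
	const unsigned char *iph; uint8_t ver = 0;
	skb_build(&skb, PKT, 28, 20, 28);
	int rc = erspan_rcv_model(&skb, 8, &iph, &ver);
	free(skb.head);
	return rc == PACKET_REJECT;
}
```

The two scenarios cover the two things the patch and the reply are about: the pull rejects a packet whose ERSPAN base header is not there, and when it does pull bytes in, every pointer computed before the call (iph in erspan_rcv) has to be re-derived from the new skb->head.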
