lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1394611.1686700788@warthog.procyon.org.uk>
Date:   Wed, 14 Jun 2023 00:59:48 +0100
From:   David Howells <dhowells@...hat.com>
To:     syzbot <syzbot+d8486855ef44506fd675@...kaller.appspotmail.com>
Cc:     dhowells@...hat.com, bpf@...r.kernel.org, davem@...emloft.net,
        dsahern@...nel.org, edumazet@...gle.com, kuba@...nel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        pabeni@...hat.com, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [net?] KASAN: stack-out-of-bounds Read in skb_splice_from_iter

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git main

commit b49195695a78f1fb56ecbfd3c3fd14dbe6844088
Author: David Howells <dhowells@...hat.com>
Date:   Wed Jun 14 00:14:32 2023 +0100

    ip, ip6: Handle splice to raw and ping sockets
    
    Splicing to SOCK_RAW sockets may set MSG_SPLICE_PAGES, but in such a case,
    __ip_append_data() will call skb_splice_from_iter() to access the 'from'
    data, assuming it to point to a msghdr struct with an iter, instead of
    using the provided getfrag function to access it.
    
    In the case of raw_sendmsg(), however, this is not the case and 'from' will
    point to a raw_frag_vec struct and raw_getfrag() will be the frag-getting
    function.  A similar issue may occur with rawv6_sendmsg().
    
    Fix this by ignoring MSG_SPLICE_PAGES if getfrag != ip_generic_getfrag as
    ip_generic_getfrag() expects "from" to be a msghdr*, but the other getfrags
    don't.  Note that this will prevent MSG_SPLICE_PAGES from being effective
    for udplite.
    
    This likely affects ping sockets too.  udplite looks like it should be okay
    as it expects "from" to be a msghdr.
    
    Signed-off-by: David Howells <dhowells@...hat.com>
    Reported-by: syzbot+d8486855ef44506fd675@...kaller.appspotmail.com
    Link: https://lore.kernel.org/r/000000000000ae4cbf05fdeb8349@google.com/
    Fixes: 2dc334f1a63a ("splice, net: Use sendmsg(MSG_SPLICE_PAGES) rather than ->sendpage()")
    cc: Willem de Bruijn <willemdebruijn.kernel@...il.com>
    cc: David Ahern <dsahern@...nel.org>
    cc: "David S. Miller" <davem@...emloft.net>
    cc: Eric Dumazet <edumazet@...gle.com>
    cc: Jakub Kicinski <kuba@...nel.org>
    cc: Paolo Abeni <pabeni@...hat.com>
    cc: Jens Axboe <axboe@...nel.dk>
    cc: Matthew Wilcox <willy@...radead.org>
    cc: netdev@...r.kernel.org

diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 244fb9365d87..4b39ea99f00b 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1040,7 +1040,8 @@ static int __ip_append_data(struct sock *sk,
 	} else if ((flags & MSG_SPLICE_PAGES) && length) {
 		if (inet->hdrincl)
 			return -EPERM;
-		if (rt->dst.dev->features & NETIF_F_SG)
+		if (rt->dst.dev->features & NETIF_F_SG &&
+		    getfrag == ip_generic_getfrag)
 			/* We need an empty buffer to attach stuff to */
 			paged = true;
 		else
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index c722cb881b2d..dd845139882c 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1592,7 +1592,8 @@ static int __ip6_append_data(struct sock *sk,
 	} else if ((flags & MSG_SPLICE_PAGES) && length) {
 		if (inet_sk(sk)->hdrincl)
 			return -EPERM;
-		if (rt->dst.dev->features & NETIF_F_SG)
+		if (rt->dst.dev->features & NETIF_F_SG &&
+		    getfrag == ip_generic_getfrag)
 			/* We need an empty buffer to attach stuff to */
 			paged = true;
 		else

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ