| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CANn89iJeh5wCRpiBBBucmJXRdTb=DbOjXTHtEm1rOpvq=dGgvQ@mail.gmail.com>
Date: Tue, 17 Dec 2024 06:42:22 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: Mazin Al Haddad <mazin@...state.dev>
Cc: davem@...emloft.net, dsahern@...nel.org, kuba@...nel.org,
pabeni@...hat.com, horms@...nel.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
syzbot+6023ea32e206eef7920a@...kaller.appspotmail.com
Subject: Re: [PATCH] ip6_tunnel: Fix uninit-value in ip6_tnl_xmit
On Tue, Dec 17, 2024 at 4:09 AM Mazin Al Haddad <mazin@...state.dev> wrote:
>
> When taking the branch with skb_realloc_headroom, pskb_expand_head is
> called, as such, pointers referencing content within the new skb's header
> are invalid. Currently, the assignment of hop_limit accesses the now
> invalid pointer in the network header of this "new" skb. Fix this by
> moving the logic to assign hop_limit earlier so that the assignment
> references the original un-resized skb instead.
Unfortunately this is not fixing anything.
If the IPv6 header was in the skb head before skb_realloc_headroom()
and/or pskb_expand_head(),
it would be copied in the new skb head.
Note how the repro is sending a packet with vlan tag (88A8 : ETH_P_8021AD)
endto$packet(r0, &(0x7f0000000180)="a6bea8a120e5f8320c30ce5088a8",
0x12, 0x0, &(0x7f0000000140)={0x11, 0x0, r3, 0x1, 0x0, 0x6, @local},
0x14)
Current code, using pskb_inet_may_pull() is not ready yet.
My patch has been tested by syzbot and I was about to submit it.
diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 235808cfec705032b545d6f396f8e58f4693e8d8..c4f0383a136cf5f5e6846293078ec8b826c754c9
100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -910,7 +910,7 @@ static netdev_tx_t ip6gre_tunnel_xmit(struct sk_buff *skb,
__be16 payload_protocol;
int ret;
- if (!pskb_inet_may_pull(skb))
+ if (!skb_vlan_inet_prepare(skb, false))
goto tx_err;
if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
@@ -958,7 +958,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct
sk_buff *skb,
__u32 mtu;
int nhoff;
- if (!pskb_inet_may_pull(skb))
+ if (!skb_vlan_inet_prepare(skb, false))
goto tx_err;
if (!ip6_tnl_xmit_ctl(t, &t->parms.laddr, &t->parms.raddr))
Powered by blists - more mailing lists