| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20170517.145730.76726417606716563.davem@davemloft.net> Date: Wed, 17 May 2017 14:57:30 -0400 (EDT) From: David Miller <davem@...emloft.net> To: kraigatgoog@...il.com Cc: andreyknvl@...gle.com, netdev@...r.kernel.org Subject: Re: [PATCH net-next] ipv6: Prevent overrun when parsing v6 header options From: Craig Gallek <kraigatgoog@...il.com> Date: Tue, 16 May 2017 14:36:23 -0400 > From: Craig Gallek <kraig@...gle.com> > > The KASAN warning repoted below was discovered with a syzkaller > program. The reproducer is basically: > int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); > send(s, &one_byte_of_data, 1, MSG_MORE); > send(s, &more_than_mtu_bytes_data, 2000, 0); > > The socket() call sets the nexthdr field of the v6 header to > NEXTHDR_HOP, the first send call primes the payload with a non zero > byte of data, and the second send call triggers the fragmentation path. > > The fragmentation code tries to parse the header options in order > to figure out where to insert the fragment option. Since nexthdr points > to an invalid option, the calculation of the size of the network header > can made to be much larger than the linear section of the skb and data > is read outside of it. > > This fix makes ip6_find_1stfrag return an error if it detects > running out-of-bounds. ... > Reported-by: Andrey Konovalov <andreyknvl@...gle.com> > Signed-off-by: Craig Gallek <kraig@...gle.com> Since this is a reasonably serious bug I'm going to apply this to 'net' and queue it up for -stable. Thanks.
Powered by blists - more mailing lists