| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 22 Jul 2018 18:43:31 -0700
From: Eric Dumazet <eric.dumazet@...il.com>
To: Willem de Bruijn <willemdebruijn.kernel@...il.com>,
netdev@...r.kernel.org
Cc: davem@...emloft.net, Willem de Bruijn <willemb@...gle.com>
Subject: Re: [PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond
headlen
On 07/22/2018 05:43 PM, Willem de Bruijn wrote:
> From: Willem de Bruijn <willemb@...gle.com>
>
> Syzbot reported a read beyond the end of the skb head when returning
> IPV6_ORIGDSTADDR:
>
> BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
> CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x185/0x1d0 lib/dump_stack.c:113
> kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
> kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
> kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
> copy_to_user include/linux/uaccess.h:184 [inline]
> put_cmsg+0x5ef/0x860 net/core/scm.c:242
> ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
> ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
> rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
> [..]
>
> This logic and its ipv4 counterpart read the destination port from
> the packet at skb_transport_offset(skb) + 4.
>
> With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
> packet that stores headers exactly up to skb_transport_offset(skb) in
> the head and the remainder in a frag.
>
> Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of
> skb->len when trying to access this field.
>
> Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
> Reported-by: syzbot+9adb4b567003cac781f0@...kaller.appspotmail.com
> Signed-off-by: Willem de Bruijn <willemb@...gle.com>
> ---
> net/ipv4/ip_sockglue.c | 2 +-
> net/ipv6/datagram.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index 64c76dcf7386..5f228d641d9b 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb)
> const struct iphdr *iph = ip_hdr(skb);
> __be16 *ports = (__be16 *)skb_transport_header(skb);
>
> - if (skb_transport_offset(skb) + 4 > (int)skb->len)
> + if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb))
> return;
>
This really should call pskb_may_pull() or skb_header_pointer().
Powered by blists - more mailing lists