| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 May 2019 10:23:27 -0700
From: Gregory Rose <gvrose8192@...il.com>
To: William Tu <u9012063@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCHv2 net] net: ip6_gre: access skb data after skb_cow_head()
On 5/30/2019 9:59 AM, William Tu wrote:
> When increases the headroom, skb's data pointer might get re-allocated.
> As a result, the skb->data before the skb_cow_head becomes a dangling pointer,
> and dereferences to daddr causes general protection fault at the following
> line in __gre6_xmit():
>
> if (dev->header_ops && dev->type == ARPHRD_IP6GRE)
> fl6->daddr = ((struct ipv6hdr *)skb->data)->daddr;
>
> general protection fault: 0000 [#1] SMP PTI
> OE 4.15.0-43-generic #146-Ubuntu
> Hardware name: VMware, Inc. VMware Virtual Platform 440BX Desktop Reference
> Platform, BIOS 6.00 07/03/2018
> RIP: 0010: __gre6_xmit+0x11f/0x2c0 [openvswitch]
> RSP: 0018:ffffb8d5c44df6a8 EFLAGS: 00010286
> RAX: 00000000ffffffea RBX: ffff8b1528a0000 RCX: 0000000000000036
> RDX: ffff000000000000 RSI: 0000000000000000 RDI: ffff8db267829200
> RBP: ffffb8d5c44df 700 R08: 0000000000005865 RĂ˜9: ffffb8d5c44df724
> R10: 0000000000000002 R11: 0000000000000000 R12: ffff8db267829200
> R13: 0000000000000000 R14: ffffb8d5c44df 728 R15: 00000000ffffffff
> FS: 00007f8744df 2700(0000) GS:ffff8db27fc0000000000) knlGS:0000000000000000
> CS: 0910 DS: 0000 ES: 9000 CRO: 0000000080050033
> CR2: 00007f893ef92148 CR3: 0000000400462003 CR4: 00000000001626f8
> Call Trace:
> ip6gre_tunnel_xmit+0x1cc/0x530 [openvswitch]
> ? skb_clone+0x58/0xc0
> __ip6gre_tunnel_xmit+0x12/0x20 [openvswitch]
> ovs_vport_send +0xd4/0x170 [openvswitch]
> do_output+0x53/0x160 [openvswitch]
> do_execute_actions+0x9a1/0x1880 [openvswitch]
>
> Fix it by moving skb_cow_head before accessing the skb->data pointer.
>
> Fixes: 01b8d064d58b4 ("net: ip6_gre: Request headroom in __gre6_xmit()")
> Reported-by: Haichao Ma <haichaom@...are.com>
> Signed-off-by: William Tu <u9012063@...il.com>
> ---
> v1-v2: add more details in commit message.
> ---
> net/ipv6/ip6_gre.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
> index 655e46b227f9..90b2b129b105 100644
> --- a/net/ipv6/ip6_gre.c
> +++ b/net/ipv6/ip6_gre.c
> @@ -714,6 +714,9 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
> struct ip6_tnl *tunnel = netdev_priv(dev);
> __be16 protocol;
>
> + if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
> + return -ENOMEM;
> +
> if (dev->type == ARPHRD_ETHER)
> IPCB(skb)->flags = 0;
>
> @@ -722,9 +725,6 @@ static netdev_tx_t __gre6_xmit(struct sk_buff *skb,
> else
> fl6->daddr = tunnel->parms.raddr;
>
> - if (skb_cow_head(skb, dev->needed_headroom ?: tunnel->hlen))
> - return -ENOMEM;
> -
> /* Push GRE header. */
> protocol = (dev->type == ARPHRD_ETHER) ? htons(ETH_P_TEB) : proto;
>
Tested-by: Greg Rose <gvrose8192@...il.com>
Reviewed-by: Greg Rose <gvrose8192@...il.com>
Powered by blists - more mailing lists