lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 12 Oct 2019 09:56:53 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     Jiri Benc <jbenc@...hat.com>
Cc:     bpf <bpf@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        Peter Oskolkov <posk@...gle.com>,
        Stanislav Fomichev <sdf@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>
Subject: Re: [PATCH bpf] bpf: lwtunnel: fix reroute supplying invalid dst

On Wed, Oct 9, 2019 at 1:31 AM Jiri Benc <jbenc@...hat.com> wrote:
>
> The dst in bpf_input() has lwtstate field set. As it is of the
> LWTUNNEL_ENCAP_BPF type, lwtstate->data is struct bpf_lwt. When the bpf
> program returns BPF_LWT_REROUTE, ip_route_input_noref is directly called on
> this skb. This causes invalid memory access, as ip_route_input_slow calls
> skb_tunnel_info(skb) that expects the dst->lwstate->data to be
> struct ip_tunnel_info. This results to struct bpf_lwt being accessed as
> struct ip_tunnel_info.
>
> Drop the dst before calling the IP route input functions (both for IPv4 and
> IPv6).
>
> Reported by KASAN.
>
> Fixes: 3bd0b15281af ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c")
> Cc: Peter Oskolkov <posk@...gle.com>
> Signed-off-by: Jiri Benc <jbenc@...hat.com>

Peter and other google folks,
please review.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ