| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <66463e26-8564-9f58-ce41-9a2843891d1a@kernel.org>
Date: Tue, 8 Mar 2022 11:18:18 -0700
From: David Ahern <dsahern@...nel.org>
To: Tadeusz Struk <tadeusz.struk@...aro.org>,
David Laight <David.Laight@...LAB.COM>,
"davem@...emloft.net" <davem@...emloft.net>
Cc: Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"syzbot+e223cf47ec8ae183f2a0@...kaller.appspotmail.com"
<syzbot+e223cf47ec8ae183f2a0@...kaller.appspotmail.com>
Subject: Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data
On 3/8/22 8:43 AM, Tadeusz Struk wrote:
> Hi David,
> On 3/7/22 18:58, David Laight wrote:
>>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>>> index 4788f6b37053..622345af323e 100644
>>> --- a/net/ipv6/ip6_output.c
>>> +++ b/net/ipv6/ip6_output.c
>>> @@ -1629,6 +1629,13 @@ static int __ip6_append_data(struct sock *sk,
>>> err = -EINVAL;
>>> goto error;
>>> }
>>> + if (unlikely(alloclen < fraglen)) {
>>> + if (printk_ratelimit())
>>> + pr_warn("%s: wrong alloclen: %d, fraglen: %d",
>>> + __func__, alloclen, fraglen);
>>> + alloclen = fraglen;
>>> + }
>>> +
>> Except that is a valid case, see a few lines higher:
>>
>> alloclen = min_t(int, fraglen, MAX_HEADER);
>> pagedlen = fraglen - alloclen;
>>
>> You need to report the input values that cause the problem later on.
>
> OK, but in this case it falls into the first if block:
> https://elixir.bootlin.com/linux/v5.17-rc7/source/net/ipv6/ip6_output.c#L1606
>
> where alloclen is assigned the value of mtu.
> The values in this case are just before the alloc_skb() are:
>
> alloclen = 1480
> alloc_extra = 136
> datalen = 64095
> fragheaderlen = 1480
> fraglen = 65575
> transhdrlen = 0
> mtu = 1480
>
Does this solve the problem (whitespace damaged on paste, but it is just
a code move and removing fraglen getting set twice):
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index e69fac576970..59f036241f1b 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1589,6 +1589,15 @@ static int __ip6_append_data(struct sock *sk,
if (datalen > (cork->length <= mtu &&
!(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
datalen = maxfraglen - fragheaderlen -
rt->dst.trailer_len;
+
+ if (datalen != length + fraggap) {
+ /*
+ * this is not the last fragment, the
trailer
+ * space is regarded as data space.
+ */
+ datalen += rt->dst.trailer_len;
+ }
+
fraglen = datalen + fragheaderlen;
pagedlen = 0;
@@ -1615,16 +1624,6 @@ static int __ip6_append_data(struct sock *sk,
}
alloclen += alloc_extra;
- if (datalen != length + fraggap) {
- /*
- * this is not the last fragment, the
trailer
- * space is regarded as data space.
- */
- datalen += rt->dst.trailer_len;
- }
-
- fraglen = datalen + fragheaderlen;
-
copy = datalen - transhdrlen - fraggap - pagedlen;
if (copy < 0) {
err = -EINVAL;
Powered by blists - more mailing lists