| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Mar 2022 11:46:07 -0800
From: Tadeusz Struk <tadeusz.struk@...aro.org>
To: David Ahern <dsahern@...nel.org>,
David Laight <David.Laight@...LAB.COM>,
"davem@...emloft.net" <davem@...emloft.net>
Cc: Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
Jakub Kicinski <kuba@...nel.org>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <kafai@...com>,
Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
John Fastabend <john.fastabend@...il.com>,
KP Singh <kpsingh@...nel.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"stable@...r.kernel.org" <stable@...r.kernel.org>,
"syzbot+e223cf47ec8ae183f2a0@...kaller.appspotmail.com"
<syzbot+e223cf47ec8ae183f2a0@...kaller.appspotmail.com>
Subject: Re: [PATCH] net: ipv6: fix invalid alloclen in __ip6_append_data
On 3/8/22 10:18, David Ahern wrote:
>> alloclen = 1480
>> alloc_extra = 136
>> datalen = 64095
>> fragheaderlen = 1480
>> fraglen = 65575
>> transhdrlen = 0
>> mtu = 1480
>>
> Does this solve the problem (whitespace damaged on paste, but it is just
> a code move and removing fraglen getting set twice):
>
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index e69fac576970..59f036241f1b 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1589,6 +1589,15 @@ static int __ip6_append_data(struct sock *sk,
>
> if (datalen > (cork->length <= mtu &&
> !(cork->flags & IPCORK_ALLFRAG) ? mtu : maxfraglen) - fragheaderlen)
> datalen = maxfraglen - fragheaderlen -
> rt->dst.trailer_len;
> +
> + if (datalen != length + fraggap) {
> + /*
> + * this is not the last fragment, the
> trailer
> + * space is regarded as data space.
> + */
> + datalen += rt->dst.trailer_len;
> + }
> +
> fraglen = datalen + fragheaderlen;
> pagedlen = 0;
>
> @@ -1615,16 +1624,6 @@ static int __ip6_append_data(struct sock *sk,
> }
> alloclen += alloc_extra;
>
> - if (datalen != length + fraggap) {
> - /*
> - * this is not the last fragment, the
> trailer
> - * space is regarded as data space.
> - */
> - datalen += rt->dst.trailer_len;
> - }
> -
> - fraglen = datalen + fragheaderlen;
> -
> copy = datalen - transhdrlen - fraggap - pagedlen;
> if (copy < 0) {
> err = -EINVAL;
That fails in the same way:
skbuff: skb_over_panic: text:ffffffff83e7b48b len:65575 put:65575
head:ffff888101f8a000 data:ffff888101f8a088 tail:0x100af end:0x6c0 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 1852 Comm: repro Not tainted 5.17.0-rc7-00020-gea4424be1688-dirty #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1.fc35
RIP: 0010:skb_panic+0x173/0x175
I'm not sure how it supposed to help since it doesn't change the alloclen at all.
I think the problem here is that the size of the allocated skb is too small.
--
Thanks,
Tadeusz
Powered by blists - more mailing lists