[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id:
<170630762611.31948.444264827561958290.git-patchwork-notify@kernel.org>
Date: Fri, 26 Jan 2024 22:20:26 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Eric Dumazet <edumazet@...gle.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
dsahern@...nel.org, netdev@...r.kernel.org, eric.dumazet@...il.com,
syzkaller@...glegroups.com
Subject: Re: [PATCH net] ip6_tunnel: make sure to pull inner header in
__ip6_tnl_rcv()
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@...nel.org>:
On Thu, 25 Jan 2024 17:05:57 +0000 you wrote:
> syzbot found __ip6_tnl_rcv() could access unitiliazed data [1].
>
> Call pskb_inet_may_pull() to fix this, and initialize ipv6h
> variable after this call as it can change skb->head.
>
> [1]
> BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
> BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
> BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
> __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
> INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
> IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
> ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727
> __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845
> ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888
> gre_rcv+0x143f/0x1870
> ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
> ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
> ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
> dst_input include/net/dst.h:461 [inline]
> ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
> NF_HOOK include/linux/netfilter.h:314 [inline]
> ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
> __netif_receive_skb_one_core net/core/dev.c:5532 [inline]
> __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
> netif_receive_skb_internal net/core/dev.c:5732 [inline]
> netif_receive_skb+0x58/0x660 net/core/dev.c:5791
> tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
> tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
> tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
> call_write_iter include/linux/fs.h:2084 [inline]
> new_sync_write fs/read_write.c:497 [inline]
> vfs_write+0x786/0x1200 fs/read_write.c:590
> ksys_write+0x20f/0x4c0 fs/read_write.c:643
> __do_sys_write fs/read_write.c:655 [inline]
> __se_sys_write fs/read_write.c:652 [inline]
> __x64_sys_write+0x93/0xd0 fs/read_write.c:652
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x63/0x6b
>
> [...]
Here is the summary with links:
- [net] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
https://git.kernel.org/netdev/net/c/8d975c15c0cd
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Powered by blists - more mailing lists