lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: 
 <170630762611.31948.444264827561958290.git-patchwork-notify@kernel.org>
Date: Fri, 26 Jan 2024 22:20:26 +0000
From: patchwork-bot+netdevbpf@...nel.org
To: Eric Dumazet <edumazet@...gle.com>
Cc: davem@...emloft.net, kuba@...nel.org, pabeni@...hat.com,
 dsahern@...nel.org, netdev@...r.kernel.org, eric.dumazet@...il.com,
 syzkaller@...glegroups.com
Subject: Re: [PATCH net] ip6_tunnel: make sure to pull inner header in
 __ip6_tnl_rcv()

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@...nel.org>:

On Thu, 25 Jan 2024 17:05:57 +0000 you wrote:
> syzbot found __ip6_tnl_rcv() could access unitiliazed data [1].
> 
> Call pskb_inet_may_pull() to fix this, and initialize ipv6h
> variable after this call as it can change skb->head.
> 
> [1]
>  BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
>  BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
>  BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
>   __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
>   INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
>   IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
>   ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727
>   __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845
>   ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888
>  gre_rcv+0x143f/0x1870
>   ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
>   ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
>   NF_HOOK include/linux/netfilter.h:314 [inline]
>   ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
>   ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
>   dst_input include/net/dst.h:461 [inline]
>   ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
>   NF_HOOK include/linux/netfilter.h:314 [inline]
>   ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
>   __netif_receive_skb_one_core net/core/dev.c:5532 [inline]
>   __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
>   netif_receive_skb_internal net/core/dev.c:5732 [inline]
>   netif_receive_skb+0x58/0x660 net/core/dev.c:5791
>   tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
>   tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
>   tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
>   call_write_iter include/linux/fs.h:2084 [inline]
>   new_sync_write fs/read_write.c:497 [inline]
>   vfs_write+0x786/0x1200 fs/read_write.c:590
>   ksys_write+0x20f/0x4c0 fs/read_write.c:643
>   __do_sys_write fs/read_write.c:655 [inline]
>   __se_sys_write fs/read_write.c:652 [inline]
>   __x64_sys_write+0x93/0xd0 fs/read_write.c:652
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
>  entry_SYSCALL_64_after_hwframe+0x63/0x6b
> 
> [...]

Here is the summary with links:
  - [net] ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
    https://git.kernel.org/netdev/net/c/8d975c15c0cd

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ