Message-ID: <CANn89iKU=5ht9u398f5cK=eEb_SVCJHQeah0yV8oqO1nrKNK5Q@mail.gmail.com>
Date: Thu, 28 Mar 2024 12:12:31 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: "David S . Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>
Cc: netdev@...r.kernel.org, eric.dumazet@...il.com,
syzbot+1c1cf138518bf0c53d68@...kaller.appspotmail.com,
Lorenzo Bianconi <lorenzo@...nel.org>
Subject: Re: [PATCH net] erspan: make sure erspan_base_hdr is present in skb->head
On Thu, Mar 28, 2024 at 12:09 PM Eric Dumazet <edumazet@...gle.com> wrote:
>
> syzbot reported a problem in ip6erspan_rcv() [1]
>
> Issue is that ip6erspan_rcv() (and erspan_rcv()) no longer make
> sure erspan_base_hdr is present in skb linear part (skb->head)
> before getting @ver field from it.
>
> Add the missing pskb_may_pull() calls.
>
> [1]
>
>
> CPU: 1 PID: 5045 Comm: syz-executor114 Not tainted 6.9.0-rc1-syzkaller-00021-g962490525cff #0
>
> Fixes: cb73ee40b1b3 ("net: ip_gre: use erspan key field for tunnel lookup")
> Reported-by: syzbot+1c1cf138518bf0c53d68@...kaller.appspotmail.com
> Closes: https://lore.kernel.org/netdev/000000000000772f2c0614b66ef7@google.com/
> Signed-off-by: Eric Dumazet <edumazet@...gle.com>
> Cc: Lorenzo Bianconi <lorenzo@...nel.org>
> ---
> net/ipv4/ip_gre.c | 4 ++++
> net/ipv6/ip6_gre.c | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
> index 7b16c211b904473cc5e350aafdefb86fbf1b3693..56982d6fb0cd6c39a0e769e130fd47460873b0d4 100644
> --- a/net/ipv4/ip_gre.c
> +++ b/net/ipv4/ip_gre.c
> @@ -280,6 +280,10 @@ static int erspan_rcv(struct sk_buff *skb, struct tnl_ptk_info *tpi,
> tpi->flags | TUNNEL_NO_KEY,
> iph->saddr, iph->daddr, 0);
> } else {
> + if (unlikely(!pskb_may_pull(skb,
> + gre_hdr_len + sizeof(*ershdr))))
> + return PACKET_REJECT;
Sorry, I have to reload iph at this point, I will send a v2.
> +
> ershdr = (struct erspan_base_hdr *)(skb->data + gre_hdr_len);
> ver = ershdr->ver;
> tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex,
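Review bot: in the else branch of erspan_rcv(), iph is not reloaded after the new pskb_may_pull(), which can reallocate skb->head and leave the earlier iph pointer dangling. If the ip_tunnel_lookup() call that follows passes iph->saddr and iph->daddr as the other branch does, it would read through a stale pointer. Add `iph = ip_hdr(skb);` directly after the pull succeeds, before ershdr is derived from skb->data. The author's inline reply raises the same point and announces a v2.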
> diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
> index ca7e77e842835a6d153891fdca7dc8f196e0a2ba..c89aef524df9a2039d223fd2dd7566a9e1f7d3f4 100644
> --- a/net/ipv6/ip6_gre.c
> +++ b/net/ipv6/ip6_gre.c
> @@ -528,6 +528,9 @@ static int ip6erspan_rcv(struct sk_buff *skb,
> struct ip6_tnl *tunnel;
> u8 ver;
>
> + if (unlikely(!pskb_may_pull(skb, sizeof(*ershdr))))
> + return PACKET_REJECT;
> +
> ipv6h = ipv6_hdr(skb);
> ershdr = (struct erspan_base_hdr *)skb->data;
> ver = ershdr->ver;
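Review bot: the pull length in ip6erspan_rcv() is sizeof(*ershdr) with no gre_hdr_len term, unlike the erspan_rcv() hunk, and nothing in the hunk says why. The difference is consistent with how each function derives ershdr (skb->data here, skb->data + gre_hdr_len in the IPv4 path), but a one-line comment stating that skb->data already points at the ERSPAN base header would save readers from cross-checking the two files. The placement itself is fine: ipv6h and ershdr are both assigned after the pull, so neither can point into a reallocated head.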
> --
> 2.44.0.396.g6e790dbe36-goog
>