mirror
/
linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
linux/net
History
Eric Dumazet d89d7ff012 ipv6: ensure sane device mtu in tunnels 
Another syzbot report [1] with no reproducer hints
at a bug in ip6_gre tunnel (dev:ip6gretap0)

Since ipv6 mcast code makes sure to read dev->mtu once
and applies a sanity check on it (see commit b9b312a7a4
"ipv6: mcast: better catch silly mtu values"), a remaining
possibility is that a layer is able to set dev->mtu to
an underflowed value (high order bit set).

This could happen indeed in ip6gre_tnl_link_config_route(),
ip6_tnl_link_config() and ipip6_tunnel_bind_dev()

Make sure to sanitize mtu value in a local variable before
it is written once on dev->mtu, as lockless readers could
catch wrong temporary value.

[1]
skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:120
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: mld mld_ifc_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
sp : ffff800020dd3b60
x29: ffff800020dd3b70 x28: 0000000000000000 x27: ffff00010df2a800
x26: 00000000000000c0 x25: 00000000000000b0 x24: ffff000149dcf200
x23: 00000000000000c0 x22: 00000000000000d8 x21: ffff80000b7a2f38
x20: ffff00014c2f7800 x19: 0000000000000028 x18: 00000000000001a9
x17: 0000000000000000 x16: ffff80000db49158 x15: ffff000113bf1a80
x14: 0000000000000000 x13: 00000000ffffffff x12: ffff000113bf1a80
x11: ff808000081c0d5c x10: 0000000000000000 x9 : 73f125dc5c63ba00
x8 : 73f125dc5c63ba00 x7 : ffff800008161d1c x6 : 0000000000000000
x5 : 0000000000000080 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0001fefddcd0 x1 : 0000000100000000 x0 : 0000000000000089
Call trace:
skb_panic+0x4c/0x50 net/core/skbuff.c:116
skb_over_panic net/core/skbuff.c:125 [inline]
skb_put+0xd4/0xdc net/core/skbuff.c:2049
ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)

Fixes: c12b395a46 ("gre: Support GRE over IPv6")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20221024020124.3756833-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 		2022-10-25 16:04:22 -07:00
..
6lowpan
9p net/9p: clarify trans_fd parse_opt failure handling 2022-10-07 21:23:09 +09:00
802 treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
8021q net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
appletalk
atm net/atm: fix proc_mpc_write incorrect return value 2022-10-15 11:08:36 +01:00
ax25 ax25: move from strlcpy with unused retval to strscpy 2022-08-22 17:55:50 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-09-22 13:02:10 -07:00
bluetooth Driver core changes for 6.1-rc1 2022-10-07 17:04:10 -07:00
bpf selftests/bpf: Add tests for kfunc returning a memory pointer 2022-09-07 11:05:17 -07:00
bpfilter
bridge net: bridge: assign path_cost for 2.5G and 5G link speed 2022-09-30 12:35:29 +01:00
caif caif: move from strlcpy with unused retval to strscpy 2022-08-22 17:57:35 -07:00
can can: bcm: check the result of can_send() in bcm_can_tx() 2022-09-23 13:53:10 +02:00
ceph Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
core net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed 2022-10-24 12:40:06 +01:00
dcb
dccp treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
dns_resolver
dsa net: dsa: uninitialized variable in dsa_slave_netdevice_event() 2022-10-15 11:15:27 +01:00
ethernet net: gro: skb_gro_header helper function 2022-08-25 10:33:21 +02:00
ethtool ethtool: eeprom: fix null-deref on genl_info in dump 2022-10-24 19:08:07 -07:00
hsr net: hsr: avoid possible NULL deref in skb_clone() 2022-10-18 19:18:27 -07:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-10-07 09:29:17 +02:00
ife
ipv4 Including fixes from bpf. 2022-10-24 12:43:51 -07:00
ipv6 ipv6: ensure sane device mtu in tunnels 2022-10-25 16:04:22 -07:00
iucv
kcm kcm: annotate data-races around kcm->rx_wait 2022-10-24 10:57:55 +01:00
key Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2022-08-24 12:51:50 +01:00
l2tp genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
l3mdev
lapb
llc
mac80211 Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
mac802154 mac802154: Fix LQI recording 2022-10-24 11:07:39 +02:00
mctp mctp: prevent double key removal and unref 2022-10-12 13:30:50 +01:00
mpls net: Use u64_stats_fetch_begin_irq() for stats fetch. 2022-08-29 13:02:27 +01:00
mptcp mptcp: fix abba deadlock on fastopen 2022-10-24 21:13:56 -07:00
ncsi genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netfilter Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
netlabel genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink genetlink: piggy back on resv_op to default to a reject policy 2022-10-24 19:08:46 -07:00
netrom
nfc NFC: hci: Split memcpy() of struct hcp_message flexible array 2022-09-27 07:45:18 -07:00
nsh
openvswitch Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
packet treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
phonet
psample genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
qrtr net: qrtr: start MHI channel after endpoit creation 2022-08-15 11:21:42 +01:00
rds treewide: use get_random_{u8,u16}() when possible, part 2 2022-10-11 17:42:58 -06:00
rfkill
rose rose: check NULL rose_loopback_neigh->loopback 2022-08-22 14:24:54 +01:00
rxrpc rxrpc: remove rxrpc_max_call_lifetime declaration 2022-09-19 17:58:47 -07:00
sched Networking fixes for 6.1-rc2, including fixes from netfilter 2022-10-20 17:24:59 -07:00
sctp treewide: use get_random_{u8,u16}() when possible, part 1 2022-10-11 17:42:58 -06:00
smc net/smc: Fix an error code in smc_lgr_create() 2022-10-15 11:12:12 +01:00
strparser
sunrpc Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
switchdev
tipc tipc: fix a null-ptr-deref in tipc_topsrv_accept 2022-10-20 21:08:17 -07:00
tls tls: strp: make sure the TCP skbs do not have overlapping data 2022-10-14 08:25:26 +01:00
unix Random number generator fixes for Linux 6.1-rc1. 2022-10-16 15:27:07 -07:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
wireless Merge branch 'cve-fixes-2022-10-13' 2022-10-13 11:59:56 +02:00
x25 net/x25: fix call timeouts in blocking connects 2022-08-08 20:48:51 -07:00
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-10-03 17:44:18 -07:00
xfrm treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
Kconfig Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
Kconfig.debug net: make NET_(DEV|NS)_REFCNT_TRACKER depend on NET 2022-09-20 14:23:56 -07:00
Makefile Remove DECnet support from kernel 2022-08-22 14:26:30 +01:00
compat.c net: clear msg_get_inq in __get_compat_msghdr() 2022-09-20 08:23:20 -07:00
devres.c
socket.c d_path pile 2022-10-06 16:55:41 -07:00
sysctl_net.c