2021-07-07 14:09:04

by Vasily Averin

Subject: [PATCH IPV6 0/1] ipv6: allocate enough headroom in ip6_finish_output2()

Recently Syzkaller found one more issue on RHEL7-based OpenVz kernels.
During its investigation I've found that upstream is affected too.

The TEE target sends an skb with small headroom into another interface which requires
an increased headroom.

ipv4 handles this problem in ip_finish_output2() and creates a new skb with enough headroom,
though ip6_finish_output2() lacks this logic.

Syzkaller created a C reproducer; it can be found in the attachment.
It does not work per se on original upstream kernels due to more strict iptables
rules validation in xt_check_table_hooks. To trigger the problem upstream
I needed to disable check_hooks in xt_check_table_hooks(),
via an additional patch or via a systemtap script.
However, I think valid iptables rules can be created too.

Vasily Averin (1):
ipv6: allocate enough headroom in ip6_finish_output2()

net/ipv6/ip6_output.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)

--
1.8.3.1


Attachments:
repro.c (49.43 kB)
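
The headroom check described in the message above, as an added userspace model (not the patch, not kernel code, and not part of the original mail). The `struct pkt` type and the `pkt_*` helpers are hypothetical stand-ins for an skb and its helpers; the 2-byte headroom and 14-byte header are constructed sample values.

```c
#include <stdlib.h>
#include <string.h>

/* Userspace model of an skb: head <= data, headroom = data - head. */
struct pkt {
    unsigned char *head;  /* start of the allocation */
    unsigned char *data;  /* first byte of the packet */
    size_t len;           /* packet length in bytes */
};

static size_t pkt_headroom(const struct pkt *p) { return (size_t)(p->data - p->head); }

/* Allocate a packet with `headroom` spare bytes in front of the payload. */
static int pkt_alloc(struct pkt *p, size_t headroom, const void *payload, size_t len)
{
    p->head = malloc(headroom + len);
    if (!p->head) return -1;
    p->data = p->head + headroom;
    p->len = len;
    memcpy(p->data, payload, len);
    return 0;
}

/* Copy the packet into a new buffer with `need` bytes of headroom. */
static int pkt_realloc_headroom(struct pkt *p, size_t need)
{
    struct pkt n;
    if (pkt_alloc(&n, need, p->data, p->len) != 0) return -1;
    free(p->head);
    *p = n;
    return 0;
}

/* Prepend a link-layer header; without the check, data would move below head. */
static int pkt_output(struct pkt *p, const void *hdr, size_t hh_len)
{
    if (pkt_headroom(p) < hh_len && pkt_realloc_headroom(p, hh_len) != 0)
        return -1;  /* drop the packet rather than write before the buffer */
    p->data -= hh_len;
    p->len += hh_len;
    memcpy(p->data, hdr, hh_len);
    return 0;
}

int main(void)
{
    struct pkt p;
    unsigned char hdr[14] = {0};                    /* constructed header */
    if (pkt_alloc(&p, 2, "payload", 7)) return 1;   /* constructed small headroom */
    int rc = pkt_output(&p, hdr, sizeof hdr);
    free(p.head);
    return rc ? 1 : 0;
}
```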