From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Dumazet, syzbot, "David S. Miller"
Subject: [PATCH 3.18 17/21] net/packet: refine check for priv area size
Date: Tue, 12 Jun 2018 18:52:14 +0200
Message-Id: <20180612164826.097182019@linuxfoundation.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180612164825.401145490@linuxfoundation.org>
References: <20180612164825.401145490@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Eric Dumazet

[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]

syzbot was able to trick af_packet again [1]

Various commits tried to address the problem in the past,
but failed to take into account V3 header size.

[1]
tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106

CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
 prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
 prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
 __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
 packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
 tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
 xmit_one net/core/dev.c:3049 [inline]
 dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
 neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
 neigh_output include/net/neighbour.h:482 [inline]
 ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:277 [inline]
 ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
 ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
 addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the page:
page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80
raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                             ^
 ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/packet/af_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -3877,7 +3877,7 @@ static int packet_set_ring(struct sock * goto out; if (po->tp_version >= TPACKET_V3 && req->tp_block_size <= - BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) + BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr)) goto out; if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))
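Review bot: the new lower bound in the packet_set_ring() hunk carries no comment saying why `sizeof(struct tpacket3_hdr)` is added to `BLK_PLUS_PRIV(...)`, even though the commit message states that the earlier fixes (2b6867c2ce76, dc808110bb62) were incomplete precisely because they ignored the V3 header size; a one-line comment above the `if (po->tp_version >= TPACKET_V3 &&` check, e.g. `/* a block must hold the priv area plus at least one V3 frame header */`, would keep a future cleanup from dropping the extra term. The `+` line is also well past 80 columns once indented; breaking it after the `+` keeps checkpatch quiet without changing the expression. Note that the comparison stays `<=`, so a block exactly equal to the bound is still rejected, which matches the pre-existing semantics of the check.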
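The commit message says earlier fixes missed the V3 header size. The following is an added illustration, not code from Eric Dumazet's patch or from the kernel: it models the block-size bound that packet_set_ring() applies before and after this change, using a constructed ring request. The constants BLK_HDR_LEN and TPACKET3_HDR_LEN are assumed values for a 64-bit build (in the kernel they come from `sizeof()` on the real structures), and the helper names are this example's own. It shows why a block that passes the old bound can leave fewer bytes than one frame header, and why the u64 cast from the earlier fix still matters for a very large priv size.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this illustration only. A real build must use
 * sizeof(struct tpacket_block_desc) / sizeof(struct tpacket3_hdr) from the
 * uapi headers and V3_ALIGNMENT from net/packet/internal.h. */
#define V3_ALIGNMENT      8u
#define BLK_HDR_LEN       48u   /* assumed ALIGN(sizeof(struct tpacket_block_desc), 8) */
#define TPACKET3_HDR_LEN  48u   /* assumed sizeof(struct tpacket3_hdr) */

/* Round x up to a multiple of a (a is a power of two). Done in 64 bits so a
 * 32-bit tp_sizeof_priv close to UINT32_MAX cannot wrap, which is the point
 * of the (u64) cast introduced by commit 2b6867c2ce76. */
#define ALIGN_UP(x, a)    (((uint64_t)(x) + ((a) - 1)) & ~((uint64_t)(a) - 1))

/* Bytes of a block consumed by the block descriptor plus the user-requested
 * private area, mirroring the kernel's BLK_PLUS_PRIV() macro. */
#define BLK_PLUS_PRIV(priv) (BLK_HDR_LEN + ALIGN_UP((priv), V3_ALIGNMENT))

/* Bytes left in a block for packet frames. */
static uint64_t frame_room(uint32_t block_size, uint32_t sizeof_priv)
{
    uint64_t used = BLK_PLUS_PRIV(sizeof_priv);
    return block_size > used ? block_size - used : 0;
}

/* Bound before the patch: only the descriptor and priv area had to fit. */
static bool old_check_rejects(uint32_t block_size, uint32_t sizeof_priv)
{
    return block_size <= BLK_PLUS_PRIV(sizeof_priv);
}

/* Bound after the patch: one V3 frame header must fit as well. */
static bool new_check_rejects(uint32_t block_size, uint32_t sizeof_priv)
{
    return block_size <= BLK_PLUS_PRIV(sizeof_priv) + TPACKET3_HDR_LEN;
}

/* True when filling the first frame header would run past the block end,
 * i.e. the situation the KASAN report above describes. */
static bool first_header_overflows(uint32_t block_size, uint32_t sizeof_priv)
{
    return frame_room(block_size, sizeof_priv) < TPACKET3_HDR_LEN;
}

int main(void)
{
    /* Constructed ring request: a 4 KiB block with a priv area chosen so
     * that the old bound accepts it while only 8 bytes remain for frames. */
    uint32_t block_size = 4096;
    uint32_t sizeof_priv = 4040;

    printf("old check rejects request:     %s\n",
           old_check_rejects(block_size, sizeof_priv) ? "yes" : "no");
    printf("room left for frames:          %llu bytes (one header needs %u)\n",
           (unsigned long long)frame_room(block_size, sizeof_priv),
           TPACKET3_HDR_LEN);
    printf("first header overflows block:  %s\n",
           first_header_overflows(block_size, sizeof_priv) ? "yes" : "no");
    printf("new check rejects request:     %s\n",
           new_check_rejects(block_size, sizeof_priv) ? "yes" : "no");
    return 0;
}
```

With priv = 4040 the descriptor and priv area occupy 4088 bytes, so the old bound (4096 <= 4088) accepts the request with 8 bytes of frame room, while the new bound (4096 <= 4136) rejects it; a priv of 3992 leaves 56 bytes and passes both checks.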