Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp5591070imm; Tue, 12 Jun 2018 10:04:42 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJ7dvzYfJeLQxp6gtjNJrTN/GwdrR/N+qQGktXtLatzuaLboz7bJmYQLJ1vda/lcOpR2ELC X-Received: by 2002:a62:4c04:: with SMTP id z4-v6mr1216047pfa.205.1528823082405; Tue, 12 Jun 2018 10:04:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528823082; cv=none; d=google.com; s=arc-20160816; b=mZ2qYN9gAX9vd6T5Q7RuTptP3L71wt8xSfoaS3uzhtrv2B7dXTH7RET+jrwHsYTygK vGXLje0QW38fFkILzs6EGuM/EcYFvI0n6UtwaPv0Pno6d7WTYDhNGNtH+57jKAlNE8Gj ztJA7P3d2+iUMQv3YHe3FLzjSFDNH6LQHngSOSWnfAOorgZhDLPbX9RgC1ozNhkV82PJ VHClXusGdPQuFos3xQFrzXcyCb+rQHfLfXmo3UKwhmyRP/WyVA5MsA5Ge8b/iql9xaDg ePljCATwbMLae4IGFjvKR7t0+pJ5pi0PT5ORO5oFTXNM2VSFs1JUb3rUzORBScrHMUIT H8Ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature :arc-authentication-results; bh=HOSO5a+QYCqwvKhCjW557Dw0dY69F3xWAlXQa/Ogv3U=; b=BEJhbZMSaKBRrkYJtrHMRxKL5NX0zq+f/q5ivx5e0FodUwdtFcUJZMYdV6uZSd+a8/ Y/t7G9hO92FcbQY+jR0zQNwHZhUcbrGc4XScfoq7bI63SBXtp3Zznh8T2gv8sDN8UKFZ E47Rd5mclxQjdmlqr6fbf3fbxZItsztg1Z2B/Tqq+ldvR6pDXU3siNIPmdKrKv47xxJH jhWNTS7uOCCHno9BXrwJRYF5jp4enMHda3dBfXPUiyln8vXEVevdsmu800DDW+tg9mAI iOie6Tf4BKT+mZvC6+zYsbSCZ7LcNP/PErg67C21fxjjrCaUuLfVYFOQkSOOQL80e2e5 O4Mg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Xk1IbDpB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x70-v6si497787pfj.347.2018.06.12.10.04.27; Tue, 12 Jun 2018 10:04:42 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Xk1IbDpB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934992AbeFLRBx (ORCPT + 99 others); Tue, 12 Jun 2018 13:01:53 -0400 Received: from mail.kernel.org ([198.145.29.99]:49998 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935106AbeFLQw7 (ORCPT ); Tue, 12 Jun 2018 12:52:59 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C46E7208C0; Tue, 12 Jun 2018 16:52:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1528822379; bh=2PrHmzQ7IuEhxEJ2Ei0qia7WHFhYCx9q0IG1tXWlO6o=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Xk1IbDpBsajLqA5/iQqMd1qSLuQ+zrEtxAiNU2ueixkNWktF94jb7FoBoSkpumlND O/TEPcD0XSGVbStzKqeU659BcVweZqx9LYb5nuOi5VSihXMUlUL3aKtSNF1PbWbw87 BMZAMT2Ys9bykJ/rpYdctyyrYk4N/0ZrdByboTQU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Dumazet , syzbot , "David S. Miller" Subject: [PATCH 4.4 16/24] net/packet: refine check for priv area size Date: Tue, 12 Jun 2018 18:52:00 +0200 Message-Id: <20180612164817.407745364@linuxfoundation.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180612164816.587001852@linuxfoundation.org> References: <20180612164816.587001852@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Dumazet [ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ] syzbot was able to trick af_packet again [1] Various commits tried to address the problem in the past, but failed to take into account V3 header size. [1] tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96 BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline] BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039 Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106 CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436 prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline] prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039 __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline] packet_current_rx_frame net/packet/af_packet.c:1117 [inline] tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018 xmit_one net/core/dev.c:3049 [inline] dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358 neigh_output include/net/neighbour.h:482 [inline] ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:444 [inline] NF_HOOK include/linux/netfilter.h:288 [inline] ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491 ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633 addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279 kthread+0x345/0x410 kernel/kthread.c:240 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 The buggy address belongs to the page: page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80 flags: 0x2fffc0000000000() raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80 raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size") Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3") Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/packet/af_packet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/packet/af_packet.c +++ b/net/packet/af_packet.c @@ -4198,7 +4198,7 @@ static int packet_set_ring(struct sock * goto out; if (po->tp_version >= TPACKET_V3 && req->tp_block_size <= - BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv)) + BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + sizeof(struct tpacket3_hdr)) goto out; if (unlikely(req->tp_frame_size < po->tp_hdrlen + po->tp_reserve))