Subject: Re: [PATCH net] ipv6: Fix dangling pointer when ipv6 fragment
To: hujunwei, davem@davemloft.net, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: mingfangsen@huawei.com, liuzhiqiang26@huawei.com, zhangwenhao8@huawei.com
From: Eric Dumazet
Date: Sat, 30 Mar 2019 00:48:06 -0700
X-Mailing-List: linux-kernel@vger.kernel.org

On 03/30/2019 12:29 AM, hujunwei wrote:
> From: Junwei Hu
>
> At the beginning of ip6_fragment func, the prevhdr pointer is
> obtained in the ip6_find_1stfragopt func.
> However, all the pointers pointing into skb header may change
> when calling skb_checksum_help func with
> skb->ip_summed = CHECKSUM_PARTIAL condition.
> The prevhdr pointer will be dangling if it is not reloaded after
> calling __skb_linearize func in skb_checksum_help func.
>
> Here, I add a variable, nexthdr_offset, to evaluate the offset,
> which does not change even after calling __skb_linearize func.
>
> Fixes: 405c92f7a541 ("ipv6: add defensive check for CHECKSUM_PARTIAL skbs in ip_fragment")
> Signed-off-by: Junwei Hu
> Reported-by: Wenhao Zhang
> Reviewed-by: Zhiqiang Liu

Interesting.

We got a syzbot report yesterday about this issue.
(email thread : BUG: unable to handle kernel paging request in ip6_fragment)

syzbot found the following crash on:

HEAD commit:    8c838f53 dpaa2-eth: fix race condition with bql frame acco..
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=12b83a9b200000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f05902bca21d8935
dashboard link: https://syzkaller.appspot.com/bug?extid=e8ce541d095e486074fc
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+e8ce541d095e486074fc@syzkaller.appspotmail.com

>
> ---
>  net/ipv6/ip6_output.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index edbd12067170..6db3c60b3b66 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -606,12 +606,14 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, >      __be32 frag_id; >      int ptr, offset = 0, err = 0; >      u8 *prevhdr, nexthdr = 0; > +    u8 nexthdr_offset; >   >      err = ip6_find_1stfragopt(skb, &prevhdr); >      if (err < 0) >          goto fail; >      hlen = err; >      nexthdr = *prevhdr; > +    nexthdr_offset = prevhdr - skb_network_header(skb); >   >      mtu = ip6_skb_dst_mtu(skb); >   > @@ -646,6 +648,8 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, >          (err = skb_checksum_help(skb))) >          goto fail; >   > +    prevhdr = skb_network_header(skb) + nexthdr_offset; > + >      hroom = LL_RESERVED_SPACE(rt->dst.dev); >      if (skb_has_frag_list(skb)) { >          unsigned int first_len = skb_pagelen(skb); >
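Review bot: in the first hunk (@@ -606), `u8 nexthdr_offset;` is too narrow for the value assigned to it, `prevhdr - skb_network_header(skb)`. prevhdr points at the next-header field of the last unfragmentable extension header, and a hop-by-hop or routing header in front of it can be far longer than 255 bytes (the extension-header length byte counts 8-octet units), so the difference wraps in a u8 and the pointer rebuilt from it in the second hunk lands on the wrong byte of the header. Suggest a full-width type, e.g. `+    unsigned int nexthdr_offset;`, matching how hlen is already held as an int.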
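Review bot: in the second hunk (@@ -646), the added `prevhdr = skb_network_header(skb) + nexthdr_offset;` carries no comment, so a later reader has no hint that it is there because skb_checksum_help() can call __skb_linearize() and move the header out from under the pointer taken by ip6_find_1stfragopt(). Suggest a one-line comment above the reload, e.g. `/* skb_checksum_help() may have moved the header: recompute prevhdr */`. The placement itself is right: it comes before hroom/frag handling, the first later use of prevhdr.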
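The failure mode the commit message describes, modelled as an added example (my code, not the kernel's): a constructed IPv6 header chain, a simplified find_1stfragopt(), and a linearize() that moves the header the way __skb_linearize() can. mark_after_move() rebuilds prevhdr from the saved offset after the move, either held in a u8 as in the patch or in a size_t, so it also shows where the u8 offset wraps.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { NEXTHDR_HOP = 0, NEXTHDR_TCP = 6, NEXTHDR_ROUTING = 43,
       NEXTHDR_FRAGMENT = 44, IPV6_HLEN = 40 };
struct pkt { uint8_t *head; size_t len; };  /* head is the network header */
/* Constructed packet: base header, hop-by-hop of hop_len bytes (a multiple
 * of 8, at most 2048), an 8-byte routing header, then a TCP header. */
static struct pkt build(size_t hop_len) {
    struct pkt p = { calloc(1, IPV6_HLEN + hop_len + 28), IPV6_HLEN + hop_len + 28 };
    p.head[6] = NEXTHDR_HOP;                             /* ipv6hdr.nexthdr */
    p.head[IPV6_HLEN] = NEXTHDR_ROUTING;                 /* hop-by-hop nexthdr */
    p.head[IPV6_HLEN + 1] = (uint8_t)(hop_len / 8 - 1);  /* hdrlen, 8-octet units */
    p.head[IPV6_HLEN + hop_len] = NEXTHDR_TCP;           /* routing nexthdr, hdrlen 0 */
    return p;
}
/* Simplified ip6_find_1stfragopt(): offset of the next-header field of the
 * last unfragmentable header, the byte that later receives NEXTHDR_FRAGMENT. */
static size_t find_1stfragopt(const struct pkt *p) {
    size_t off = 6, hdr = IPV6_HLEN;
    uint8_t nh = p->head[6];
    while (nh == NEXTHDR_HOP || nh == NEXTHDR_ROUTING) {
        off = hdr;
        nh = p->head[hdr];
        hdr += ((size_t)p->head[hdr + 1] + 1) * 8;
    }
    return off;
}
/* Stand-in for skb_checksum_help() -> __skb_linearize(): the header moves,
 * so a pointer taken into it before the call now dangles. */
static void linearize(struct pkt *p) {
    uint8_t *fresh = malloc(p->len);
    memcpy(fresh, p->head, p->len);
    free(p->head);
    p->head = fresh;
}
/* Rebuild prevhdr from the saved offset after the move and write the
 * fragment marker; 1 if it landed on the right byte. With use_u8 the offset
 * is kept in a u8 as in the patch, which wraps once it exceeds 255. */
static int mark_after_move(size_t hop_len, int use_u8) {
    struct pkt p = build(hop_len);
    size_t want = find_1stfragopt(&p);
    uint8_t off8 = (uint8_t)want;               /* the patch's u8 nexthdr_offset */
    linearize(&p);
    uint8_t *prevhdr = p.head + (use_u8 ? off8 : want);
    *prevhdr = NEXTHDR_FRAGMENT;
    int ok = p.head[want] == NEXTHDR_FRAGMENT;
    free(p.head);
    return ok;
}
```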