From: hujunwei
Subject: [PATCH v3 net] ipv6: Fix dangling pointer when ipv6 fragment
Message-ID: <44e8dcf8-bf64-0407-65bb-122d0853c672@huawei.com>
Date: Tue, 2 Apr 2019 11:09:28 +0800
X-Mailing-List: linux-kernel@vger.kernel.org
From: Junwei Hu

At the beginning of ip6_fragment func, the prevhdr pointer is obtained in the ip6_find_1stfragopt func. However, all the pointers pointing into skb header may change when calling skb_checksum_help func with skb->ip_summed = CHECKSUM_PARTIAL condition. The prevhdr pointer will be dangling if it is not reloaded after calling __skb_linearize func in skb_checksum_help func.

Here, I add a variable, nexthdr_offset, to evaluate the offset, which does not change even after calling __skb_linearize func.

Fixes: 405c92f7a541 ("ipv6: add defensive check for CHECKSUM_PARTIAL skbs in ip_fragment")
Signed-off-by: Junwei Hu
Reported-by: Wenhao Zhang
Reported-by: syzbot+e8ce541d095e486074fc@syzkaller.appspotmail.com
Reviewed-by: Zhiqiang Liu
Acked-by: Martin KaFai Lau
---
V2->V3:
- fix patch format issue
- add Acked-by

net/ipv6/ip6_output.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index edbd12067170..533be3268e52 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -601,11 +601,12 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, inet6_sk(skb->sk) : NULL; struct ipv6hdr *tmp_hdr; struct frag_hdr *fh; - unsigned int mtu, hlen, left, len; + unsigned int mtu, hlen, left, len, nexthdr_offset; int hroom, troom; __be32 frag_id; int ptr, offset = 0, err = 0; u8 *prevhdr, nexthdr = 0; + nexthdr_offset = prevhdr - skb_network_header(skb); err = ip6_find_1stfragopt(skb, &prevhdr); if (err < 0) @@ -646,6 +647,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, (err = skb_checksum_help(skb))) goto fail; + prevhdr = skb_network_header(skb) + nexthdr_offset; hroom = LL_RESERVED_SPACE(rt->dst.dev); if (skb_has_frag_list(skb)) { unsigned int first_len = skb_pagelen(skb); -- 2.19.1
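Review bot: in the first hunk the added line `nexthdr_offset = prevhdr - skb_network_header(skb);` runs before `err = ip6_find_1stfragopt(skb, &prevhdr);`, so it reads `prevhdr` while that pointer is still uninitialised (the declaration `u8 *prevhdr, nexthdr = 0;` initialises only `nexthdr`), and the offset it stores is garbage; the reload in the second hunk then rebuilds `prevhdr` from that garbage rather than from the fragmentable header the call found. Move the assignment to after the `ip6_find_1stfragopt()` call and its `if (err < 0)` check, so the offset is derived from the value that call actually produced.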
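Review bot: the reload `prevhdr = skb_network_header(skb) + nexthdr_offset;` in the second hunk carries no comment, and nothing at that spot explains why a pointer obtained a few lines earlier has to be recomputed. A one-line comment saying that skb_checksum_help() may linearize the skb and move its headers (the reason given in the commit message) would stop a later reader from deleting the line as redundant. The reload also runs when skb_checksum_help() was not called; that is harmless because the offset is unchanged in that case, but it is worth stating in the same comment.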
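The commit message's point, that a pointer into the skb header goes stale once the buffer is linearized while an offset from the network header survives, as an added stand-alone illustration in user-space C that is not kernel code and not part of this patch; `struct fake_skb`, `fake_linearize()`, `make_skb()` and `prevhdr_after_linearize()` are constructed stand-ins for the sk_buff, `__skb_linearize()` and the patched `ip6_fragment()` flow.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an sk_buff (not the kernel struct): the header
 * bytes live in one heap block that a "linearize" step may move. */
struct fake_skb {
    uint8_t *head;
    size_t len;          /* bytes in head */
    size_t network_off;  /* where the IPv6 header starts inside head */
};

static uint8_t *network_header(const struct fake_skb *skb)
{
    return skb->head + skb->network_off;
}

/* Constructed: copy into a fresh block and free the old one, so every pointer
 * previously derived from skb->head now dangles (as after __skb_linearize()). */
static int fake_linearize(struct fake_skb *skb, size_t extra)
{
    uint8_t *nh = calloc(skb->len + extra, 1);
    if (!nh) return -1;
    memcpy(nh, skb->head, skb->len);
    free(skb->head);
    skb->head = nh;
    skb->len += extra;
    return 0;
}

/* Network header bytes are 0,1,2,... so a pointer can be checked by value. */
static struct fake_skb make_skb(size_t network_off, size_t hdr_len)
{
    struct fake_skb skb = { calloc(network_off + hdr_len, 1), network_off + hdr_len, network_off };
    for (size_t i = 0; i < hdr_len; i++)
        skb.head[network_off + i] = (uint8_t)i;
    return skb;
}

/* The fix's pattern: remember prevhdr as an OFFSET from the network header,
 * linearize, then rebuild the pointer. Returns the byte the rebuilt pointer
 * addresses, -1 on allocation failure, -2 if the buffer did not move. */
static int prevhdr_after_linearize(struct fake_skb *skb, unsigned int pos)
{
    uint8_t *prevhdr = network_header(skb) + pos; /* stands in for ip6_find_1stfragopt() */
    unsigned int nexthdr_offset = (unsigned int)(prevhdr - network_header(skb));
    uintptr_t stale = (uintptr_t)prevhdr;         /* kept as an integer, never dereferenced */
    if (fake_linearize(skb, 4096) < 0) return -1;
    /* Reading through the old prevhdr here would be a use-after-free. */
    prevhdr = network_header(skb) + nexthdr_offset; /* reload, as the patch does */
    return (uintptr_t)prevhdr == stale ? -2 : *prevhdr;
}
```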