From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xin Long, "David S. Miller", Sasha Levin
Subject: [PATCH 4.4 150/158] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
Date: Fri, 2 Aug 2019 11:29:31 +0200
Message-Id: <20190802092232.662779783@linuxfoundation.org>
In-Reply-To: <20190802092203.671944552@linuxfoundation.org>
References: <20190802092203.671944552@linuxfoundation.org>

[ Upstream commit 99253eb750fda6a644d5188fb26c43bad8d5a745 ]

Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
the issue for ipv4 ipmr:

  ip_mroute_setsockopt() & ip_mroute_getsockopt() should not
  access/set raw_sk(sk)->ipmr_table before making sure the socket
  is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset
as ipmr_table as in raw_sk(sk) when accessing other type's socket
by ip_mroute_setsockopt().

Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv6/ip6mr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c @@ -1666,6 +1666,10 @@ int ip6_mroute_setsockopt(struct sock *s struct net *net = sock_net(sk); struct mr6_table *mrt; + if (sk->sk_type != SOCK_RAW || + inet_sk(sk)->inet_num != IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT; 
@@ -1677,9 +1681,6 @@ int ip6_mroute_setsockopt(struct sock *s switch (optname) { case MRT6_INIT: - if (sk->sk_type != SOCK_RAW || - inet_sk(sk)->inet_num != IPPROTO_ICMPV6) - return -EOPNOTSUPP; if (optlen < sizeof(int)) return -EINVAL; @@ -1816,6 +1817,10 @@ int ip6_mroute_getsockopt(struct sock *s struct net *net = sock_net(sk); struct mr6_table *mrt; + if (sk->sk_type != SOCK_RAW || + inet_sk(sk)->inet_num != IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT;
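
Review bot: In the first hunk (@@ -1666,6 +1666,10 @@, ip6_mroute_setsockopt) the new sk_type/inet_num check carries no comment saying it has to stay above the `raw6_sk(sk)->ip6mr_table` read that follows it. The ordering is the whole fix: on a socket that is not SOCK_RAW the raw6_sk() view does not describe the object, so the field at that offset belongs to something else. A one-line comment above the check ("must precede any raw6_sk(sk) access") would keep a later cleanup from moving the table lookup back up.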
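
Review bot: In the second hunk (@@ -1677,9 +1681,6 @@) the check removed from `case MRT6_INIT:` used to apply to that option only, and with it hoisted to function entry every optname now returns -EOPNOTSUPP on a socket that is not raw ICMPv6. That is the intended hardening, but it is a user-visible errno change for the other options and the commit message only talks about the panic. Please state the changed return value for non-MRT6_INIT options in the changelog so the stable backport is not a surprise to anyone matching on errno.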
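
Review bot: In the third hunk (@@ -1816,6 +1817,10 @@, ip6_mroute_getsockopt) the three added lines are a verbatim copy of the check added to ip6_mroute_setsockopt in the first hunk. Two open-coded copies of a type check that guards a cast tend to drift apart; consider a small static helper in ip6mr.c that both entry points call before touching `raw6_sk(sk)`, so the condition and its errno live in one place.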