From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Xin Long, "David S. Miller", Sasha Levin
Subject: [PATCH 4.9 211/223] ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
Date: Fri, 2 Aug 2019 11:37:16 +0200
Message-Id: <20190802092250.528687530@linuxfoundation.org>
In-Reply-To: <20190802092238.692035242@linuxfoundation.org>

[ Upstream commit 99253eb750fda6a644d5188fb26c43bad8d5a745 ]

Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
the issue for ipv4 ipmr:

  ip_mroute_setsockopt() & ip_mroute_getsockopt() should not
  access/set raw_sk(sk)->ipmr_table before making sure the socket
  is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset
as ipmr_table as in raw_sk(sk) when accessing other type's socket
by ip_mroute_setsockopt().

Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv6/ip6mr.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/net/ipv6/ip6mr.c +++ b/net/ipv6/ip6mr.c @@ -1668,6 +1668,10 @@ int ip6_mroute_setsockopt(struct sock *s struct net *net = sock_net(sk); struct mr6_table *mrt; + if (sk->sk_type != SOCK_RAW || + inet_sk(sk)->inet_num != IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT; 
@@ -1679,9 +1683,6 @@ int ip6_mroute_setsockopt(struct sock *s switch (optname) { case MRT6_INIT: - if (sk->sk_type != SOCK_RAW || - inet_sk(sk)->inet_num != IPPROTO_ICMPV6) - return -EOPNOTSUPP; if (optlen < sizeof(int)) return -EINVAL; @@ -1818,6 +1819,10 @@ int ip6_mroute_getsockopt(struct sock *s struct net *net = sock_net(sk); struct mr6_table *mrt; + if (sk->sk_type != SOCK_RAW || + inet_sk(sk)->inet_num != IPPROTO_ICMPV6) + return -EOPNOTSUPP; + mrt = ip6mr_get_table(net, raw6_sk(sk)->ip6mr_table ? : RT6_TABLE_DFLT); if (!mrt) return -ENOENT;
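
Review bot: In the first hunk (ip6_mroute_setsockopt(), @@ -1668), the added sk_type/inet_num check has no comment saying why it must sit above the `raw6_sk(sk)->ip6mr_table` read on the very next statement. The ordering is the whole fix: raw6_sk() is only meaningful once the socket is known to be SOCK_RAW with IPPROTO_ICMPV6, and on any other socket type that field offset belongs to unrelated data. A one-line comment above the check stating this would keep a later cleanup from moving the ip6mr_get_table() call back above it.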
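
Review bot: In the second hunk (@@ -1679, the MRT6_INIT case), removing the per-option check means -EOPNOTSUPP is no longer specific to MRT6_INIT: together with the new check at function entry, every optname issued on a non-raw or non-ICMPv6 socket now fails with -EOPNOTSUPP before the table lookup. The changelog only describes the panic, so it should also state that the error seen by userspace changes for the other options, since this is going to a stable tree.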
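
Review bot: In the third hunk (ip6_mroute_getsockopt(), @@ -1818), the three-line check is a verbatim copy of the one added to ip6_mroute_setsockopt() in the first hunk. Consider a small static helper in ip6mr.c that takes the sock and returns whether it is a raw ICMPv6 socket, called from both entry points, so the two guards cannot drift apart if the condition is ever extended.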