From: Tadeusz Struk
To: kuba@kernel.org
Cc: Tadeusz Struk, Willem de Bruijn, David S. Miller, Hideaki YOSHIFUJI, David Ahern, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Subject: [PATCH v3] net: ipv6: fix skb_over_panic in __ip6_append_data
Date: Thu, 10 Mar 2022 15:25:38 -0800
Message-Id: <20220310232538.1044947-1-tadeusz.struk@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot found a kernel bug in the ipv6 stack:
LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580

The reproducer triggers it by sending a crafted message via a sendmmsg() call, which triggers skb_over_panic and crashes the kernel:

skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0 dev:

Update the check that prevents an invalid packet with MTU equal to the fragment header size from eating up all the space for payload.

The reproducer can be found here:
LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000

Cc: Willem de Bruijn
Cc: David S. Miller
Cc: Hideaki YOSHIFUJI
Cc: David Ahern
Cc: Jakub Kicinski
Cc: Alexei Starovoitov
Cc: Daniel Borkmann
Cc: Andrii Nakryiko
Cc: Martin KaFai Lau
Cc: Song Liu
Cc: Yonghong Song
Cc: John Fastabend
Cc: KP Singh
Cc: netdev@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
Signed-off-by: Tadeusz Struk
---
v2: Instead of updating the alloclen, add a check that prevents an invalid packet with MTU equal to the fragment header size from eating up all the space for payload. Fix suggested by Willem de Bruijn
v3: Update existing check outside of the while loop.
---
 net/ipv6/ip6_output.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index 4788f6b37053..194832663d85 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1476,8 +1476,8 @@ static int __ip6_append_data(struct sock *sk,
 		      sizeof(struct frag_hdr) : 0) +
 		     rt->rt6i_nfheader_len;
 
-	if (mtu < fragheaderlen ||
-	    ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr))
+	if (mtu <= fragheaderlen ||
+	    ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr))
 		goto emsgsize;
 
 	maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen -
-- 
2.35.1
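Review bot: the patch is Cc'd to stable@vger.kernel.org but carries no Fixes: tag; the `if (mtu <= fragheaderlen ||` hunk only tightens a check that already existed with `<`, so name the commit that introduced those comparisons (or made this path reachable) so the stable maintainers know where the backport applies. The commit message would also be clearer with one sentence on the mechanism: when mtu == fragheaderlen the `(mtu - fragheaderlen) & ~7` term is zero, so the `maxfraglen` assigned right after the check is `fragheaderlen` minus the trailing term and leaves no room for payload, which is exactly why equality must now hit `goto emsgsize`.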
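As an added illustration, not part of the patch or of the kernel source, the following C model replays the arithmetic from the hunk: the removed and added checks side by side, maxfraglen as the kernel assigns it, and a simplified version of the copy loop's datalen clamp. The clamp is the editor's simplification of ip6_output.c (the cork->length and dst.trailer_len terms are dropped) and FRAG_HDR_LEN stands in for sizeof(struct frag_hdr).

```c
#include <stdbool.h>
#include <stdio.h>

/* sizeof(struct frag_hdr) in the kernel; modelled as a plain number here. */
#define FRAG_HDR_LEN 8u

/* The condition removed by the hunk: true means "goto emsgsize". */
static bool old_check_rejects(unsigned int mtu, unsigned int fragheaderlen)
{
	return mtu < fragheaderlen ||
	       ((mtu - fragheaderlen) & ~7u) + fragheaderlen < FRAG_HDR_LEN;
}

/* The condition added by the hunk. */
static bool new_check_rejects(unsigned int mtu, unsigned int fragheaderlen)
{
	return mtu <= fragheaderlen ||
	       ((mtu - fragheaderlen) & ~7u) + fragheaderlen <= FRAG_HDR_LEN;
}

/* maxfraglen as assigned right after the check; the hunk shows only its
 * first line, the "- sizeof(struct frag_hdr)" tail is from ip6_output.c. */
static unsigned int maxfraglen(unsigned int mtu, unsigned int fragheaderlen)
{
	return ((mtu - fragheaderlen) & ~7u) + fragheaderlen - FRAG_HDR_LEN;
}

/* Simplified model of the copy loop's clamp (cork->length and trailer_len
 * dropped): a signed datalen is compared against the unsigned value
 * maxfraglen - fragheaderlen, which wraps once maxfraglen < fragheaderlen. */
static unsigned int fraglen_for(unsigned int length, unsigned int mtu,
				unsigned int fragheaderlen)
{
	unsigned int bound = maxfraglen(mtu, fragheaderlen) - fragheaderlen;
	int datalen = (int)length;

	if ((unsigned int)datalen > bound)	/* C's usual arithmetic conversion */
		datalen = (int)bound;
	return (unsigned int)datalen + fragheaderlen;
}

int main(void)
{
	unsigned int fhl = 40, mtu = 40;	/* constructed: MTU == fragheaderlen */

	printf("old rejects=%d new rejects=%d fraglen=%u\n",
	       old_check_rejects(mtu, fhl), new_check_rejects(mtu, fhl),
	       fraglen_for(65535, mtu, fhl));
	return 0;
}
```

With mtu equal to fragheaderlen the old check lets the packet through, maxfraglen drops below fragheaderlen, and a 65535-byte send produces fraglen 65575, the len/put value in the panic line above; the new check returns EMSGSIZE before any of that arithmetic runs.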