From: Willem de Bruijn
Date: Thu, 10 Mar 2022 20:49:21 -0500
Subject: Re: [PATCH v3] net: ipv6: fix skb_over_panic in __ip6_append_data
To: Tadeusz Struk
Cc: kuba@kernel.org, Willem de Bruijn, "David S . Miller", Hideaki YOSHIFUJI, David Ahern, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend, KP Singh, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
References: <20220310232538.1044947-1-tadeusz.struk@linaro.org>
In-Reply-To: <20220310232538.1044947-1-tadeusz.struk@linaro.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Mar 10, 2022 at 6:26 PM Tadeusz Struk wrote:
>
> Syzbot found a kernel bug in the ipv6 stack:
> LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
> The reproducer triggers it by sending a crafted message via sendmmsg()
> call, which triggers skb_over_panic, and crashes the kernel:
>
> skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
> head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
> dev:
>
> Update the check that prevents an invalid packet with MTU equall to the
> fregment header size to eat up all the space for payload.
>
> The reproducer can be found here:
> LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000
>
> Cc: Willem de Bruijn
> Cc: David S. Miller
> Cc: Hideaki YOSHIFUJI
> Cc: David Ahern
> Cc: Jakub Kicinski
> Cc: Alexei Starovoitov
> Cc: Daniel Borkmann
> Cc: Andrii Nakryiko
> Cc: Martin KaFai Lau
> Cc: Song Liu
> Cc: Yonghong Song
> Cc: John Fastabend
> Cc: KP Singh
> Cc: netdev@vger.kernel.org
> Cc: bpf@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: stable@vger.kernel.org
>
> Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com
> Signed-off-by: Tadeusz Struk

Acked-by: Willem de Bruijn

small nit: "equal to the fragment"

and all these Cc:s aren't really needed in the commit message.

I don't think we'll find a commit for a Fixes tag. This goes ways back.
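As an added example (mine, not code from the patch, the thread, or the kernel), the C model below ties the numbers in the quoted skb_over_panic line to the sk_buff tail/end bookkeeping, and models the MTU-versus-fragment-header check the commit message describes: when the MTU does not exceed the fragment header length there is no room for payload and the send must be refused before anything is put into the skb. The exact kernel condition is not quoted in the thread, so `payload_room` and `append_allowed` are my illustration of it; `model_skb` and `model_skb_put` are my names, the panic values are copied from the thread, and the 48-byte header length is a constructed value (40-byte IPv6 header plus 8-byte fragment header, no extension headers).

```c
#include <stdio.h>

/* Userspace model of the sk_buff fields the kernel prints in skb_over_panic.
 * Offsets are relative to head, as the kernel prints tail and end. */
struct model_skb {
    unsigned long data; /* offset of the first header byte (the headroom) */
    unsigned long tail; /* offset one past the last used byte */
    unsigned long end;  /* offset one past the allocation */
};

/* Like skb_put(): reserves len bytes after tail. The kernel calls
 * skb_over_panic() on overflow; the model returns -1 and leaves the skb
 * untouched instead. */
int model_skb_put(struct model_skb *skb, unsigned long len)
{
    if (skb->tail + len > skb->end)
        return -1;
    skb->tail += len;
    return 0;
}

/* Values copied from the panic line quoted in the thread. */
#define PANIC_HEAD 0xffff888109ff0000UL
#define PANIC_DATA 0xffff888109ff0088UL
#define PANIC_PUT  65575UL
#define PANIC_END  0xfec0UL

/* Where tail lands if the whole put is applied. len == put in the panic
 * line, so nothing was in the skb before this put and tail started at the
 * headroom (data - head). The result matches the printed "tail:0x100af",
 * which shows the single 65575-byte put is what runs past end. */
unsigned long tail_after_put(void)
{
    return (PANIC_DATA - PANIC_HEAD) + PANIC_PUT;
}

/* How many bytes past the allocation that put would have written. */
unsigned long overflow_bytes(void)
{
    return tail_after_put() - PANIC_END;
}

/* Model of the check the commit message describes (my formulation, not the
 * kernel's exact condition): the room left for payload in a fragment is the
 * MTU minus the IPv6 + extension + fragment header length. An MTU that does
 * not exceed that header length leaves no room at all. */
long payload_room(unsigned long mtu, unsigned long fragheaderlen)
{
    return (long)mtu - (long)fragheaderlen;
}

/* 1 if the cork MTU leaves payload room, 0 if the send must be refused
 * (EMSGSIZE/EINVAL territory) before any skb_put() happens. */
int append_allowed(unsigned long mtu, unsigned long fragheaderlen)
{
    return payload_room(mtu, fragheaderlen) > 0;
}

int main(void)
{
    unsigned long headroom = PANIC_DATA - PANIC_HEAD; /* 0x88 */
    struct model_skb skb = { headroom, headroom, PANIC_END };

    printf("tail after put: 0x%lx, end: 0x%lx, overflow: %lu bytes\n",
           tail_after_put(), PANIC_END, overflow_bytes());
    printf("model_skb_put(%lu) -> %d (tail still 0x%lx)\n",
           PANIC_PUT, model_skb_put(&skb, PANIC_PUT), skb.tail);
    /* constructed header length: 40-byte IPv6 header + 8-byte fragment header */
    printf("mtu 1280, hdr 48: append_allowed=%d\n", append_allowed(1280, 48));
    printf("mtu 48,   hdr 48: append_allowed=%d\n", append_allowed(48, 48));
    return 0;
}
```

Reading the panic line this way is the first thing to do with any skb_over_panic report: if `data - head + put` reproduces the printed tail, the put itself is oversized and the bug is in whoever sized the payload, not in earlier buffer corruption. Here the difference between tail and end is 495 bytes, exactly the kind of miscount a zero-room fragment computation produces.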