korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2025-01-24 06:44:23 +08:00
Code Issues Packages Projects Releases Wiki Activity
3fabca5d9c
linux/net
History
Kuniyuki Iwashima 3fabca5d9c icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). 
[ Upstream commit 2aaa8a15de ]

With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
has the link-local address as src and dst IP and will be forwarded to
an external IP in the IPv6 Ext Hdr.

For example, the script below generates a packet whose src IP is the
link-local address and dst is updated to 11::.

  # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
  # python3
  >>> from socket import *
  >>> from scapy.all import *
  >>>
  >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
  >>>
  >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
  >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
  >>>
  >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
  >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))

For such a packet, we call ip6_route_input() to look up a route for the
next destination in these three functions depending on the header type.

  * ipv6_rthdr_rcv()
  * ipv6_rpl_srh_rcv()
  * ipv6_srh_rcv()

If no route is found, ip6_null_entry is set to skb, and the following
dst_input(skb) calls ip6_pkt_drop().

Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
as the input device is the loopback interface.  Then, we have to check if
skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
for ip6_null_entry.

BUG: kernel NULL pointer dereference, address: 0000000000000000
 PF: supervisor read access in kernel mode
 PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 157 Comm: python3 Not tainted 6.4.0-11996-gb121d614371c #35
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 <IRQ>
 ip6_pkt_drop (net/ipv6/route.c:4513)
 ipv6_rthdr_rcv (net/ipv6/exthdrs.c:640 net/ipv6/exthdrs.c:686)
 ip6_protocol_deliver_rcu (net/ipv6/ip6_input.c:437 (discriminator 5))
 ip6_input_finish (./include/linux/rcupdate.h:781 net/ipv6/ip6_input.c:483)
 __netif_receive_skb_one_core (net/core/dev.c:5455)
 process_backlog (./include/linux/rcupdate.h:781 net/core/dev.c:5895)
 __napi_poll (net/core/dev.c:6460)
 net_rx_action (net/core/dev.c:6529 net/core/dev.c:6660)
 __do_softirq (./arch/x86/include/asm/jump_label.h:27 ./include/linux/jump_label.h:207 ./include/trace/events/irq.h:142 kernel/softirq.c:554)
 do_softirq (kernel/softirq.c:454 kernel/softirq.c:441)
 </IRQ>
 <TASK>
 __local_bh_enable_ip (kernel/softirq.c:381)
 __dev_queue_xmit (net/core/dev.c:4231)
 ip6_finish_output2 (./include/net/neighbour.h:544 net/ipv6/ip6_output.c:135)
 rawv6_sendmsg (./include/net/dst.h:458 ./include/linux/netfilter.h:303 net/ipv6/raw.c:656 net/ipv6/raw.c:914)
 sock_sendmsg (net/socket.c:725 net/socket.c:748)
 __sys_sendto (net/socket.c:2134)
 __x64_sys_sendto (net/socket.c:2146 net/socket.c:2142 net/socket.c:2142)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)
RIP: 0033:0x7f9dc751baea
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffe98712c38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007ffe98712cf8 RCX: 00007f9dc751baea
RDX: 0000000000000060 RSI: 00007f9dc6460b90 RDI: 0000000000000003
RBP: 00007f9dc56e8be0 R08: 00007ffe98712d70 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: ffffffffc4653600 R14: 0000000000000001 R15: 00007f9dc6af5d1b
 </TASK>
Modules linked in:
CR2: 0000000000000000
 ---[ end trace 0000000000000000 ]---
RIP: 0010:icmp6_send (net/ipv6/icmp.c:436 net/ipv6/icmp.c:503)
Code: fe ff ff 48 c7 40 30 c0 86 5d 83 e8 c6 44 1c 00 e9 c8 fc ff ff 49 8b 46 58 48 83 e0 fe 0f 84 4a fb ff ff 48 8b 80 d0 00 00 00 <48> 8b 00 44 8b 88 e0 00 00 00 e9 34 fb ff ff 4d 85 ed 0f 85 69 01
RSP: 0018:ffffc90000003c70 EFLAGS: 00000286
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 00000000000000e0
RDX: 0000000000000021 RSI: 0000000000000000 RDI: ffff888006d72a18
RBP: ffffc90000003d80 R08: 0000000000000000 R09: 0000000000000001
R10: ffffc90000003d98 R11: 0000000000000040 R12: ffff888006d72a10
R13: 0000000000000000 R14: ffff8880057fb800 R15: ffffffff835d86c0
FS:  00007f9dc72ee740(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000057b2000 CR4: 00000000007506f0
PKRU: 55555554
Kernel panic - not syncing: Fatal exception in interrupt
Kernel Offset: disabled

Fixes: 4832c30d54 ("net: ipv6: put host and anycast routes on device with address")
Reported-by: Wang Yufen <wangyufen@huawei.com>
Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2023-07-23 13:47:41 +02:00
..
6lowpan
9p 9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition 2023-04-20 12:13:53 +02:00
802 mrp: introduce active flags to prevent UAF when applicant uninit 2022-12-31 13:14:42 +01:00
8021q vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() 2023-05-24 17:36:52 +01:00
appletalk
atm atm: hide unused procfs functions 2023-06-09 10:32:26 +02:00
ax25 net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg 2022-06-22 14:22:01 +02:00
batman-adv batman-adv: Broken sync while rescheduling delayed work 2023-06-14 11:13:04 +02:00
bluetooth Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk 2023-06-14 11:13:06 +02:00
bpf bpf: Move skb->len == 0 checks into __bpf_redirect 2022-12-31 13:14:11 +01:00
bpfilter
bridge net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode 2023-07-23 13:47:29 +02:00
caif net: caif: Fix use-after-free in cfusbl_device_notify() 2023-03-17 08:48:54 +01:00
can can: isotp: isotp_sendmsg(): fix return error fix on TX path 2023-07-05 18:25:05 +01:00
ceph libceph: fix potential use-after-free on linger ping and resends 2022-05-25 09:57:28 +02:00
core net: prevent skb corruption on frag list segmentation 2023-07-23 13:47:41 +02:00
dcb net: dcb: disable softirqs in dcbnl_flush_dev() 2022-03-08 19:12:52 +01:00
dccp dccp: Call inet6_destroy_sock() via sk->sk_destruct(). 2023-04-26 13:51:54 +02:00
dns_resolver
dsa net: dsa: tag_sja1105: fix MAC DA patching from meta frames 2023-07-23 13:47:30 +02:00
ethernet
ethtool ethtool: Fix uninitialized number of lanes 2023-05-17 11:50:18 +02:00
hsr hsr: ratelimit only when errors are printed 2023-04-05 11:25:02 +02:00
ieee802154 net: ieee802154: fix error return code in dgram_bind() 2022-11-03 23:59:14 +09:00
ife
ipv4 tcp: annotate data races in __tcp_oow_rate_limited() 2023-07-23 13:47:29 +02:00
ipv6 icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). 2023-07-23 13:47:41 +02:00
iucv net/iucv: Fix size of interrupt data 2023-03-22 13:31:28 +01:00
kcm kcm: close race conditions on sk_receive_queue 2022-11-26 09:24:50 +01:00
key af_key: Reject optional tunnel/BEET mode templates in outbound policies 2023-05-24 17:36:49 +01:00
l2tp inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy(). 2023-04-26 13:51:54 +02:00
l3mdev l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu 2022-04-27 14:38:53 +02:00
lapb
llc net: deal with most data-races in sk_wait_event() 2023-05-24 17:36:42 +01:00
mac80211 wifi: mac80211: simplify chanctx allocation 2023-06-09 10:32:25 +02:00
mac802154 mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() 2022-12-14 11:37:25 +01:00
mctp net: mctp: purge receive queues on sk destruction 2023-02-06 07:59:02 +01:00
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-02-22 12:57:09 +01:00
mptcp mptcp: consolidate fallback and non fallback state machine 2023-07-05 18:25:04 +01:00
ncsi net/ncsi: clear Tx enable mode when handling a Config required AEN 2023-05-17 11:50:16 +02:00
netfilter netfilter: nf_tables: prevent OOB access in nft_byteorder_eval 2023-07-23 13:47:37 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2022-04-13 20:59:10 +02:00
netlink netlink: Add __sock_i_ino() for __netlink_diag_dump(). 2023-07-23 13:46:56 +02:00
netrom netrom: fix info-leak in nr_write_internal() 2023-06-09 10:32:16 +02:00
nfc net: nfc: Fix use-after-free caused by nfc_llcp_find_local 2023-07-23 13:46:56 +02:00
nsh net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() 2023-05-24 17:36:51 +01:00
openvswitch net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() 2023-02-22 12:57:09 +01:00
packet af_packet: do not use READ_ONCE() in packet_bind() 2023-06-09 10:32:17 +02:00
phonet phonet: refcount leak in pep_sock_accep 2022-01-11 15:35:16 +01:00
psample
qrtr net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() 2023-04-20 12:13:53 +02:00
rds rds: rds_rm_zerocopy_callback() correct order for list_add_tail() 2023-03-10 09:39:16 +01:00
rfkill rfkill: make new event layout opt-in 2022-04-08 14:23:00 +02:00
rose net/rose: Fix to not accept on connected socket 2023-02-22 12:57:02 +01:00
rxrpc rxrpc: Fix hard call timeout units 2023-05-17 11:50:17 +02:00
sched net/sched: cls_fw: Fix improper refcount update leads to use-after-free 2023-07-23 13:47:41 +02:00
sctp sctp: fix potential deadlock on &net->sctp.addr_wq_lock 2023-07-23 13:47:27 +02:00
smc net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT 2023-06-14 11:13:01 +02:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2021-11-18 19:17:11 +01:00
sunrpc SUNRPC: Fix UAF in svc_tcp_listen_data_ready() 2023-07-23 13:47:20 +02:00
switchdev
tipc net: tipc: resize nlattr array to correct size 2023-06-21 15:59:18 +02:00
tls net: deal with most data-races in sk_wait_event() 2023-05-24 17:36:42 +01:00
unix af_unix: Fix data races around sk->sk_shutdown. 2023-05-24 17:36:42 +01:00
vmw_vsock vsock: avoid to close connected socket after the timeout 2023-05-24 17:36:49 +01:00
wireless wifi: cfg80211: rewrite merging of inherited elements 2023-07-23 13:46:53 +02:00
x25 net/x25: Fix to not accept on connected socket 2023-02-09 11:26:40 +01:00
xdp xsk: Honor SO_BINDTODEVICE on bind 2023-07-23 13:47:29 +02:00
xfrm xfrm: Ensure policies always checked on XFRM-I input path 2023-06-28 10:29:45 +02:00
compat.c
devres.c
Kconfig Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
Makefile Remove DECnet support from kernel 2023-06-21 15:59:15 +02:00
socket.c net: annotate sk->sk_err write from do_recvmmsg() 2023-05-24 17:36:42 +01:00
sysctl_net.c