mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-19 02:34:01 +08:00
linux-next/drivers/net
Eric Dumazet 38f88c4540 bonding/alb: properly access headers in bond_alb_xmit()
syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.

First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report transport offset was 0xFFFF.

This patch removes ipx_hdr() since it was only (mis)used from bonding.

Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb->head before dereferencing anything.

BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
 (if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 [<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
 [<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
 [<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
 [<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
 [<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
 [<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
 [<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
 [<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
 [<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
 [<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
 [<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
 [<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
 [<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
 [<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
 [<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
 [<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
 [<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
 [<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
 [<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
 [<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
 [<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
 [<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
 [<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-02-05 14:28:09 +01:00
appletalk
arcnet
bonding bonding/alb: properly access headers in bond_alb_xmit() 2020-02-05 14:28:09 +01:00
caif
can ioremap changes for 5.6 2020-01-27 13:03:00 -08:00
dsa net: dsa: mv88e6xxx: Add SERDES stats counters to all 6390 family members 2020-01-20 10:32:03 +01:00
ethernet net: ethernet: dec: tulip: Fix length mask in receive length calculation 2020-02-05 14:21:31 +01:00
fddi Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
fjes Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
hamradio Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-12-22 15:15:05 -08:00
hippi
hyperv hv_netvsc: Add XDP support 2020-01-25 10:43:19 +01:00
ieee802154
ipvlan
netdevsim netdevsim: fix ptr_ret.cocci warnings 2020-02-05 13:55:32 +01:00
phy Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-02-04 13:32:20 +00:00
plip
ppp pptp: support sockets bound to an interface 2020-01-15 23:13:09 +01:00
slip Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-01-26 10:40:21 +01:00
team
usb r8152: Add MAC passthrough support to new device 2020-02-04 11:58:10 +01:00
vmxnet3 vmxnet3: Remove always false conditional statement 2020-01-08 16:07:21 -08:00
wan Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-01-28 16:02:33 -08:00
wimax
wireguard wireguard: noise: reject peers with low order public keys 2020-02-05 14:14:18 +01:00
wireless proc: convert everything to "struct proc_ops" 2020-02-04 03:05:26 +00:00
xen-netback net: xen-netback: hash.c: Use built-in RCU list checking 2020-01-17 10:57:22 +01:00
dummy.c
eql.c
geneve.c
gtp.c gtp: use __GFP_NOWARN to avoid memalloc warning 2020-02-04 12:38:50 +01:00
ifb.c
Kconfig USB/Thunderbolt/PHY driver updates for 5.6-rc1 2020-01-29 10:09:44 -08:00
LICENSE.SRC
loopback.c
macsec.c net: macsec: PN wrap callback 2020-01-14 11:31:41 -08:00
macvlan.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2020-01-19 22:10:04 +01:00
macvtap.c
Makefile USB/Thunderbolt/PHY driver updates for 5.6-rc1 2020-01-29 10:09:44 -08:00
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c net: tap: use skb_list_walk_safe helper for gso segments 2020-01-08 15:19:55 -08:00
thunderbolt.c
tun.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-01-26 10:40:21 +01:00
veth.c bpf, xdp: Remove no longer required rcu_read_{un}lock() 2020-01-27 11:16:25 +01:00
virtio_net.c bpf, xdp: virtio_net use access ptr macro for xdp enable check 2020-01-27 11:16:25 +01:00
vrf.c
vsockmon.c
vxlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-01-09 12:13:43 -08:00
xen-netfront.c