From patchwork Mon Mar 20 05:25:00 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 740791
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1489987500.16816.19.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: Re: PROBLEM: null-ptr deref in ip_options_echo may lead to denial of service
From: Eric Dumazet
To: Anarcheuz Fritz, Ben Hutchings
Cc: davem@davemloft.net, security@kernel.org, netdev@vger.kernel.org
Date: Sun, 19 Mar 2017 22:25:00 -0700
X-Mailing-List: netdev@vger.kernel.org

On Mon, 2017-03-20 at 12:59 +0800, Anarcheuz Fritz wrote:
> Hi David,
>
> While working on some legacy kernel I stumbled upon a null-ptr deref in
> ip_options_echo. The bug has been verified on the latest version
> 3.2.87 from the supported long-term branch.
>

Fixed in commit 34b2cef20f19c87999fff3da4071e66937db9644 ("ipv4: keep skb->dst around in presence of IP options")

For 3.2, since d826eb14ecef was not backported, the following patch should do it.

(Bug origin was f84af32cbca70 ("net: ip_queue_rcv_skb() helper"))

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index b3648bbef0da..a6e1eeb02267 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c @@ -1009,7 +1009,8 @@ e_inval: */ int ip_queue_rcv_skb(struct sock *sk, struct sk_buff *skb) { - if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO)) + if (!(inet_sk(sk)->cmsg_flags & IP_CMSG_PKTINFO) && + !IPCB(skb)->opt.optlen) skb_dst_drop(skb); return sock_queue_rcv_skb(sk, skb); }
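Review bot: the widened condition now keeps skb->dst whenever IPCB(skb)->opt.optlen is non-zero, but nothing in the hunk records why the dst must survive queuing; a one-line comment above the `if`, e.g. `/* ip_options_echo() needs skb_dst() when IP options are present */`, would tie the extra clause to the null-ptr deref named in the subject line instead of leaving readers to dig through the commit log. The changelog should also state that this is the 3.2 equivalent of 34b2cef20f19c87999fff3da4071e66937db9644, adapted because d826eb14ecef was never backported, so stable maintainers can trace the provenance when the same report lands for other long-term branches.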