[net] net-timestamp: avoid use-after-free in ip_recv_error

Submitted by Willem de Bruijn on April 12, 2017, 11:24 p.m.

Details

Message ID 20170412232435.80455-1-willemdebruijn.kernel@gmail.com
State Accepted
Delegated to: David Miller
Headers show

Commit Message

Willem de Bruijn April 12, 2017, 11:24 p.m.
From: Willem de Bruijn <willemb@google.com>

Syzkaller reported a use-after-free in ip_recv_error at line

    info->ipi_ifindex = skb->dev->ifindex;

This function is called on dequeue from the error queue, at which
point the device pointer may no longer be valid.

Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
pointer is valid or NULL. Store it in temporary storage skb->cb.

It is safe to reference skb->dev here, as called from device drivers
or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
in that case it is NULL and ifindex is set to 0 (invalid).

Do not return a pktinfo cmsg if ifindex is 0. This maintains the
current behavior of not returning a cmsg if skb->dev was NULL.

On dequeue, the ipv4 path will cast from sock_exterr_skb to
in_pktinfo. Both have ifindex as their first element, so no explicit
conversion is needed. This is by design, introduced in commit
0b922b7a829c ("net: original ingress device index in PKTINFO"). For
ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.

Fixes: 829ae9d61165 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
 net/core/skbuff.c      |  1 +
 net/ipv4/ip_sockglue.c |  9 ++++-----
 net/ipv6/datagram.c    | 10 +---------
 3 files changed, 6 insertions(+), 14 deletions(-)

Comments

David Miller April 17, 2017, 5 p.m.
From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Date: Wed, 12 Apr 2017 19:24:35 -0400

> From: Willem de Bruijn <willemb@google.com>
> 
> Syzkaller reported a use-after-free in ip_recv_error at line
> 
>     info->ipi_ifindex = skb->dev->ifindex;
> 
> This function is called on dequeue from the error queue, at which
> point the device pointer may no longer be valid.
> 
> Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
> pointer is valid or NULL. Store it in temporary storage skb->cb.
> 
> It is safe to reference skb->dev here, as called from device drivers
> or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
> in that case it is NULL and ifindex is set to 0 (invalid).
> 
> Do not return a pktinfo cmsg if ifindex is 0. This maintains the
> current behavior of not returning a cmsg if skb->dev was NULL.
> 
> On dequeue, the ipv4 path will cast from sock_exterr_skb to
> in_pktinfo. Both have ifindex as their first element, so no explicit
> conversion is needed. This is by design, introduced in commit
> 0b922b7a829c ("net: original ingress device index in PKTINFO"). For
> ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.
> 
> Fixes: 829ae9d61165 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")
> 
> Reported-by: Andrey Konovalov <andreyknvl@google.com>
> Signed-off-by: Willem de Bruijn <willemb@google.com>

Applied and queued up for -stable, thanks.

In the future please don't insert empty lines between the Fixes: and
other tags.

Thanks.

Patch hide | download patch | download mbox

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 9f781092fda9..35c1e2460206 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3807,6 +3807,7 @@  static void __skb_complete_tx_timestamp(struct sk_buff *skb,
 	serr->ee.ee_origin = SO_EE_ORIGIN_TIMESTAMPING;
 	serr->ee.ee_info = tstype;
 	serr->opt_stats = opt_stats;
+	serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0;
 	if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) {
 		serr->ee.ee_data = skb_shinfo(skb)->tskey;
 		if (sk->sk_protocol == IPPROTO_TCP &&
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index ebd953bc5607..35076792caa5 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -488,16 +488,15 @@  static bool ipv4_datagram_support_cmsg(const struct sock *sk,
 		return false;
 
 	/* Support IP_PKTINFO on tstamp packets if requested, to correlate
-	 * timestamp with egress dev. Not possible for packets without dev
+	 * timestamp with egress dev. Not possible for packets without iif
 	 * or without payload (SOF_TIMESTAMPING_OPT_TSONLY).
 	 */
-	if ((!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG)) ||
-	    (!skb->dev))
+	info = PKTINFO_SKB_CB(skb);
+	if (!(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_CMSG) ||
+	    !info->ipi_ifindex)
 		return false;
 
-	info = PKTINFO_SKB_CB(skb);
 	info->ipi_spec_dst.s_addr = ip_hdr(skb)->saddr;
-	info->ipi_ifindex = skb->dev->ifindex;
 	return true;
 }
 
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index eec27f87efac..e011122ebd43 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -405,9 +405,6 @@  static inline bool ipv6_datagram_support_addr(struct sock_exterr_skb *serr)
  * At one point, excluding local errors was a quick test to identify icmp/icmp6
  * errors. This is no longer true, but the test remained, so the v6 stack,
  * unlike v4, also honors cmsg requests on all wifi and timestamp errors.
- *
- * Timestamp code paths do not initialize the fields expected by cmsg:
- * the PKTINFO fields in skb->cb[]. Fill those in here.
  */
 static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
 				      struct sock_exterr_skb *serr)
@@ -419,14 +416,9 @@  static bool ip6_datagram_support_cmsg(struct sk_buff *skb,
 	if (serr->ee.ee_origin == SO_EE_ORIGIN_LOCAL)
 		return false;
 
-	if (!skb->dev)
+	if (!IP6CB(skb)->iif)
 		return false;
 
-	if (skb->protocol == htons(ETH_P_IPV6))
-		IP6CB(skb)->iif = skb->dev->ifindex;
-	else
-		PKTINFO_SKB_CB(skb)->ipi_ifindex = skb->dev->ifindex;
-
 	return true;
 }