| Message ID | 20180723004345.16886-1-willemdebruijn.kernel@gmail.com |
|---|---|
| State | Changes Requested, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen | expand |
On 07/22/2018 05:43 PM, Willem de Bruijn wrote: > From: Willem de Bruijn <willemb@google.com> > > Syzbot reported a read beyond the end of the skb head when returning > IPV6_ORIGDSTADDR: > > BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242 > CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9 > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > Google 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:77 [inline] > dump_stack+0x185/0x1d0 lib/dump_stack.c:113 > kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125 > kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219 > kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261 > copy_to_user include/linux/uaccess.h:184 [inline] > put_cmsg+0x5ef/0x860 net/core/scm.c:242 > ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719 > ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733 > rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521 > [..] > > This logic and its ipv4 counterpart read the destination port from > the packet at skb_transport_offset(skb) + 4. > > With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a > packet that stores headers exactly up to skb_transport_offset(skb) in > the head and the remainder in a frag. > > Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of > skb->len when trying to access this field. > > Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com > Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com > Signed-off-by: Willem de Bruijn <willemb@google.com> > --- > net/ipv4/ip_sockglue.c | 2 +- > net/ipv6/datagram.c | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) > > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c > index 64c76dcf7386..5f228d641d9b 100644 > --- a/net/ipv4/ip_sockglue.c > +++ b/net/ipv4/ip_sockglue.c > @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) > const struct iphdr *iph = ip_hdr(skb); > __be16 *ports = (__be16 *)skb_transport_header(skb); > > - if (skb_transport_offset(skb) + 4 > (int)skb->len) > + if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb)) > return; > This really should call pskb_may_pull() or skb_header_pointer().
On Sun, Jul 22, 2018 at 9:43 PM Eric Dumazet <eric.dumazet@gmail.com> wrote: > > > > On 07/22/2018 05:43 PM, Willem de Bruijn wrote: > > From: Willem de Bruijn <willemb@google.com> > > > > Syzbot reported a read beyond the end of the skb head when returning > > IPV6_ORIGDSTADDR: > > > > BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242 > > CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:77 [inline] > > dump_stack+0x185/0x1d0 lib/dump_stack.c:113 > > kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125 > > kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219 > > kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261 > > copy_to_user include/linux/uaccess.h:184 [inline] > > put_cmsg+0x5ef/0x860 net/core/scm.c:242 > > ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719 > > ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733 > > rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521 > > [..] > > > > This logic and its ipv4 counterpart read the destination port from > > the packet at skb_transport_offset(skb) + 4. > > > > With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a > > packet that stores headers exactly up to skb_transport_offset(skb) in > > the head and the remainder in a frag. > > > > Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of > > skb->len when trying to access this field. > > > > Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com > > Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com > > Signed-off-by: Willem de Bruijn <willemb@google.com> > > --- > > net/ipv4/ip_sockglue.c | 2 +- > > net/ipv6/datagram.c | 2 +- > > 2 files changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c > > index 64c76dcf7386..5f228d641d9b 100644 > > --- a/net/ipv4/ip_sockglue.c > > +++ b/net/ipv4/ip_sockglue.c > > @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) > > const struct iphdr *iph = ip_hdr(skb); > > __be16 *ports = (__be16 *)skb_transport_header(skb); > > > > - if (skb_transport_offset(skb) + 4 > (int)skb->len) > > + if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb)) > > return; > > > > This really should call pskb_may_pull() or skb_header_pointer(). Okay. Since in all common cases these bytes do lie in the skb head, pskb_may_pull is pretty cheap. I'll use that. The linked discussion already outlines a rough patch.
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 64c76dcf7386..5f228d641d9b 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct sk_buff *skb) const struct iphdr *iph = ip_hdr(skb); __be16 *ports = (__be16 *)skb_transport_header(skb); - if (skb_transport_offset(skb) + 4 > (int)skb->len) + if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb)) return; /* All current transport protocols have the port numbers in the diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c index 2ee08b6a86a4..fd43810aacd2 100644 --- a/net/ipv6/datagram.c +++ b/net/ipv6/datagram.c @@ -702,7 +702,7 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct msghdr *msg, struct sockaddr_in6 sin6; __be16 *ports = (__be16 *) skb_transport_header(skb); - if (skb_transport_offset(skb) + 4 <= (int)skb->len) { + if (skb_transport_offset(skb) + 4 <= (int)skb_headlen(skb)) { /* All current transport protocols have the port numbers in the * first four bytes of the transport header and this function is * written with this assumption in mind.