From patchwork Sat Mar 9 22:43:38 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 1053886
X-Patchwork-Delegate: davem@davemloft.net
Date: Sat, 9 Mar 2019 14:43:38 -0800
Message-Id: <20190309224338.60907-1-edumazet@google.com>
X-Mailer: git-send-email 2.21.0.360.g471c308f928-goog
Subject: [PATCH net] ip: fix ip_mc_may_pull() return value
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet, syzbot, Linus Lüssing
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

ip_mc_may_pull() must return 0 if there is a problem, not an errno.

syzbot reported :

BUG: KASAN: use-after-free in br_ip4_multicast_igmp3_report net/bridge/br_multicast.c:947 [inline]
BUG: KASAN: use-after-free in br_multicast_ipv4_rcv net/bridge/br_multicast.c:1631 [inline]
BUG: KASAN: use-after-free in br_multicast_rcv+0x3cd8/0x4440 net/bridge/br_multicast.c:1741
Read of size 4 at addr ffff88820a4084ee by task syz-executor.2/11183

CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.0.0+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
 br_ip4_multicast_igmp3_report net/bridge/br_multicast.c:947 [inline]
 br_multicast_ipv4_rcv net/bridge/br_multicast.c:1631 [inline]
 br_multicast_rcv+0x3cd8/0x4440 net/bridge/br_multicast.c:1741
 br_handle_frame_finish+0xa3a/0x14c0 net/bridge/br_input.c:108
 br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1005
 br_nf_pre_routing_finish+0x8e2/0x1750 net/bridge/br_netfilter_hooks.c:410
 NF_HOOK include/linux/netfilter.h:289 [inline]
 NF_HOOK include/linux/netfilter.h:283 [inline]
 br_nf_pre_routing+0x7e7/0x13a0 net/bridge/br_netfilter_hooks.c:506
 nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
 nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
 nf_hook include/linux/netfilter.h:244 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305
 __netif_receive_skb_core+0xa96/0x3040 net/core/dev.c:4902
__netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971 __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083 netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5186 netif_receive_skb+0x6e/0x5a0 net/core/dev.c:5261 Fixes: ba5ea614622d ("bridge: simplify ip_mc_check_igmp() and ipv6_mc_check_mld() calls") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Linus Lüssing --- include/linux/igmp.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/igmp.h b/include/linux/igmp.h index cc85f4524dbfab28d03723c2fcb65c23730dee54..9c94b2ea789ceb9a06d9da0d8b07d28801732930 100644 --- a/include/linux/igmp.h +++ b/include/linux/igmp.h @@ -110,7 +110,7 @@ struct ip_mc_list { static inline int ip_mc_may_pull(struct sk_buff *skb, unsigned int len) { if (skb_transport_offset(skb) + ip_transport_len(skb) < len) - return -EINVAL; + return 0; return pskb_may_pull(skb, len); }
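
Review bot: ip_mc_may_pull() is declared `static inline int` but is a yes/no predicate (0 on failure, otherwise whatever pskb_may_pull() returns), and that `int` signature is what made `return -EINVAL;` look plausible in the short-length branch. Consider changing the return type to `bool` and writing `return false;` there, or at least adding a one-line comment above the function stating that it returns 0 when `len` bytes cannot be pulled, so that a future errno return stands out in review. Separately, the commit message does not say how the errno return leads to the KASAN read in br_ip4_multicast_igmp3_report; one sentence on how the callers interpret the return value would make the Fixes: reference self-explanatory.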