Ubuntu-focal-kernel/net/ipv6
Eric Dumazet f8c942b4e4 ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv()
[ Upstream commit 8d975c15c0cd744000ca386247432d57b21f9df0 ]

syzbot found __ip6_tnl_rcv() could access uninitialized data [1].

Call pskb_inet_may_pull() to fix this, and initialize ipv6h
variable after this call as it can change skb->head.

[1]
 BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
 BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
 BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
  __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline]
  INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline]
  IP6_ECN_decapsulate+0x7df/0x1e50 include/net/inet_ecn.h:321
  ip6ip6_dscp_ecn_decapsulate+0x178/0x1b0 net/ipv6/ip6_tunnel.c:727
  __ip6_tnl_rcv+0xd4e/0x1590 net/ipv6/ip6_tunnel.c:845
  ip6_tnl_rcv+0xce/0x100 net/ipv6/ip6_tunnel.c:888
 gre_rcv+0x143f/0x1870
  ip6_protocol_deliver_rcu+0xda6/0x2a60 net/ipv6/ip6_input.c:438
  ip6_input_finish net/ipv6/ip6_input.c:483 [inline]
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ip6_input+0x15d/0x430 net/ipv6/ip6_input.c:492
  ip6_mc_input+0xa7e/0xc80 net/ipv6/ip6_input.c:586
  dst_input include/net/dst.h:461 [inline]
  ip6_rcv_finish+0x5db/0x870 net/ipv6/ip6_input.c:79
  NF_HOOK include/linux/netfilter.h:314 [inline]
  ipv6_rcv+0xda/0x390 net/ipv6/ip6_input.c:310
  __netif_receive_skb_one_core net/core/dev.c:5532 [inline]
  __netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5646
  netif_receive_skb_internal net/core/dev.c:5732 [inline]
  netif_receive_skb+0x58/0x660 net/core/dev.c:5791
  tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
  tun_get_user+0x53af/0x66d0 drivers/net/tun.c:2002
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
  call_write_iter include/linux/fs.h:2084 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0x786/0x1200 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Uninit was created at:
  slab_post_alloc_hook+0x129/0xa70 mm/slab.h:768
  slab_alloc_node mm/slub.c:3478 [inline]
  kmem_cache_alloc_node+0x5e9/0xb10 mm/slub.c:3523
  kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:560
  __alloc_skb+0x318/0x740 net/core/skbuff.c:651
  alloc_skb include/linux/skbuff.h:1286 [inline]
  alloc_skb_with_frags+0xc8/0xbd0 net/core/skbuff.c:6334
  sock_alloc_send_pskb+0xa80/0xbf0 net/core/sock.c:2787
  tun_alloc_skb drivers/net/tun.c:1531 [inline]
  tun_get_user+0x1e8a/0x66d0 drivers/net/tun.c:1846
  tun_chr_write_iter+0x3af/0x5d0 drivers/net/tun.c:2048
  call_write_iter include/linux/fs.h:2084 [inline]
  new_sync_write fs/read_write.c:497 [inline]
  vfs_write+0x786/0x1200 fs/read_write.c:590
  ksys_write+0x20f/0x4c0 fs/read_write.c:643
  __do_sys_write fs/read_write.c:655 [inline]
  __se_sys_write fs/read_write.c:652 [inline]
  __x64_sys_write+0x93/0xd0 fs/read_write.c:652
  do_syscall_x64 arch/x86/entry/common.c:52 [inline]
  do_syscall_64+0x6d/0x140 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

CPU: 0 PID: 5034 Comm: syz-executor331 Not tainted 6.7.0-syzkaller-00562-g9f8413c4a66f #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/17/2023

Fixes: 0d3c703a9d ("ipv6: Cleanup IPv6 tunnel receive path")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20240125170557.2663942-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

CVE-2024-26641
(backported from commit a9bc32879a08f23cdb80a48c738017e39aea1080 linux-5.10.y)
[mpellizzer: backported resolving merge conflict due to variable declarations]
Signed-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>
Acked-by: Koichiro Den <koichiro.den@canonical.com>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
2024-09-27 10:50:35 +02:00
..
ila ila: call nf_unregister_net_hooks() sooner 2024-09-27 10:50:31 +02:00
netfilter inet: inet_defrag: prevent sk release while still in use 2024-08-02 16:16:08 +02:00
Kconfig net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC 2020-11-09 14:47:10 +01:00
Makefile
addrconf.c ipv6: take care of scope when choosing the src addr 2024-09-27 10:50:14 +02:00
addrconf_core.c ipv6: Ensure natural alignment of const ipv6 loopback and router addresses 2024-03-28 15:18:39 +01:00
addrlabel.c ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network 2023-02-01 15:20:57 +01:00
af_inet6.c ipv6: init the accept_queue's spinlocks in inet6_create 2024-04-26 10:54:11 +02:00
ah6.c
anycast.c
calipso.c
datagram.c ipv6: Fix datagram socket connection with DSCP. 2023-04-18 17:21:04 +02:00
esp6.c net: ipv6: fix return value check in esp_remove_trailer 2024-01-05 14:29:56 +01:00
esp6_offload.c xfrm: Linearize the skb after offloading if needed. 2023-10-02 12:11:57 +02:00
exthdrs.c
exthdrs_core.c ipv6: Fix out-of-bounds access in ipv6_find_tlv() 2023-08-09 12:25:35 +02:00
exthdrs_offload.c
fib6_notifier.c
fib6_rules.c ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action() 2024-07-05 10:51:53 +02:00
fou6.c
icmp.c icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). 2023-10-02 12:12:10 +02:00
inet6_connection_sock.c
inet6_hashtables.c secure_seq: use the 64 bits of the siphash for port offset calculation 2022-08-26 11:06:57 +02:00
ip6_checksum.c
ip6_fib.c ipv6: fix possible race in __fib6_drop_pcpu_from() 2024-08-02 16:16:10 +02:00
ip6_flowlabel.c treewide: Remove uninitialized_var() usage 2023-08-09 12:25:41 +02:00
ip6_gre.c erspan: make sure erspan_base_hdr is present in skb->head 2024-06-07 15:01:40 +02:00
ip6_icmp.c
ip6_input.c tcp/udp: Make early_demux back namespacified. 2023-01-06 08:44:44 -08:00
ip6_offload.c
ip6_offload.h
ip6_output.c ipv6: prevent UAF in ip6_send_skb() 2024-09-27 10:50:26 +02:00
ip6_tunnel.c ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() 2024-09-27 10:50:35 +02:00
ip6_udp_tunnel.c
ip6_vti.c ip6_vti: fix slab-use-after-free in decode_session6 2023-10-30 11:41:58 +01:00
ip6mr.c ip6mr: Fix skb_under_panic in ip6mr_cache_report() 2023-10-30 11:41:49 +01:00
ipcomp6.c
ipv6_sockglue.c udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM). 2023-08-09 12:25:12 +02:00
mcast.c
mcast_snoop.c net: bridge: mcast: fix broken length + header check for MRDv6 Adv. 2021-05-26 15:39:24 +02:00
mip6.c
ndisc.c ipv6: fix ndisc_is_useropt() handling for PIO 2024-09-27 10:50:18 +02:00
netfilter.c
output_core.c
ping.c ping6: Fix send to link-local addresses with VRF. 2023-09-01 14:48:45 +02:00
proc.c
protocol.c
raw.c ipv{4,6}/raw: fix output xfrm lookup wrt protocol 2023-08-09 12:25:36 +02:00
reassembly.c
route.c ipv6: prevent possible NULL dereference in rt6_probe() 2024-08-02 16:16:18 +02:00
seg6.c ipv6: sr: fix invalid unregister error path 2024-07-05 10:51:58 +02:00
seg6_hmac.c ipv6: sr: fix memleak in seg6_hmac_init_algo 2024-07-05 10:52:01 +02:00
seg6_iptunnel.c ipv6: sr: block BH in seg6_output_core() and seg6_input_core() 2024-08-02 16:16:09 +02:00
seg6_local.c seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors 2022-09-16 10:59:22 +02:00
sit.c sit: update dev->needed_headroom in ipip6_tunnel_bind_dev() 2023-08-09 12:25:24 +02:00
syncookies.c dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. 2024-02-02 14:13:06 +01:00
sysctl_net_ipv6.c
tcp_ipv6.c tcp: fix race in tcp_v6_syn_recv_sock() 2024-08-02 16:16:14 +02:00
tcpv6_offload.c
tunnel6.c
udp.c udp: preserve the connected status if only UDP cmsg 2024-06-07 15:01:47 +02:00
udp_impl.h tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct(). 2023-08-09 12:25:12 +02:00
udp_offload.c
udplite.c udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). 2023-08-09 12:25:34 +02:00
xfrm6_input.c xfrm: Preserve vlan tags for transport mode software GRO 2024-07-05 10:51:53 +02:00
xfrm6_output.c
xfrm6_policy.c xfrm6: check ip6_dst_idev() return value in xfrm6_get_saddr() 2024-08-02 16:16:19 +02:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c