From patchwork Tue Apr 25 13:18:27 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Alexander Potapenko X-Patchwork-Id: 754824 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3wC3h10ntpz9s7s for ; Tue, 25 Apr 2017 23:18:57 +1000 (AEST) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=google.com header.i=@google.com header.b="ihZZyt8e"; dkim-atps=neutral Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1428471AbdDYNSg (ORCPT ); Tue, 25 Apr 2017 09:18:36 -0400 Received: from mail-wr0-f182.google.com ([209.85.128.182]:35717 "EHLO mail-wr0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1176717AbdDYNSc (ORCPT ); Tue, 25 Apr 2017 09:18:32 -0400 Received: by mail-wr0-f182.google.com with SMTP id z52so67322257wrc.2 for ; Tue, 25 Apr 2017 06:18:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=kthHYqMiz3neTqz+bXuoTTAgAk1roxkVmRAK7oD/luU=; b=ihZZyt8eNNg91SjiPnVYDywJV+Ya8uCp+Cg/BQeeuIwu5Nwxm8YsPd3YIDKMLa+JbL AnvHxWxqs3U/MXrOH2Po0PXZFY6ByCqiEEGJU6JdyxwgW6HZHeygeUii27lmSNI7TGYT iIZ2GxkIVyutrfvbFK3/xakhoyT41iF8H4P84WIhFr28+uUWlHcMNoeBsSmbfULctZDs K/0XpEh7NLsrKMdaEoG6r7EXw6bD7jayA0GATvcNKKmA3H+Q8PLoCrKBihsYuA52db/U hIXIDyecKxzh1L3RTOk8g1IkItDM8hG4b+ocmG1luJ6OpZl21QIv9RBaGnrHwA4lVdV5 hHmA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=kthHYqMiz3neTqz+bXuoTTAgAk1roxkVmRAK7oD/luU=; b=tW8NQglAbb+fSe7vvgBzrqmGeBpJ3cOjHvKm+LXeHq3Ks+WPjTb3BU3J+dZlrN+hhy L5sspyTUFBAjBzVGw6bDENR75s+mwczhP6x+xFYjTbttTnX9Wl5b1fMnJG+vFTWasdMB JpJNkZ0Oc/cUdWXjIh5DVHEDdWGurEWfRVfrqTekuULiVq7EKHdmhnZ1efizyci5/hRf b630Gz06ur7NaD65Gur9YOrC9dTGqQ89p4XqoS477SiSPDrjAobsncbPvRBPpvsoyGc6 QwG+soHRPUwcWpI8n7h+eVoaESx3oo5qf3UFmvWGEMHs4FgPNowt5Mxe10bDnoaNqK98 ef1g== X-Gm-Message-State: AN3rC/7R1fSISptE0y59pfpNz4GyV7AN9AoI5wXaaHTMcr+LZrZi3xk0 0rxlfeqBDjuvomR0 X-Received: by 10.223.168.97 with SMTP id l88mr10175407wrc.54.1493126310979; Tue, 25 Apr 2017 06:18:30 -0700 (PDT) Received: from glider0.muc.corp.google.com ([100.105.28.21]) by smtp.gmail.com with ESMTPSA id j26sm26258146wrb.19.2017.04.25.06.18.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 25 Apr 2017 06:18:30 -0700 (PDT) From: Alexander Potapenko To: dvyukov@google.com, kcc@google.com, edumazet@google.com, davem@davemloft.net, kuznet@ms2.inr.ac.ru Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr) Date: Tue, 25 Apr 2017 15:18:27 +0200 Message-Id: <20170425131827.66498-1-glider@google.com> X-Mailer: git-send-email 2.13.0.rc0.306.g87b477812d-goog Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org rawv6_send_hdrinc() expects that the buffer copied from the userspace contains the IPv6 header, so if too few bytes are copied parts of the header may remain uninitialized. This bug has been detected with KMSAN. Signed-off-by: Alexander Potapenko --- For the record, the KMSAN report: ================================================================== BUG: KMSAN: use of unitialized memory in nf_ct_frag6_gather+0xf5a/0x44a0 inter: 0 CPU: 0 PID: 1036 Comm: probe Not tainted 4.11.0-rc5+ #2455 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x143/0x1b0 lib/dump_stack.c:52 kmsan_report+0x16b/0x1e0 mm/kmsan/kmsan.c:1078 __kmsan_warning_32+0x5c/0xa0 mm/kmsan/kmsan_instr.c:510 nf_ct_frag6_gather+0xf5a/0x44a0 net/ipv6/netfilter/nf_conntrack_reasm.c:577 ipv6_defrag+0x1d9/0x280 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68 nf_hook_entry_hookfn ./include/linux/netfilter.h:102 nf_hook_slow+0x13f/0x3c0 net/netfilter/core.c:310 nf_hook ./include/linux/netfilter.h:212 NF_HOOK ./include/linux/netfilter.h:255 rawv6_send_hdrinc net/ipv6/raw.c:673 rawv6_sendmsg+0x2fcb/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.S:246 RIP: 0033:0x436e03 RSP: 002b:00007ffce48baf38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00000000004002b0 RCX: 0000000000436e03 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00007ffce48baf90 R08: 00007ffce48baf50 R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000401790 R14: 0000000000401820 R15: 0000000000000000 origin: 00000000d9400053 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:362 kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:257 kmsan_poison_shadow+0x6d/0xc0 mm/kmsan/kmsan.c:270 slab_alloc_node mm/slub.c:2735 __kmalloc_node_track_caller+0x1f4/0x390 mm/slub.c:4341 __kmalloc_reserve net/core/skbuff.c:138 __alloc_skb+0x2cd/0x740 net/core/skbuff.c:231 alloc_skb ./include/linux/skbuff.h:933 alloc_skb_with_frags+0x209/0xbc0 net/core/skbuff.c:4678 sock_alloc_send_pskb+0x9ff/0xe00 net/core/sock.c:1903 sock_alloc_send_skb+0xe4/0x100 net/core/sock.c:1920 rawv6_send_hdrinc net/ipv6/raw.c:638 rawv6_sendmsg+0x2918/0x41a0 net/ipv6/raw.c:919 inet_sendmsg+0x3f8/0x6d0 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 sock_sendmsg net/socket.c:643 SYSC_sendto+0x6a5/0x7c0 net/socket.c:1696 SyS_sendto+0xbc/0xe0 net/socket.c:1664 do_syscall_64+0x72/0xa0 arch/x86/entry/common.c:285 return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.S:246 ================================================================== , triggered by the following syscalls: socket(PF_INET6, SOCK_RAW, IPPROTO_RAW) = 3 sendto(3, NULL, 0, 0, {sa_family=AF_INET6, sin6_port=htons(0), inet_pton(AF_INET6, "ff00::", &sin6_addr), sin6_flowinfo=0, sin6_scope_id=0}, 28) = -1 EPERM --- net/ipv6/raw.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c index f174e76e6505..805464668bd8 100644 --- a/net/ipv6/raw.c +++ b/net/ipv6/raw.c @@ -632,6 +632,8 @@ static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length, ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu); return -EMSGSIZE; } + if (length < sizeof(struct ipv6hdr)) + return -EINVAL; if (flags&MSG_PROBE) goto out;