From patchwork Fri Jan 4 19:00:00 2019
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 1020886
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Dumazet
To: "David S . Miller"
Cc: netdev, Eric Dumazet, Eric Dumazet, Piotr Sawicki, Casey Schaufler, syzbot
Subject: [PATCH net] ipv6: make icmp6_send() robust against null skb->dev
Date: Fri, 4 Jan 2019 11:00:00 -0800
Message-Id: <20190104190000.91387-1-edumazet@google.com>
X-Mailer: git-send-email 2.20.1.97.g81188d93c3-goog
MIME-Version: 1.0
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netdev@vger.kernel.org

syzbot was able to crash one host with the following stack trace:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8625 Comm: syz-executor4 Not tainted 4.20.0+ #8
RIP: 0010:dev_net include/linux/netdevice.h:2169 [inline]
RIP: 0010:icmp6_send+0x116/0x2d30 net/ipv6/icmp.c:426
icmpv6_send
smack_socket_sock_rcv_skb
security_sock_rcv_skb
sk_filter_trim_cap
__sk_receive_skb
dccp_v6_do_rcv
release_sock

This is because an RX packet found the socket owned by user and was stored
into the socket backlog.

Before leaving the RCU protected section, skb->dev was cleared in
__sk_receive_skb().

When the socket backlog was finally handled at release_sock() time, the skb
was fed to smack_socket_sock_rcv_skb() and then icmp6_send().

We could fix the bug in smack_socket_sock_rcv_skb(), or simply make
icmp6_send() more robust against such a possibility.

In the future we might provide the net pointer to icmp6_send() instead of
inferring it.

Fixes: d66a8acbda92 ("Smack: Inform peer that IPv6 traffic has been blocked")
Signed-off-by: Eric Dumazet
Cc: Piotr Sawicki
Cc: Casey Schaufler
Reported-by: syzbot
Acked-by: Casey Schaufler
---
 net/ipv6/icmp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
index 5d7aa2c2770ca2b4981d2dd211c3cf0a79a6f9e2..bbcdfd2996926a78c3ea0b274adfa9b5f297efbc 100644
--- a/net/ipv6/icmp.c
+++ b/net/ipv6/icmp.c
@@ -423,10 +423,10 @@ static int icmp6_iif(const struct sk_buff *skb) static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, const struct in6_addr *force_saddr) { - struct net *net = dev_net(skb->dev); struct inet6_dev *idev = NULL; struct ipv6hdr *hdr = ipv6_hdr(skb); struct sock *sk; + struct net *net; struct ipv6_pinfo *np; const struct in6_addr *saddr = NULL; struct dst_entry *dst; @@ -437,12 +437,16 @@ static void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, int iif = 0; int addr_type = 0; int len; - u32 mark = IP6_REPLY_MARK(net, skb->mark); + u32 mark; if ((u8 *)hdr < skb->head || (skb_network_header(skb) + sizeof(*hdr)) > skb_tail_pointer(skb)) return; + if (!skb->dev) + return; + net = dev_net(skb->dev); + mark = IP6_REPLY_MARK(net, skb->mark); /* * Make sure we respect the rules * i.e. RFC 1885 2.4(e)
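Review bot: in the first hunk (@@ -423), dropping the `struct net *net = dev_net(skb->dev);` initializer leaves `net` (and, after the second hunk, `mark`) uninitialized from the declaration block until the new assignments that follow the `skb->head` / `skb_tail_pointer()` bounds check. The lines between the two hunks (roughly 433 to 437 of the old file) are outside the diff context, so please confirm nothing in that gap reads `net` or `mark`; any such use would now operate on an indeterminate value, and a compiler warning is not guaranteed for the pointer case.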
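Review bot: in the second hunk (@@ -437), the new `if (!skb->dev) return;` carries no comment explaining why a NULL `skb->dev` is legitimate at this point, so a reader of icmp.c alone sees an unexplained early return that silently suppresses the ICMPv6 error. The commit message has the reason (skb->dev is cleared in __sk_receive_skb() before the skb is queued to the socket backlog, and the Smack hook later calls icmpv6_send() from release_sock()); suggest capturing it in a one-line comment above the check, e.g. `/* skb->dev is NULL for skbs processed from the socket backlog */`. Ordering looks right: the bounds check runs first, then the dev check, then `net = dev_net(skb->dev);` and `mark = IP6_REPLY_MARK(net, skb->mark);`, which needs `net`. Worth stating in the changelog that, for backlogged packets, Smack's "inform peer" notification from d66a8acbda92 is now skipped rather than sent; that is fine as a crash fix, but if the notification matters the alternative the message mentions, fixing smack_socket_sock_rcv_skb(), would still be needed.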