From patchwork Mon Mar 11 18:41:05 2019
X-Patchwork-Submitter: Christoph Paasch
X-Patchwork-Id: 1054872
X-Patchwork-Delegate: davem@davemloft.net
From: Christoph Paasch
To: David Miller
Cc: netdev@vger.kernel.org, Eric Dumazet
Subject: [PATCH] tcp: Don't access TCP_SKB_CB before initializing it
Date: Mon, 11 Mar 2019 11:41:05 -0700
Message-id: <20190311184105.40101-1-cpaasch@apple.com>
X-Mailer: git-send-email 2.16.2
X-Mailing-List: netdev@vger.kernel.org

Since commit eeea10b83a13 ("tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()"),
tcp_vX_fill_cb is only called after tcp_filter(). That means
TCP_SKB_CB(skb)->end_seq still points to the IP-part of the cb. We thus
should not muck with it, as this can trigger bugs (thanks syzkaller):

[   12.349396] ==================================================================
[   12.350188] BUG: KASAN: slab-out-of-bounds in ip6_datagram_recv_specific_ctl+0x19b3/0x1a20
[   12.351035] Read of size 1 at addr ffff88006adbc208 by task test_ip6_datagr/1799

Setting end_seq is actually no longer necessary in tcp_filter as it gets
initialized later on in tcp_vX_fill_cb.

Cc: Eric Dumazet
Fixes: eeea10b83a13 ("tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()")
Signed-off-by: Christoph Paasch
Signed-off-by: Eric Dumazet
---
 net/ipv4/tcp_ipv4.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 831d844a27ca..277d71239d75 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1734,15 +1734,8 @@ EXPORT_SYMBOL(tcp_add_backlog); int tcp_filter(struct sock *sk, struct sk_buff *skb) { struct tcphdr *th = (struct tcphdr *)skb->data; - unsigned int eaten = skb->len; - int err; - err = sk_filter_trim_cap(sk, skb, th->doff * 4); - if (!err) { - eaten -= skb->len; - TCP_SKB_CB(skb)->end_seq -= eaten; - } - return err; + return sk_filter_trim_cap(sk, skb, th->doff * 4); } EXPORT_SYMBOL(tcp_filter);
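Review bot: the hunk drops the `eaten` bookkeeping from tcp_filter() without leaving any comment in the function about why, so the next reader who notices that sk_filter_trim_cap() can shorten the skb is likely to reintroduce `TCP_SKB_CB(skb)->end_seq -= eaten;`. Please add a one-line comment above `return sk_filter_trim_cap(sk, skb, th->doff * 4);` stating the ordering invariant from the commit message: tcp_filter() runs before tcp_vX_fill_cb(), so TCP_SKB_CB(skb) still aliases the IP control block and must not be written here, and end_seq is recomputed from the trimmed skb->len in fill_cb. The remaining `th` local is now only used for the `th->doff * 4` cap, which is fine as is.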
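The commit message describes skb->cb being read through the IP layer's layout and TCP's layout at different points in the receive path. The following is an added example, not kernel code and not part of the patch: it models that aliasing with simplified, assumed struct layouts (ip6_cb and tcp_cb are stand-ins, not the kernel's inet6_skb_parm and tcp_skb_cb; filter_trim and fill_cb stand in for sk_filter_trim_cap and tcp_v6_fill_cb), and shows that the pre-patch end_seq adjustment lands on the IP cb's fields while the post-patch version leaves them intact and still ends up with the same end_seq. The packet sizes and sequence numbers are constructed.

```c
/*
 * Added example (not kernel code): why tcp_filter() must not write
 * TCP_SKB_CB(skb) before tcp_vX_fill_cb() has run.  skb->cb is a single
 * 48-byte area that IP and TCP interpret through different layouts.  The
 * layouts here are simplified assumptions; the property that matters is
 * kept: seq/end_seq sit at the start of cb, and fill_cb() moves the IP cb
 * to the end of cb before TCP touches it.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define CB_SIZE 48   /* size of skb->cb in the kernel */

/* Assumed stand-in for struct inet6_skb_parm: header offsets that the IP
 * layer later uses to index into the packet. */
struct ip6_cb {
    int      iif;
    uint16_t ra;
    uint16_t dst0;    /* offset of a destination-options header, 0 = none */
    uint16_t srcrt;
    uint16_t nhoff;
};

/* Assumed stand-in for struct tcp_skb_cb. */
struct tcp_cb {
    uint32_t seq;
    uint32_t end_seq;
    uint8_t  pad[CB_SIZE - 2 * sizeof(uint32_t) - sizeof(struct ip6_cb)];
    struct ip6_cb header;   /* copy of the IP cb, placed here by fill_cb() */
};
_Static_assert(sizeof(struct tcp_cb) == CB_SIZE, "overlay must fit skb->cb");

struct skb {
    unsigned int  len;      /* bytes in the skb: TCP header + payload */
    unsigned char cb[CB_SIZE];
};

#define IP6CB(s)      ((struct ip6_cb *)(s)->cb)
#define TCP_SKB_CB(s) ((struct tcp_cb *)(s)->cb)

/* Stand-in for sk_filter_trim_cap(): the socket filter keeps `keep` bytes. */
static int filter_trim(struct skb *s, unsigned int keep)
{
    if (s->len > keep)
        s->len = keep;
    return 0;
}

/* Pre-patch tcp_filter(): cb still holds the IP cb, so the end_seq
 * subtraction lands on bytes 4..7 of ip6_cb (ra and dst0). */
static int tcp_filter_before(struct skb *s, unsigned int keep)
{
    unsigned int eaten = s->len;
    int err = filter_trim(s, keep);

    if (!err) {
        eaten -= s->len;
        TCP_SKB_CB(s)->end_seq -= eaten;   /* corrupts the IP cb */
    }
    return err;
}

/* Post-patch tcp_filter(): only trims, never touches cb. */
static int tcp_filter_after(struct skb *s, unsigned int keep)
{
    return filter_trim(s, keep);
}

/* Stand-in for tcp_v6_fill_cb(): move the IP cb to the end of cb, then
 * derive the TCP fields from the already-trimmed length. */
static void fill_cb(struct skb *s, uint32_t seq, unsigned int hdrlen)
{
    memmove(&TCP_SKB_CB(s)->header, IP6CB(s), sizeof(struct ip6_cb));
    TCP_SKB_CB(s)->seq = seq;
    TCP_SKB_CB(s)->end_seq = seq + (s->len - hdrlen);
}

/* Run one receive path on a constructed 200-byte skb (20-byte TCP header)
 * and return the dst0 the IP layer would later read from its saved cb.
 * If end_seq is non-NULL, the end_seq computed by fill_cb() is stored there. */
uint16_t run_path(int fixed, unsigned int keep, uint32_t *end_seq)
{
    struct skb s;

    s.len = 200;
    memset(s.cb, 0, sizeof s.cb);
    IP6CB(&s)->iif = 2;
    IP6CB(&s)->dst0 = 0;     /* constructed packet: no dest-opts header */
    IP6CB(&s)->nhoff = 40;

    if (fixed)
        tcp_filter_after(&s, keep);
    else
        tcp_filter_before(&s, keep);

    fill_cb(&s, 1000, 20);
    if (end_seq)
        *end_seq = TCP_SKB_CB(&s)->end_seq;
    return TCP_SKB_CB(&s)->header.dst0;
}

uint32_t path_end_seq(int fixed, unsigned int keep)
{
    uint32_t e;
    run_path(fixed, keep, &e);
    return e;
}

int main(void)
{
    printf("before patch: dst0=0x%04x end_seq=%u\n",
           run_path(0, 100, NULL), path_end_seq(0, 100));
    printf("after patch:  dst0=0x%04x end_seq=%u\n",
           run_path(1, 100, NULL), path_end_seq(1, 100));
    return 0;
}
```

With the filter trimming the skb from 200 to 100 bytes, the pre-patch path turns the zero dst0 into a non-zero offset (on a little-endian host 0xffff), which is exactly the kind of value a later `ip6_datagram_recv_specific_ctl`-style consumer would use to read past the packet; the post-patch path leaves dst0 at 0, and both paths arrive at the same end_seq of 1080 because fill_cb() computes it from the trimmed length.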