android/android_kernel_asus_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_kernel_asus_sm8350/net/ipv4
History
Eric Dumazet 20ff83f10f ipv4: add sanity checks in ipv4_link_failure() 
Before calling __ip_options_compile(), we need to ensure the network
header is a an IPv4 one, and that it is already pulled in skb->head.

RAW sockets going through a tunnel can end up calling ipv4_link_failure()
with total garbage in the skb, or arbitrary lengthes.

syzbot report :

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204

CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 memcpy+0x38/0x50 mm/kasan/common.c:133
 memcpy include/linux/string.h:355 [inline]
 __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
 __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
 ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
 dst_link_failure include/net/dst.h:427 [inline]
 vti6_xmit net/ipv6/ip6_vti.c:514 [inline]
 vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553
 __netdev_start_xmit include/linux/netdevice.h:4414 [inline]
 netdev_start_xmit include/linux/netdevice.h:4423 [inline]
 xmit_one net/core/dev.c:3292 [inline]
 dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308
 __dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3911
 neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
 neigh_output include/net/neighbour.h:508 [inline]
 ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229
 ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:278 [inline]
 ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:289 [inline]
 raw_send_hdrinc net/ipv4/raw.c:432 [inline]
 raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663
 inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:661
 sock_write_iter+0x27c/0x3e0 net/socket.c:988
 call_write_iter include/linux/fs.h:1866 [inline]
 new_sync_write+0x4c7/0x760 fs/read_write.c:474
 __vfs_write+0xe4/0x110 fs/read_write.c:487
 vfs_write+0x20c/0x580 fs/read_write.c:549
 ksys_write+0x14f/0x2d0 fs/read_write.c:599
 __do_sys_write fs/read_write.c:611 [inline]
 __se_sys_write fs/read_write.c:608 [inline]
 __x64_sys_write+0x73/0xb0 fs/read_write.c:608
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458c29
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4
R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff

The buggy address belongs to the page:
page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
 ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
                         ^
 ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
 ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-24 14:40:41 -07:00
..
bpfilter
net: bpfilter: disallow to remove bpfilter module while being used
2019-01-11 18:05:41 -08:00
netfilter
netfilter: nf_tables: merge ipv4 and ipv6 nat chain types
2019-03-01 14:36:59 +01:00
af_inet.c
gso: validate gso_type on ipip style tunnels
2019-02-20 11:24:27 -08:00
ah4.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
arp.c
net: Evict neighbor entries on carrier down
2018-10-12 09:47:39 -07:00
cipso_ipv4.c
netlabel: fix out-of-bounds memory accesses
2019-02-27 21:45:24 -08:00
datagram.c
ipv4: Allow sending multicast packets on specific i/f using VRF socket
2018-10-02 22:28:17 -07:00
devinet.c
net: ignore sysctl_devconf_inherit_init_net without SYSCTL
2019-03-04 13:14:34 -08:00
esp4_offload.c
net: use skb_sec_path helper in more places
2018-12-19 11:21:37 -08:00
esp4.c
esp: Skip TX bytes accounting when sending from a request socket
2019-01-28 11:20:58 +01:00
fib_frontend.c
ipv4: Return error for RTA_VIA attribute
2019-02-26 13:23:17 -08:00
fib_lookup.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fib_notifier.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fib_rules.c
ipv4: fib_rules: Fix possible infinite loop in fib_empty_table
2018-12-30 12:57:04 -08:00
fib_semantics.c
ipv4: fib: use struct_size() in kzalloc()
2019-02-01 15:12:29 -08:00
fib_trie.c
net: ipv4: Fix memory leak in network namespace dismantle
2019-01-15 13:33:44 -08:00
fou.c
net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
2019-04-10 23:02:23 -07:00
gre_demux.c
net: ip_gre: use erspan key field for tunnel lookup
2019-01-22 11:52:17 -08:00
gre_offload.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
icmp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2019-03-02 12:54:35 -08:00
igmp.c
net: remove unneeded switch fall-through
2019-02-21 13:48:00 -08:00
inet_connection_sock.c
inet: minor optimization for backlog setting in listen(2)
2018-11-07 22:31:07 -08:00
inet_diag.c
inet_diag: fix reporting cgroup classid and fallback to priority
2019-02-12 13:35:57 -05:00
inet_fragment.c
net: remove unused struct inet_frag_queue.fragments field
2019-02-26 08:27:05 -08:00
inet_hashtables.c
net: dccp: fix kernel crash on module load
2018-12-24 15:27:56 -08:00
inet_timewait_sock.c
soreuseport: initialise timewait reuseport field
2018-04-07 22:32:32 -04:00
inetpeer.c
net: ipv4: use a dedicated counter for icmp_v4 redirect packets
2019-02-08 21:50:15 -08:00
ip_forward.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-20 11:53:36 -08:00
ip_fragment.c
net: remove unused struct inet_frag_queue.fragments field
2019-02-26 08:27:05 -08:00
ip_gre.c
net: ip_gre: fix possible use-after-free in erspan_rcv
2019-04-08 16:16:47 -07:00
ip_input.c
vrf: check accept_source_route on the original netdevice
2019-04-01 10:44:58 -07:00
ip_options.c
vrf: check accept_source_route on the original netdevice
2019-04-01 10:44:58 -07:00
ip_output.c
sk_buff: add skb extension infrastructure
2018-12-19 11:21:37 -08:00
ip_sockglue.c
ip: on queued skb use skb_header_pointer instead of pskb_may_pull
2019-01-10 09:27:20 -05:00
ip_tunnel_core.c
ip_tunnel: Add dst_cache support in lwtunnel_state of ip tunnel
2019-02-24 22:13:49 -08:00
ip_tunnel.c
iptunnel: NULL pointer deref for ip_md_tunnel_xmit
2019-03-06 10:43:06 -08:00
ip_vti.c
vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
2019-01-09 14:00:37 +01:00
ipcomp.c
net-ipv4: remove 2 always zero parameters from ipv4_redirect()
2018-09-26 20:30:55 -07:00
ipconfig.c
ipconfig: add carrier_timeout kernel parameter
2019-02-01 15:24:13 -08:00
ipip.c
ip_tunnel: Add tnl_update_pmtu in ip_md_tunnel_xmit
2019-01-26 09:43:03 -08:00
ipmr_base.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-19 11:03:06 -07:00
ipmr.c
ipmr: ip6mr: Create new sockopt to clear mfc cache or vifs
2019-02-21 13:05:05 -08:00
Kconfig
net: remove blank lines at end of file
2018-07-24 14:10:43 -07:00
Makefile
bpf, sockmap: convert to generic sk_msg interface
2018-10-15 12:23:19 -07:00
metrics.c
net: Add extack argument to ip_fib_metrics_init
2018-11-06 15:00:45 -08:00
netfilter.c
netfilter: ipv4: remove useless export_symbol
2019-01-28 11:32:58 +01:00
netlink.c
ipv4: Add ICMPv6 support when parse route ipproto
2019-03-01 16:41:27 -08:00
ping.c
ipv4: Allow sending multicast packets on specific i/f using VRF socket
2018-10-02 22:28:17 -07:00
proc.c
tcp: implement coalescing on backlog queue
2018-11-30 13:26:54 -08:00
protocol.c
fou, fou6: ICMP error handlers for FoU and GUE
2018-11-08 17:13:08 -08:00
raw_diag.c
net: ipv6: add second dif to raw socket lookups
2017-08-07 11:39:22 -07:00
raw.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-20 11:53:36 -08:00
route.c
ipv4: add sanity checks in ipv4_link_failure()
2019-04-24 14:40:41 -07:00
syncookies.c
tcp: handle inet_csk_reqsk_queue_add() failures
2019-03-08 16:05:10 -08:00
sysctl_net_ipv4.c
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
2019-04-17 13:57:11 -07:00
tcp_bbr.c
tcp_bbr: adapt cwnd based on ack aggregation estimation
2019-01-24 22:27:27 -08:00
tcp_bic.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp_bpf.c
bpf: sk_msg, sock{map|hash} redirect through ULP
2018-12-20 23:47:09 +01:00
tcp_cdg.c
tcp: cdg: use tcp high resolution clock cache
2018-10-15 22:56:42 -07:00
tcp_cong.c
tcp: Namespace-ify sysctl_tcp_default_congestion_control
2017-11-15 14:09:52 +09:00
tcp_cubic.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp_dctcp.c
dctcp: more accurate tracking of packets delivery
2019-04-11 21:31:03 -07:00
tcp_dctcp.h
tcp: refactor DCTCP ECN ACK handling
2018-10-10 22:26:00 -07:00
tcp_diag.c
net: sock: replace sk_state_load with inet_sk_state_load and remove sk_state_store
2017-12-20 14:00:25 -05:00
tcp_fastopen.c
tcp: pause Fast Open globally after third consecutive timeout
2017-12-13 15:51:12 -05:00
tcp_highspeed.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp_htcp.c
tcp: fix cwnd undo in Reno and HTCP congestion controls
2017-08-06 21:25:10 -07:00
tcp_hybla.c
tcp: make undo_cwnd mandatory for congestion modules
2016-11-21 13:20:17 -05:00
tcp_illinois.c
net/tcp/illinois: replace broken algorithm reference link
2018-02-28 12:03:47 -05:00
tcp_input.c
tcp: tcp_grow_window() needs to respect tcp_space()
2019-04-16 21:47:39 -07:00
tcp_ipv4.c
tcp: fix a potential NULL pointer dereference in tcp_sk_exit
2019-04-01 10:11:41 -07:00
tcp_lp.c
tcp: switch TCP TS option (RFC 7323) to 1ms clock
2017-05-17 16:06:01 -04:00
tcp_metrics.c
mm: convert totalram_pages and totalhigh_pages variables to atomic
2018-12-28 12:11:47 -08:00
tcp_minisocks.c
tcp: use tcp_md5_needed for timewait sockets
2019-02-26 13:16:03 -08:00
tcp_nv.c
tcp_nv: fix potential integer overflow in tcpnv_acked
2018-01-31 10:26:30 -05:00
tcp_offload.c
net: use indirect call wrappers at GRO transport layer
2018-12-15 13:23:02 -08:00
tcp_output.c
tcp: remove tcp_queue argument from tso_fragment()
2019-02-26 13:16:03 -08:00
tcp_rate.c
tcp: introduce tcp_skb_timestamp_us() helper
2018-09-21 19:37:59 -07:00
tcp_recovery.c
tcp: introduce tcp_skb_timestamp_us() helper
2018-09-21 19:37:59 -07:00
tcp_scalable.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp_timer.c
tcp: Refactor pingpong code
2019-01-27 13:29:43 -08:00
tcp_ulp.c
tcp, ulp: remove socket lock assertion on ULP cleanup
2018-10-16 12:38:41 -07:00
tcp_vegas.c
tcp: fix under-evaluated ssthresh in TCP Vegas
2017-09-29 06:07:00 +01:00
tcp_vegas.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
tcp_veno.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp_westwood.c
tcp: Revert "tcp: remove CA_ACK_SLOWPATH"
2017-08-30 11:20:08 -07:00
tcp_yeah.c
tcp: consolidate congestion control undo functions
2017-08-06 21:25:10 -07:00
tcp.c
tcp: do not report TCP_CM_INQ of 0 for closed connections
2019-03-06 11:00:50 -08:00
tunnel4.c
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
udp_diag.c
net: diag: document swapped src/dst in udp_dump_one.
2018-10-28 19:27:21 -07:00
udp_impl.h
udp: add missing rehash callback to udplite
2019-01-17 15:01:08 -08:00
udp_offload.c
udp: use indirect call wrappers for GRO socket lookup
2018-12-15 13:23:02 -08:00
udp_tunnel.c
net/ipv4/udp_tunnel: prefer SO_BINDTOIFINDEX over SO_BINDTODEVICE
2019-01-17 14:55:52 -08:00
udp.c
udp: fix possible user after free in error handler
2019-02-22 16:05:11 -08:00
udplite.c
udp: add missing rehash callback to udplite
2019-01-17 15:01:08 -08:00
xfrm4_input.c
xfrm: reset transport header back to network header after all input transforms ahave been applied
2018-09-04 10:26:30 +02:00
xfrm4_mode_beet.c
networking: make skb_pull & friends return void pointers
2017-06-16 11:48:39 -04:00
xfrm4_mode_transport.c
xfrm: reset transport header back to network header after all input transforms ahave been applied
2018-09-04 10:26:30 +02:00
xfrm4_mode_tunnel.c
xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
2018-03-07 10:54:29 +01:00
xfrm4_output.c
net: xfrm: use skb_gso_validate_network_len() to check gso sizes
2018-03-04 17:49:17 -05:00
xfrm4_policy.c
net: Drop pernet_operations::async
2018-03-27 13:18:09 -04:00
xfrm4_protocol.c
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
xfrm4_state.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xfrm4_tunnel.c