android/android_kernel_samsung_sm8650
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_kernel_samsung_sm8650/net/ipv6
History
Eric Dumazet 7d033c9f6a ipv6: fix kernel-infoleak in ipv6_local_error() 
This patch makes sure the flow label in the IPv6 header
forged in ipv6_local_error() is initialized.

BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
CPU: 1 PID: 24675 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
 kmsan_internal_check_memory+0x455/0xb00 mm/kmsan/kmsan.c:675
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
 copy_to_user include/linux/uaccess.h:177 [inline]
 move_addr_to_user+0x2e9/0x4f0 net/socket.c:227
 ___sys_recvmsg+0x5d7/0x1140 net/socket.c:2284
 __sys_recvmsg net/socket.c:2327 [inline]
 __do_sys_recvmsg net/socket.c:2337 [inline]
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
RIP: 0033:0x457ec9
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f8750c06c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
RDX: 0000000000002000 RSI: 0000000020000400 RDI: 0000000000000005
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8750c076d4
R13: 00000000004c4a60 R14: 00000000004d8140 R15: 00000000ffffffff

Uninit was stored to memory at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
 kmsan_save_stack mm/kmsan/kmsan.c:219 [inline]
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:439
 __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
 ipv6_recv_error+0x1e3f/0x1eb0 net/ipv6/datagram.c:475
 udpv6_recvmsg+0x398/0x2ab0 net/ipv6/udp.c:335
 inet_recvmsg+0x4fb/0x600 net/ipv4/af_inet.c:830
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0x1d1/0x230 net/socket.c:801
 ___sys_recvmsg+0x4d5/0x1140 net/socket.c:2278
 __sys_recvmsg net/socket.c:2327 [inline]
 __do_sys_recvmsg net/socket.c:2337 [inline]
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
 slab_post_alloc_hook mm/slab.h:446 [inline]
 slab_alloc_node mm/slub.c:2759 [inline]
 __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:998 [inline]
 ipv6_local_error+0x1a7/0x9e0 net/ipv6/datagram.c:334
 __ip6_append_data+0x129f/0x4fd0 net/ipv6/ip6_output.c:1311
 ip6_make_skb+0x6cc/0xcf0 net/ipv6/ip6_output.c:1775
 udpv6_sendmsg+0x3f8e/0x45d0 net/ipv6/udp.c:1384
 inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg net/socket.c:631 [inline]
 __sys_sendto+0x8c4/0xac0 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto+0x107/0x130 net/socket.c:1796
 __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
 entry_SYSCALL_64_after_hwframe+0x63/0xe7

Bytes 4-7 of 28 are uninitialized
Memory access of size 28 starts at ffff8881937bfce0
Data copied to user address 0000000020000000

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-01-10 09:36:41 -05:00
..
ila
ila: remove blank lines at EOF
2018-07-24 14:10:42 -07:00
netfilter
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-12-20 18:20:26 -08:00
addrconf_core.c
net/ipv6: Add helper to return path MTU based on fib result
2018-05-22 10:51:09 +02:00
addrconf.c
netlink: fixup regression in RTM_GETADDR
2019-01-04 12:47:06 -08:00
addrlabel.c
net/ipv6: Update ip6addrlbl_dump for strict data checking
2018-10-08 10:39:05 -07:00
af_inet6.c
ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses
2019-01-05 14:17:07 -08:00
ah6.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2017-11-15 11:56:19 -08:00
anycast.c
net/ipv6: compute anycast address hash only if dev is null
2018-11-08 17:04:43 -08:00
calipso.c
ipv6: make ipv6_renew_options() interrupt/kernel safe
2018-07-05 20:15:26 +09:00
datagram.c
ipv6: fix kernel-infoleak in ipv6_local_error()
2019-01-10 09:36:41 -05:00
esp6_offload.c
net: use skb_sec_path helper in more places
2018-12-19 11:21:37 -08:00
esp6.c
net: use skb_sec_path helper in more places
2018-12-19 11:21:37 -08:00
exthdrs_core.c
net: ipv6: Fix typo in ipv6_find_hdr() documentation
2018-05-07 23:50:27 -04:00
exthdrs_offload.c
ipv6: fix exthdrs offload registration in out_rt path
2015-09-02 15:31:00 -07:00
exthdrs.c
ipv6: make ipv6_renew_options() interrupt/kernel safe
2018-07-05 20:15:26 +09:00
fib6_notifier.c
net: Add module reference to FIB notifiers
2017-09-01 20:33:42 -07:00
fib6_rules.c
net/ipv6: Add fib6_lookup
2018-05-11 00:10:56 +02:00
fou6.c
fou6: Prevent unbounded recursion in GUE error handler
2019-01-04 13:06:07 -08:00
icmp.c
ipv6: make icmp6_send() robust against null skb->dev
2019-01-04 13:40:03 -08:00
inet6_connection_sock.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-01-28 10:33:06 -05:00
inet6_hashtables.c
net: tcp6: prefer listeners bound to an address
2018-12-14 15:55:20 -08:00
ip6_checksum.c
net: udp: fix handling of CHECKSUM_COMPLETE packets
2018-10-24 14:18:16 -07:00
ip6_fib.c
ipv6: Fix dump of specific table with strict checking
2019-01-02 20:15:43 -08:00
ip6_flowlabel.c
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
ip6_gre.c
ip: validate header length on virtual device xmit
2019-01-01 12:05:02 -08:00
ip6_icmp.c
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ip6_input.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-09 21:43:31 -08:00
ip6_offload.c
net: use indirect call wrappers at GRO transport layer
2018-12-15 13:23:02 -08:00
ip6_offload.h
udp: Add GRO functions to UDP socket
2016-04-07 16:53:29 -04:00
ip6_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-20 11:53:36 -08:00
ip6_tunnel.c
ip: validate header length on virtual device xmit
2019-01-01 12:05:02 -08:00
ip6_udp_tunnel.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-20 11:53:36 -08:00
ip6_vti.c
ip: validate header length on virtual device xmit
2019-01-01 12:05:02 -08:00
ip6mr.c
ip: validate header length on virtual device xmit
2019-01-01 12:05:02 -08:00
ipcomp6.c
net: inet: Support UID-based routing in IP protocols.
2016-11-04 14:45:23 -04:00
ipv6_sockglue.c
ipv6: allow ping to link-local address in VRF
2018-11-07 16:12:39 -08:00
Kconfig
net: remove blank lines at end of file
2018-07-24 14:10:43 -07:00
Makefile
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mcast_snoop.c
net: fix wrong skb_get() usage / crash in IGMP/MLD parsing code
2015-08-13 17:08:39 -07:00
mcast.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-10-19 11:03:06 -07:00
mip6.c
ktime: Get rid of ktime_equal()
2016-12-25 17:21:23 +01:00
ndisc.c
ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
2018-10-26 15:58:06 -07:00
netfilter.c
netfilter: ipv6: Preserve link scope traffic original oif
2018-11-27 00:12:20 +01:00
output_core.c
net: accept UFO datagrams from tuntap and packet
2017-11-24 01:37:35 +09:00
ping.c
ipv6: fold sockcm_cookie into ipcm6_cookie
2018-07-07 10:58:49 +09:00
proc.c
proc: introduce proc_create_net_single
2018-05-16 07:24:30 +02:00
protocol.c
net: Add sysctl to toggle early demux for tcp and udp
2017-03-24 13:17:07 -07:00
raw.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-12-20 11:53:36 -08:00
reassembly.c
ipv6: fix typo in net/ipv6/reassembly.c
2018-12-30 13:02:46 -08:00
route.c
ipv6: route: Fix return value of ip6_neigh_lookup() on neigh_create() error
2019-01-02 10:29:20 -08:00
seg6_hmac.c
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
2018-07-03 10:29:26 +09:00
seg6_iptunnel.c
ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output
2018-12-07 12:22:39 -08:00
seg6_local.c
bpf: add End.DT6 action to bpf_lwt_seg6_action helper
2018-07-31 09:22:48 +02:00
seg6.c
rhashtable: split rhashtable.h
2018-06-22 13:43:27 +09:00
sit.c
ip: validate header length on virtual device xmit
2019-01-01 12:05:02 -08:00
syncookies.c
net/ipv4: disable SMC TCP option with SYN Cookies
2018-03-25 20:53:54 -04:00
sysctl_net_ipv6.c
ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode
2018-04-25 13:02:15 -04:00
tcp_ipv6.c
ipv6: Fix handling of LLA with VRF and sockets bound to VRF
2018-12-15 11:36:14 -08:00
tcpv6_offload.c
net: use indirect call wrappers at GRO transport layer
2018-12-15 13:23:02 -08:00
tunnel6.c
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
udp_impl.h
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
udp_offload.c
net: use indirect call wrappers at GRO transport layer
2018-12-15 13:23:02 -08:00
udp.c
bpf: Fix [::] -> [::1] rewrite in sys_sendmsg
2019-01-04 20:23:33 -08:00
udplite.c
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
xfrm6_input.c
net: use skb_sec_path helper in more places
2018-12-19 11:21:37 -08:00
xfrm6_mode_beet.c
networking: make skb_pull & friends return void pointers
2017-06-16 11:48:39 -04:00
xfrm6_mode_ro.c
ipv6: xfrm: use 64-bit timestamps
2018-07-11 15:26:35 +02:00
xfrm6_mode_transport.c
xfrm: reset transport header back to network header after all input transforms ahave been applied
2018-09-04 10:26:30 +02:00
xfrm6_mode_tunnel.c
xfrm: Verify MAC header exists before overwriting eth_hdr(skb)->h_proto
2018-03-07 10:54:29 +01:00
xfrm6_output.c
xfrm6: call kfree_skb when skb is toobig
2018-09-03 07:37:57 +02:00
xfrm6_policy.c
xfrm6: remove BUG_ON from xfrm6_dst_ifdown
2018-11-22 07:55:48 +01:00
xfrm6_protocol.c
net: Convert protocol error handlers from void to int
2018-11-08 17:13:08 -08:00
xfrm6_state.c
xfrm: remove VLA usage in __xfrm6_sort()
2018-04-26 07:51:48 +02:00
xfrm6_tunnel.c
xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi
2018-12-19 12:33:17 +01:00