    net: erspan: fix use-after-free · 1d629bf9
    William Tu authored
    commit b423d13c08a656c719fa56324a8f4279c835d90c upstream.
    
    When building the erspan header for either v1 or v2, the eth_hdr()
    does not point to the right inner packet's eth_hdr,
    causing KASAN to report a use-after-free and a slab-out-of-bounds read.
    
    The patch fixes the following syzkaller issues:
    [1] BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
    [2] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
    [3] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
    [4] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
    
    [2] CPU: 0 PID: 3654 Comm: syzkaller377964 Not tainted 4.15.0-rc9+ #185
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0x194/0x257 lib/dump_stack.c:53
     print_address_description+0x73/0x250 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x25b/0x340 mm/kasan/report.c:409
     __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
     erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
     erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
     __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
     netdev_start_xmit include/linux/netdevice.h:4051 [inline]
     packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
     packet_snd net/packet/af_packet.c:2943 [inline]
     packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
     sock_sendmsg_nosec net/socket.c:638 [inline]
     sock_sendmsg+0xca/0x110 net/socket.c:648
     SYSC_sendto+0x361/0x5c0 net/socket.c:1729
     SyS_sendto+0x40/0x50 net/socket.c:1697
     do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
     do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
     entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
    RIP: 0023:0xf7fcfc79
    RSP: 002b:00000000ffc6976c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
    RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020011000
    RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
    RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
    R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
    
    Fixes: f551c91de262 ("net: erspan: introduce erspan v2 for ip_gre")
    Fixes: 84e54fe0 ("gre: introduce native tunnel support for ERSPAN")
    Reported-by: syzbot+9723f2d288e49b492cf0@syzkaller.appspotmail.com
    Reported-by: syzbot+f0ddeb2b032a8e1d9098@syzkaller.appspotmail.com
    Reported-by: syzbot+f14b3703cd8d7670203f@syzkaller.appspotmail.com
    Reported-by: syzbot+eefa384efad8d7997f20@syzkaller.appspotmail.com
    Signed-off-by: William Tu <u9012063@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Christoph Paasch <cpaasch@apple.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>