• Willem de Bruijn's avatar
    ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull · 2efd4fca
    Willem de Bruijn authored
    Syzbot reported a read beyond the end of the skb head when returning
    IPV6_ORIGDSTADDR:
    
      BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
      CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x185/0x1d0 lib/dump_stack.c:113
        kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
        kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
        kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
        copy_to_user include/linux/uaccess.h:184 [inline]
        put_cmsg+0x5ef/0x860 net/core/scm.c:242
        ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
        ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
        rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
        [..]
    
    This logic and its ipv4 counterpart read the destination port from
    the packet at skb_transport_offset(skb) + 4.
    
    With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
    packet that stores headers exactly up to skb_transport_offset(skb) in
    the head and the remainder in a frag.
    
    Call pskb_may_pull before accessing the pointer to ensure that it lies
    in skb head.
    
    Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com
    Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com
    Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2efd4fca
datagram.c 24.8 KB