• Davide Caratti's avatar
    net/sched: act_tunnel_key: fix OOB write in case of IPv6 ERSPAN tunnels · a7a12b5a
    Davide Caratti authored
    the following command
    
     # tc action add action tunnel_key \
     > set src_ip 2001:db8::1 dst_ip 2001:db8::2 id 10 erspan_opts 1:6789:0:0
    
    generates the following splat:
    
     BUG: KASAN: slab-out-of-bounds in tunnel_key_copy_opts+0xcc9/0x1010 [act_tunnel_key]
     Write of size 4 at addr ffff88813f5f1cc8 by task tc/873
    
     CPU: 2 PID: 873 Comm: tc Not tainted 5.9.0+ #282
     Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
     Call Trace:
      dump_stack+0x99/0xcb
      print_address_description.constprop.7+0x1e/0x230
      kasan_report.cold.13+0x37/0x7c
      tunnel_key_copy_opts+0xcc9/0x1010 [act_tunnel_key]
      tunnel_key_init+0x160c/0x1f40 [act_tunnel_key]
      tcf_action_init_1+0x5b5/0x850
      tcf_action_init+0x15d/0x370
      tcf_action_add+0xd9/0x2f0
      tc_ctl_action+0x29b/0x3a0
      rtnetlink_rcv_msg+0x341/0x8d0
      netlink_rcv_skb+0x120/0x380
      netlink_unicast+0x439/0x630
      netlink_sendmsg+0x719/0xbf0
      sock_sendmsg+0xe2/0x110
      ____sys_sendmsg+0x5ba/0x890
      ___sys_sendmsg+0xe9/0x160
      __sys_sendmsg+0xd3/0x170
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
     RIP: 0033:0x7f872a96b338
     Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
     RSP: 002b:00007ffffe367518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
     RAX: ffffffffffffffda RBX: 000000005f8f5aed RCX: 00007f872a96b338
     RDX: 0000000000000000 RSI: 00007ffffe367580 RDI: 0000000000000003
     RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000001c
     R10: 000000000000000b R11: 0000000000000246 R12: 0000000000000001
     R13: 0000000000686760 R14: 0000000000000601 R15: 0000000000000000
    
     Allocated by task 873:
      kasan_save_stack+0x19/0x40
      __kasan_kmalloc.constprop.7+0xc1/0xd0
      __kmalloc+0x151/0x310
      metadata_dst_alloc+0x20/0x40
      tunnel_key_init+0xfff/0x1f40 [act_tunnel_key]
      tcf_action_init_1+0x5b5/0x850
      tcf_action_init+0x15d/0x370
      tcf_action_add+0xd9/0x2f0
      tc_ctl_action+0x29b/0x3a0
      rtnetlink_rcv_msg+0x341/0x8d0
      netlink_rcv_skb+0x120/0x380
      netlink_unicast+0x439/0x630
      netlink_sendmsg+0x719/0xbf0
      sock_sendmsg+0xe2/0x110
      ____sys_sendmsg+0x5ba/0x890
      ___sys_sendmsg+0xe9/0x160
      __sys_sendmsg+0xd3/0x170
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
     The buggy address belongs to the object at ffff88813f5f1c00
      which belongs to the cache kmalloc-256 of size 256
     The buggy address is located 200 bytes inside of
      256-byte region [ffff88813f5f1c00, ffff88813f5f1d00)
     The buggy address belongs to the page:
     page:0000000011b48a19 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x13f5f0
     head:0000000011b48a19 order:1 compound_mapcount:0
     flags: 0x17ffffc0010200(slab|head)
     raw: 0017ffffc0010200 0000000000000000 0000000d00000001 ffff888107c43400
     raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
     page dumped because: kasan: bad access detected
    
     Memory state around the buggy address:
      ffff88813f5f1b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ffff88813f5f1c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     >ffff88813f5f1c80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
                                                   ^
      ffff88813f5f1d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      ffff88813f5f1d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    using IPv6 tunnels, act_tunnel_key allocates a fixed amount of memory for
    the tunnel metadata, but then it expects additional bytes to store tunnel
    specific metadata with tunnel_key_copy_opts().
    
    Fix the arguments of __ipv6_tun_set_dst(), so that 'md_size' contains the
    size previously computed by tunnel_key_get_opts_len(), like it's done for
    IPv4 tunnels.
    
    Fixes: 0ed5269f ("net/sched: add tunnel option support to act_tunnel_key")
    Reported-by: default avatarShuang Li <shuali@redhat.com>
    Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
    Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
    Link: https://lore.kernel.org/r/36ebe969f6d13ff59912d6464a4356fe6f103766.1603231100.git.dcaratti@redhat.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
    a7a12b5a
act_tunnel_key.c 22 KB