mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-24 01:09:38 -05:00
2efd4fca70
Syzbot reported a read beyond the end of the skb head when returning IPV6_ORIGDSTADDR: BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242 CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125 kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219 kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261 copy_to_user include/linux/uaccess.h:184 [inline] put_cmsg+0x5ef/0x860 net/core/scm.c:242 ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719 ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733 rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521 [..] This logic and its ipv4 counterpart read the destination port from the packet at skb_transport_offset(skb) + 4. With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a packet that stores headers exactly up to skb_transport_offset(skb) in the head and the remainder in a frag. Call pskb_may_pull before accessing the pointer to ensure that it lies in skb head. Link: http://lkml.kernel.org/r/CAF=yD-LEJwZj5a1-bAAj2Oy_hKmGygV6rsJ_WOrAYnv-fnayiQ@mail.gmail.com Reported-by: syzbot+9adb4b567003cac781f0@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| bpfilter | ||
| netfilter | ||
| af_inet.c | ||
| ah4.c | ||
| arp.c | ||
| cipso_ipv4.c | ||
| datagram.c | ||
| devinet.c | ||
| esp4.c | ||
| esp4_offload.c | ||
| fib_frontend.c | ||
| fib_lookup.h | ||
| fib_notifier.c | ||
| fib_rules.c | ||
| fib_semantics.c | ||
| fib_trie.c | ||
| fou.c | ||
| gre_demux.c | ||
| gre_offload.c | ||
| icmp.c | ||
| igmp.c | ||
| inet_connection_sock.c | ||
| inet_diag.c | ||
| inet_fragment.c | ||
| inet_hashtables.c | ||
| inet_timewait_sock.c | ||
| inetpeer.c | ||
| ip_forward.c | ||
| ip_fragment.c | ||
| ip_gre.c | ||
| ip_input.c | ||
| ip_options.c | ||
| ip_output.c | ||
| ip_sockglue.c | ||
| ip_tunnel.c | ||
| ip_tunnel_core.c | ||
| ip_vti.c | ||
| ipcomp.c | ||
| ipconfig.c | ||
| ipip.c | ||
| ipmr.c | ||
| ipmr_base.c | ||
| Kconfig | ||
| Makefile | ||
| metrics.c | ||
| netfilter.c | ||
| netlink.c | ||
| ping.c | ||
| proc.c | ||
| protocol.c | ||
| raw.c | ||
| raw_diag.c | ||
| route.c | ||
| syncookies.c | ||
| sysctl_net_ipv4.c | ||
| tcp.c | ||
| tcp_bbr.c | ||
| tcp_bic.c | ||
| tcp_cdg.c | ||
| tcp_cong.c | ||
| tcp_cubic.c | ||
| tcp_dctcp.c | ||
| tcp_diag.c | ||
| tcp_fastopen.c | ||
| tcp_highspeed.c | ||
| tcp_htcp.c | ||
| tcp_hybla.c | ||
| tcp_illinois.c | ||
| tcp_input.c | ||
| tcp_ipv4.c | ||
| tcp_lp.c | ||
| tcp_metrics.c | ||
| tcp_minisocks.c | ||
| tcp_nv.c | ||
| tcp_offload.c | ||
| tcp_output.c | ||
| tcp_rate.c | ||
| tcp_recovery.c | ||
| tcp_scalable.c | ||
| tcp_timer.c | ||
| tcp_ulp.c | ||
| tcp_vegas.c | ||
| tcp_vegas.h | ||
| tcp_veno.c | ||
| tcp_westwood.c | ||
| tcp_yeah.c | ||
| tunnel4.c | ||
| udp.c | ||
| udp_diag.c | ||
| udp_impl.h | ||
| udp_offload.c | ||
| udp_tunnel.c | ||
| udplite.c | ||
| xfrm4_input.c | ||
| xfrm4_mode_beet.c | ||
| xfrm4_mode_transport.c | ||
| xfrm4_mode_tunnel.c | ||
| xfrm4_output.c | ||
| xfrm4_policy.c | ||
| xfrm4_protocol.c | ||
| xfrm4_state.c | ||
| xfrm4_tunnel.c | ||