557c44be91
Andrey reported a fault in the IPv6 route code:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880069809600 task.stack: ffff880062dc8000
RIP: 0010:ip6_rt_cache_alloc+0xa6/0x560 net/ipv6/route.c:975
RSP: 0018:ffff880062dced30 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800670561c0 RCX: 0000000000000006
RDX: 0000000000000003 RSI: ffff880062dcfb28 RDI: 0000000000000018
RBP: ffff880062dced68 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880062dcfb28 R14: dffffc0000000000 R15: 0000000000000000
FS: 00007feebe37e7c0(0000) GS:ffff88006cb00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205a0fe4 CR3: 000000006b5c9000 CR4: 00000000000006e0
Call Trace:
ip6_pol_route+0x1512/0x1f20 net/ipv6/route.c:1128
ip6_pol_route_output+0x4c/0x60 net/ipv6/route.c:1212
...
Andrey's syzkaller program passes rtmsg.rtmsg_flags with the RTF_PCPU bit
set. Flags passed to the kernel are blindly copied to the allocated
rt6_info by ip6_route_info_create making a newly inserted route appear
as though it is a per-cpu route. ip6_rt_cache_alloc sees the flag set
and expects rt->dst.from to be set - which it is not since it is not
really a per-cpu copy. The subsequent call to __ip6_dst_alloc then
generates the fault.
Fix by checking for the flag and failing with EINVAL.
Fixes: d52d3997f8 ("ipv6: Create percpu rt6_info")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
64 lines
1.8 KiB
C
64 lines
1.8 KiB
C
/*
|
|
* Linux INET6 implementation
|
|
*
|
|
* Authors:
|
|
* Pedro Roque <roque@di.fc.ul.pt>
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
|
|
#ifndef _UAPI_LINUX_IPV6_ROUTE_H
|
|
#define _UAPI_LINUX_IPV6_ROUTE_H
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/in6.h> /* For struct in6_addr. */
|
|
|
|
#define RTF_DEFAULT 0x00010000 /* default - learned via ND */
|
|
#define RTF_ALLONLINK 0x00020000 /* (deprecated and will be removed)
|
|
fallback, no routers on link */
|
|
#define RTF_ADDRCONF 0x00040000 /* addrconf route - RA */
|
|
#define RTF_PREFIX_RT 0x00080000 /* A prefix only route - RA */
|
|
#define RTF_ANYCAST 0x00100000 /* Anycast */
|
|
|
|
#define RTF_NONEXTHOP 0x00200000 /* route with no nexthop */
|
|
#define RTF_EXPIRES 0x00400000
|
|
|
|
#define RTF_ROUTEINFO 0x00800000 /* route information - RA */
|
|
|
|
#define RTF_CACHE 0x01000000 /* cache entry */
|
|
#define RTF_FLOW 0x02000000 /* flow significant route */
|
|
#define RTF_POLICY 0x04000000 /* policy route */
|
|
|
|
#define RTF_PREF(pref) ((pref) << 27)
|
|
#define RTF_PREF_MASK 0x18000000
|
|
|
|
#define RTF_PCPU 0x40000000 /* read-only: can not be set by user */
|
|
#define RTF_LOCAL 0x80000000
|
|
|
|
|
|
struct in6_rtmsg {
|
|
struct in6_addr rtmsg_dst;
|
|
struct in6_addr rtmsg_src;
|
|
struct in6_addr rtmsg_gateway;
|
|
__u32 rtmsg_type;
|
|
__u16 rtmsg_dst_len;
|
|
__u16 rtmsg_src_len;
|
|
__u32 rtmsg_metric;
|
|
unsigned long rtmsg_info;
|
|
__u32 rtmsg_flags;
|
|
int rtmsg_ifindex;
|
|
};
|
|
|
|
#define RTMSG_NEWDEVICE 0x11
|
|
#define RTMSG_DELDEVICE 0x12
|
|
#define RTMSG_NEWROUTE 0x21
|
|
#define RTMSG_DELROUTE 0x22
|
|
|
|
#define IP6_RT_PRIO_USER 1024
|
|
#define IP6_RT_PRIO_ADDRCONF 256
|
|
|
|
#endif /* _UAPI_LINUX_IPV6_ROUTE_H */
|