083b78a9ed
ip_mc_may_pull() must return 0 if there is a problem, not an errno.
syzbot reported :
BUG: KASAN: use-after-free in br_ip4_multicast_igmp3_report net/bridge/br_multicast.c:947 [inline]
BUG: KASAN: use-after-free in br_multicast_ipv4_rcv net/bridge/br_multicast.c:1631 [inline]
BUG: KASAN: use-after-free in br_multicast_rcv+0x3cd8/0x4440 net/bridge/br_multicast.c:1741
Read of size 4 at addr ffff88820a4084ee by task syz-executor.2/11183
CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.0.0+ #14
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:131
br_ip4_multicast_igmp3_report net/bridge/br_multicast.c:947 [inline]
br_multicast_ipv4_rcv net/bridge/br_multicast.c:1631 [inline]
br_multicast_rcv+0x3cd8/0x4440 net/bridge/br_multicast.c:1741
br_handle_frame_finish+0xa3a/0x14c0 net/bridge/br_input.c:108
br_nf_hook_thresh+0x2ec/0x380 net/bridge/br_netfilter_hooks.c:1005
br_nf_pre_routing_finish+0x8e2/0x1750 net/bridge/br_netfilter_hooks.c:410
NF_HOOK include/linux/netfilter.h:289 [inline]
NF_HOOK include/linux/netfilter.h:283 [inline]
br_nf_pre_routing+0x7e7/0x13a0 net/bridge/br_netfilter_hooks.c:506
nf_hook_entry_hookfn include/linux/netfilter.h:119 [inline]
nf_hook_slow+0xbf/0x1f0 net/netfilter/core.c:511
nf_hook include/linux/netfilter.h:244 [inline]
NF_HOOK include/linux/netfilter.h:287 [inline]
br_handle_frame+0x95b/0x1450 net/bridge/br_input.c:305
__netif_receive_skb_core+0xa96/0x3040 net/core/dev.c:4902
__netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:4971
__netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5186
netif_receive_skb+0x6e/0x5a0 net/core/dev.c:5261
Fixes: ba5ea61462 ("bridge: simplify ip_mc_check_igmp() and ipv6_mc_check_mld() calls")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: David S. Miller <davem@davemloft.net>
151 lines
4.6 KiB
C
151 lines
4.6 KiB
C
/*
|
|
* Linux NET3: Internet Group Management Protocol [IGMP]
|
|
*
|
|
* Authors:
|
|
* Alan Cox <alan@lxorguk.ukuu.org.uk>
|
|
*
|
|
* Extended to talk the BSD extended IGMP protocol of mrouted 3.6
|
|
*
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License
|
|
* as published by the Free Software Foundation; either version
|
|
* 2 of the License, or (at your option) any later version.
|
|
*/
|
|
#ifndef _LINUX_IGMP_H
|
|
#define _LINUX_IGMP_H
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <linux/timer.h>
|
|
#include <linux/in.h>
|
|
#include <linux/ip.h>
|
|
#include <linux/refcount.h>
|
|
#include <uapi/linux/igmp.h>
|
|
|
|
static inline struct igmphdr *igmp_hdr(const struct sk_buff *skb)
|
|
{
|
|
return (struct igmphdr *)skb_transport_header(skb);
|
|
}
|
|
|
|
static inline struct igmpv3_report *
|
|
igmpv3_report_hdr(const struct sk_buff *skb)
|
|
{
|
|
return (struct igmpv3_report *)skb_transport_header(skb);
|
|
}
|
|
|
|
static inline struct igmpv3_query *
|
|
igmpv3_query_hdr(const struct sk_buff *skb)
|
|
{
|
|
return (struct igmpv3_query *)skb_transport_header(skb);
|
|
}
|
|
|
|
struct ip_sf_socklist {
|
|
unsigned int sl_max;
|
|
unsigned int sl_count;
|
|
struct rcu_head rcu;
|
|
__be32 sl_addr[0];
|
|
};
|
|
|
|
#define IP_SFLSIZE(count) (sizeof(struct ip_sf_socklist) + \
|
|
(count) * sizeof(__be32))
|
|
|
|
#define IP_SFBLOCK 10 /* allocate this many at once */
|
|
|
|
/* ip_mc_socklist is real list now. Speed is not argument;
|
|
this list never used in fast path code
|
|
*/
|
|
|
|
struct ip_mc_socklist {
|
|
struct ip_mc_socklist __rcu *next_rcu;
|
|
struct ip_mreqn multi;
|
|
unsigned int sfmode; /* MCAST_{INCLUDE,EXCLUDE} */
|
|
struct ip_sf_socklist __rcu *sflist;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
struct ip_sf_list {
|
|
struct ip_sf_list *sf_next;
|
|
__be32 sf_inaddr;
|
|
unsigned long sf_count[2]; /* include/exclude counts */
|
|
unsigned char sf_gsresp; /* include in g & s response? */
|
|
unsigned char sf_oldin; /* change state */
|
|
unsigned char sf_crcount; /* retrans. left to send */
|
|
};
|
|
|
|
struct ip_mc_list {
|
|
struct in_device *interface;
|
|
__be32 multiaddr;
|
|
unsigned int sfmode;
|
|
struct ip_sf_list *sources;
|
|
struct ip_sf_list *tomb;
|
|
unsigned long sfcount[2];
|
|
union {
|
|
struct ip_mc_list *next;
|
|
struct ip_mc_list __rcu *next_rcu;
|
|
};
|
|
struct ip_mc_list __rcu *next_hash;
|
|
struct timer_list timer;
|
|
int users;
|
|
refcount_t refcnt;
|
|
spinlock_t lock;
|
|
char tm_running;
|
|
char reporter;
|
|
char unsolicit_count;
|
|
char loaded;
|
|
unsigned char gsquery; /* check source marks? */
|
|
unsigned char crcount;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
/* V3 exponential field decoding */
|
|
#define IGMPV3_MASK(value, nb) ((nb)>=32 ? (value) : ((1<<(nb))-1) & (value))
|
|
#define IGMPV3_EXP(thresh, nbmant, nbexp, value) \
|
|
((value) < (thresh) ? (value) : \
|
|
((IGMPV3_MASK(value, nbmant) | (1<<(nbmant))) << \
|
|
(IGMPV3_MASK((value) >> (nbmant), nbexp) + (nbexp))))
|
|
|
|
#define IGMPV3_QQIC(value) IGMPV3_EXP(0x80, 4, 3, value)
|
|
#define IGMPV3_MRC(value) IGMPV3_EXP(0x80, 4, 3, value)
|
|
|
|
static inline int ip_mc_may_pull(struct sk_buff *skb, unsigned int len)
|
|
{
|
|
if (skb_transport_offset(skb) + ip_transport_len(skb) < len)
|
|
return 0;
|
|
|
|
return pskb_may_pull(skb, len);
|
|
}
|
|
|
|
extern int ip_check_mc_rcu(struct in_device *dev, __be32 mc_addr, __be32 src_addr, u8 proto);
|
|
extern int igmp_rcv(struct sk_buff *);
|
|
extern int ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr);
|
|
extern int ip_mc_join_group_ssm(struct sock *sk, struct ip_mreqn *imr,
|
|
unsigned int mode);
|
|
extern int ip_mc_leave_group(struct sock *sk, struct ip_mreqn *imr);
|
|
extern void ip_mc_drop_socket(struct sock *sk);
|
|
extern int ip_mc_source(int add, int omode, struct sock *sk,
|
|
struct ip_mreq_source *mreqs, int ifindex);
|
|
extern int ip_mc_msfilter(struct sock *sk, struct ip_msfilter *msf,int ifindex);
|
|
extern int ip_mc_msfget(struct sock *sk, struct ip_msfilter *msf,
|
|
struct ip_msfilter __user *optval, int __user *optlen);
|
|
extern int ip_mc_gsfget(struct sock *sk, struct group_filter *gsf,
|
|
struct group_filter __user *optval, int __user *optlen);
|
|
extern int ip_mc_sf_allow(struct sock *sk, __be32 local, __be32 rmt,
|
|
int dif, int sdif);
|
|
extern void ip_mc_init_dev(struct in_device *);
|
|
extern void ip_mc_destroy_dev(struct in_device *);
|
|
extern void ip_mc_up(struct in_device *);
|
|
extern void ip_mc_down(struct in_device *);
|
|
extern void ip_mc_unmap(struct in_device *);
|
|
extern void ip_mc_remap(struct in_device *);
|
|
extern void __ip_mc_dec_group(struct in_device *in_dev, __be32 addr, gfp_t gfp);
|
|
static inline void ip_mc_dec_group(struct in_device *in_dev, __be32 addr)
|
|
{
|
|
return __ip_mc_dec_group(in_dev, addr, GFP_KERNEL);
|
|
}
|
|
extern void __ip_mc_inc_group(struct in_device *in_dev, __be32 addr,
|
|
gfp_t gfp);
|
|
extern void ip_mc_inc_group(struct in_device *in_dev, __be32 addr);
|
|
int ip_mc_check_igmp(struct sk_buff *skb);
|
|
|
|
#endif
|