redonkable
/
remarkable-linux
1
0
Fork 0
Code Releases Activity
remarkable-linux/net
History
Taehee Yoo 08fb833b40 ip: frags: fix crash in ip_do_fragment() 
commit 5d407b071d upstream

A kernel crash occurrs when defragmented packet is fragmented
in ip_do_fragment().
In defragment routine, skb_orphan() is called and
skb->ip_defrag_offset is set. but skb->sk and
skb->ip_defrag_offset are same union member. so that
frag->sk is not NULL.
Hence crash occurrs in skb->sk check routine in ip_do_fragment() when
defragmented packet is fragmented.

test commands:
   %iptables -t nat -I POSTROUTING -j MASQUERADE
   %hping3 192.168.4.2 -s 1000 -p 2000 -d 60000

splat looks like:
[  261.069429] kernel BUG at net/ipv4/ip_output.c:636!
[  261.075753] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  261.083854] CPU: 1 PID: 1349 Comm: hping3 Not tainted 4.19.0-rc2+ #3
[  261.100977] RIP: 0010:ip_do_fragment+0x1613/0x2600
[  261.106945] Code: e8 e2 38 e3 fe 4c 8b 44 24 18 48 8b 74 24 08 e9 92 f6 ff ff 80 3c 02 00 0f 85 da 07 00 00 48 8b b5 d0 00 00 00 e9 25 f6 ff ff <0f> 0b 0f 0b 44 8b 54 24 58 4c 8b 4c 24 18 4c 8b 5c 24 60 4c 8b 6c
[  261.127015] RSP: 0018:ffff8801031cf2c0 EFLAGS: 00010202
[  261.134156] RAX: 1ffff1002297537b RBX: ffffed0020639e6e RCX: 0000000000000004
[  261.142156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880114ba9bd8
[  261.150157] RBP: ffff880114ba8a40 R08: ffffed0022975395 R09: ffffed0022975395
[  261.158157] R10: 0000000000000001 R11: ffffed0022975394 R12: ffff880114ba9ca4
[  261.166159] R13: 0000000000000010 R14: ffff880114ba9bc0 R15: dffffc0000000000
[  261.174169] FS:  00007fbae2199700(0000) GS:ffff88011b400000(0000) knlGS:0000000000000000
[  261.183012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.189013] CR2: 00005579244fe000 CR3: 0000000119bf4000 CR4: 00000000001006e0
[  261.198158] Call Trace:
[  261.199018]  ? dst_output+0x180/0x180
[  261.205011]  ? save_trace+0x300/0x300
[  261.209018]  ? ip_copy_metadata+0xb00/0xb00
[  261.213034]  ? sched_clock_local+0xd4/0x140
[  261.218158]  ? kill_l4proto+0x120/0x120 [nf_conntrack]
[  261.223014]  ? rt_cpu_seq_stop+0x10/0x10
[  261.227014]  ? find_held_lock+0x39/0x1c0
[  261.233008]  ip_finish_output+0x51d/0xb50
[  261.237006]  ? ip_fragment.constprop.56+0x220/0x220
[  261.243011]  ? nf_ct_l4proto_register_one+0x5b0/0x5b0 [nf_conntrack]
[  261.250152]  ? rcu_is_watching+0x77/0x120
[  261.255010]  ? nf_nat_ipv4_out+0x1e/0x2b0 [nf_nat_ipv4]
[  261.261033]  ? nf_hook_slow+0xb1/0x160
[  261.265007]  ip_output+0x1c7/0x710
[  261.269005]  ? ip_mc_output+0x13f0/0x13f0
[  261.273002]  ? __local_bh_enable_ip+0xe9/0x1b0
[  261.278152]  ? ip_fragment.constprop.56+0x220/0x220
[  261.282996]  ? nf_hook_slow+0xb1/0x160
[  261.287007]  raw_sendmsg+0x21f9/0x4420
[  261.291008]  ? dst_output+0x180/0x180
[  261.297003]  ? sched_clock_cpu+0x126/0x170
[  261.301003]  ? find_held_lock+0x39/0x1c0
[  261.306155]  ? stop_critical_timings+0x420/0x420
[  261.311004]  ? check_flags.part.36+0x450/0x450
[  261.315005]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.320995]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.326142]  ? cyc2ns_read_end+0x10/0x10
[  261.330139]  ? raw_bind+0x280/0x280
[  261.334138]  ? sched_clock_cpu+0x126/0x170
[  261.338995]  ? check_flags.part.36+0x450/0x450
[  261.342991]  ? __lock_acquire+0x4500/0x4500
[  261.348994]  ? inet_sendmsg+0x11c/0x500
[  261.352989]  ? dst_output+0x180/0x180
[  261.357012]  inet_sendmsg+0x11c/0x500
[ ... ]

v2:
 - clear skb->sk at reassembly routine.(Eric Dumarzet)

Fixes: fa0f527358 ("ip: use rb trees for IP frag queue.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 		2018-09-19 22:43:48 +02:00
..
6lowpan License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
9p net/9p: fix error path of p9_virtio_probe 2018-09-15 09:45:29 +02:00
802 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
8021q net: fix use-after-free in GRO with ESP 2018-07-22 14:28:44 +02:00
appletalk License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
atm atm: Preserve value of skb->truesize when accounting to vcc 2018-07-22 14:28:43 +02:00
ax25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
batman-adv batman-adv: Fix multicast TT issues with bogus ROAM flags 2018-08-24 13:09:05 +02:00
bluetooth Bluetooth: hidp: Fix handling of strncpy for hid->name information 2018-09-19 22:43:42 +02:00
bpf bpf: Align packet data properly in program testing framework. 2017-05-02 11:46:28 -04:00
bridge netfilter: ebtables: reject non-bridge targets 2018-07-22 14:28:49 +02:00
caif net: caif: Add a missing rcu_read_unlock() in caif_flow_cb 2018-09-05 09:26:27 +02:00
can can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once 2018-01-23 19:58:17 +01:00
ceph libceph, ceph: avoid memory leak when specifying same option several times 2018-05-30 07:52:04 +02:00
core net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends 2018-09-19 22:43:47 +02:00
dcb net: dcb: For wild-card lookups, use priority -1, not 0 2018-09-19 22:43:43 +02:00
dccp dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() 2018-08-22 07:46:08 +02:00
decnet dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock 2018-02-25 11:07:52 +01:00
dns_resolver KEYS: DNS: fix parsing multiple options 2018-07-22 14:28:49 +02:00
dsa net: dsa: Do not suspend/resume closed slave_dev 2018-08-06 16:20:48 +02:00
ethernet networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 inet: frags: fix ip6frag_low_thresh boundary 2018-09-19 22:43:47 +02:00
ife net: sched: ife: check on metadata length 2018-04-29 11:33:13 +02:00
ipv4 ip: frags: fix crash in ip_do_fragment() 2018-09-19 22:43:48 +02:00
ipv6 ip: frags: fix crash in ip_do_fragment() 2018-09-19 22:43:48 +02:00
ipx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iucv net/iucv: Free memory obtained by kzalloc 2018-03-31 18:10:41 +02:00
kcm kcm: Fix use-after-free caused by clonned sockets 2018-06-11 22:49:19 +02:00
key af_key: Always verify length of provided sadb_key 2018-06-16 09:45:14 +02:00
l2tp l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache 2018-08-22 07:46:08 +02:00
l3mdev
lapb net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
llc llc: use refcount_inc_not_zero() for llc_sap_find() 2018-08-22 07:46:08 +02:00
mac80211 mac80211: add stations tied to AP_VLANs during hw reconfig 2018-09-05 09:26:23 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-09-09 19:55:52 +02:00
mpls mpls, nospec: Sanitize array index in mpls_label_ok() 2018-02-22 15:42:28 +01:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: fix memory leaks on netlink_dump_start error 2018-09-15 09:45:28 +02:00
netlabel netlabel: If PF_INET6, check sk_buff ip header version 2018-05-30 07:52:40 +02:00
netlink netlink: Don't shift on 64 for ngroups 2018-08-09 12:16:38 +02:00
netrom net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nfc net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL. 2018-07-22 14:28:49 +02:00
nsh nsh: set mac len based on inner packet 2018-07-22 14:28:49 +02:00
openvswitch openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found 2018-05-19 10:20:24 +02:00
packet packet: refine ring v3 block size test to hold one frame 2018-08-24 13:09:22 +02:00
phonet License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
psample MAINTAINERS: Update Yotam's E-mail 2017-11-01 12:19:03 +09:00
qrtr net: qrtr: Broadcast messages only from control port 2018-08-24 13:09:13 +02:00
rds RDS: IB: fix 'passing zero to ERR_PTR()' warning 2018-09-15 09:45:31 +02:00
rfkill rfkill: gpio: fix memory leak in probe error path 2018-05-16 10:10:26 +02:00
rose
rxrpc rxrpc: Fix user call ID check in rxrpc_service_prealloc_one 2018-08-06 16:20:48 +02:00
sched net: add rb_to_skb() and other rb tree helpers 2018-09-19 22:43:47 +02:00
sctp sctp: hold transport before accessing its asoc in sctp_transport_get_next 2018-09-15 09:45:25 +02:00
smc net/smc: no shutdown in state SMC_LISTEN 2018-08-24 13:09:22 +02:00
strparser strparser: Remove early eaten to fix full tcp receive buffer stall 2018-07-22 14:28:47 +02:00
sunrpc sunrpc: Don't use stack buffer with scatterlist 2018-09-15 09:45:26 +02:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: fix a missing rhashtable_walk_exit() 2018-09-15 09:45:25 +02:00
tls tcp, ulp: add alias for all ulp modules 2018-09-15 09:45:29 +02:00
unix License cleanup: add SPDX license identifiers to some files 2017-11-02 10:04:46 -07:00
vmw_vsock vsock: split dwork to avoid reinitializations 2018-08-22 07:46:08 +02:00
wimax License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
wireless nl80211: Add a missing break in parse_station_flags 2018-09-05 09:26:24 +02:00
x25 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfrm xfrm: free skb if nlsk pointer is NULL 2018-09-05 09:26:23 +02:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
compat.c net: support compat 64-bit time in {s,g}etsockopt 2018-05-19 10:20:24 +02:00
socket.c net: socket: fix potential spectre v1 gadget in socketcall 2018-08-06 16:20:48 +02:00
sysctl_net.c sysctl: Remove dead register_sysctl_root 2017-04-16 23:42:49 -05:00