Re: net: GPF in eth_header

From: Eric Dumazet
Date: Sat Nov 26 2016 - 15:05:23 EST

Next message: Theodore Ts'o: "Re: [PATCH] MAINTAINERS: fscrypto: recommend linux-fsdevel for fscrypto patches"
Previous message: Nicolas Iooss: "[PATCH 1/1] [media] tw686x: silent -Wformat-security warning"
In reply to: Andrey Konovalov: "Re: net: GPF in eth_header"
Next in thread: Eric Dumazet: "Re: net: GPF in eth_header"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Hi Eric,
>
> The crash happens when the kernel tries to access shadow for nonmapped memory.
>
> The issue here is an integer overflow which happens in neigh_resolve_output().
> skb_network_offset(skb) can return negative number, but __skb_pull()
> accepts unsigned int as len.
> As a result, the least significat bit in higher 32 bits of skb->data
> gets set and we get an out-of-bounds with offset of 4 GB.
>
> I've attached a short reproducer, but you either need KASAN or to add
> a BUG_ON to see the crash.
> In this reproducer skb_network_offset() becomes negative after merging
> two ipv6 fragments.
>
> I actually see multiple places where skb_network_offset() is used as
> an argument to skb_pull().
> So I guess every place can potentially be buggy.

Well, I think the intent is to accept a negative number.

This definitely was assumed by commit e1f165032c8bade authors !

I guess they were using a 32bit kernel for their tests.

Next message: Theodore Ts'o: "Re: [PATCH] MAINTAINERS: fscrypto: recommend linux-fsdevel for fscrypto patches"
Previous message: Nicolas Iooss: "[PATCH 1/1] [media] tw686x: silent -Wformat-security warning"
In reply to: Andrey Konovalov: "Re: net: GPF in eth_header"
Next in thread: Eric Dumazet: "Re: net: GPF in eth_header"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]