Re: [PATCH] ipv6: ensure message length for raw socket is at least sizeof(ipv6hdr)
From: Alexander Potapenko
Date: Wed Apr 26 2017 - 04:55:06 EST
On Tue, Apr 25, 2017 at 7:55 PM, David Miller <davem@xxxxxxxxxxxxx> wrote:
> From: Alexander Potapenko <glider@xxxxxxxxxx>
> Date: Tue, 25 Apr 2017 15:18:27 +0200
>
>> rawv6_send_hdrinc() expects that the buffer copied from the userspace
>> contains the IPv6 header, so if too few bytes are copied parts of the
>> header may remain uninitialized.
>>
>> This bug has been detected with KMSAN.
>>
>> Signed-off-by: Alexander Potapenko <glider@xxxxxxxxxx>
>
> Hmmm, ipv4 seems to lack this check as well.
>
> I think we need to be careful here and fully understand why KMSAN doesn't
> seem to be triggering in the ipv4 case but for ipv6 it is before I apply
> this.
Maybe I just couldn't come up with a decent test case for ipv4 yet.
syzkaller generated the equivalent of the following program for ipv6:
=======================================
#define _GNU_SOURCE
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <error.h>
int main()
{
int sock = socket(PF_INET6, SOCK_RAW, IPPROTO_RAW);
struct sockaddr_in6 dest_addr;
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.sin6_family = AF_INET6;
inet_pton(AF_INET6, "ff00::", &dest_addr.sin6_addr);
int err = sendto(sock, 0, 0, 0, &dest_addr, sizeof(dest_addr));
if (err == -1)
perror("sendto");
return 0;
}
=======================================
I attempted to replace INET6 and such with INET and provide a legal
IPv4 address to inet_pton(), but couldn't trigger the warning.
> Thanks.
--
Alexander Potapenko
Software Engineer
Google Germany GmbH
Erika-Mann-StraÃe, 33
80636 MÃnchen
GeschÃftsfÃhrer: Matthew Scott Sucherman, Paul Terence Manicle
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg