Re: KASAN: use-after-free Read in __dev_queue_xmit

From: Eric Dumazet
Date: Thu Jan 04 2018 - 01:53:24 EST


On Wed, 2018-01-03 at 21:13 -0800, Eric Dumazet wrote:
> Note: all commands must start from beginning of the line in the email body.
>
> I guess skb_probe_transport_header() should be hardened to reject malicious
> packets given by user space, instead of being gentle.

Although the bug triggered for this particular repro is in the flow dissector
:/

I will test:

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 15ce300637650e17fcab7e378b20fe7972686d46..544bddf08e13c7f6e47aadc737244c9ba5af56b2 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -976,8 +976,8 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
Âout_good:
ÂÂÂÂÂÂÂÂret = true;
Â
-ÂÂÂÂÂÂÂkey_control->thoff = (u16)nhoff;
Âout:
+ÂÂÂÂÂÂÂkey_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
ÂÂÂÂÂÂÂÂkey_basic->n_proto = proto;
ÂÂÂÂÂÂÂÂkey_basic->ip_proto = ip_proto;
Â
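Review bot: the new clamp at `out:` is the security-relevant change here (it bounds `thoff` to the data actually present, whether that comes from an skb or from a raw `data`/`hlen` pair), but the hunk carries no comment saying why, so a later reader may see the `min_t()` as redundant and move it back. Suggest a one-line comment above `key_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);` stating that headers parsed from user-supplied packets can claim a transport offset beyond the end of the buffer and that callers rely on `thoff` never exceeding the available length. Note also that `min_t(u16, ...)` narrows both operands before comparing, so for an skb whose `len` exceeds 65535 the bound is the truncated length rather than the real one; comparing in the wider type and narrowing the result would avoid that edge.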
@@ -985,7 +985,6 @@ bool __skb_flow_dissect(const struct sk_buff *skb,
Â
Âout_bad:
ÂÂÂÂÂÂÂÂret = false;
-ÂÂÂÂÂÂÂkey_control->thoff = min_t(u16, nhoff, skb ? skb->len : hlen);
ÂÂÂÂÂÂÂÂgoto out;
Â}
ÂEXPORT_SYMBOL(__skb_flow_dissect);
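Review bot: with the `out_bad` clamp removed, the bad path now depends entirely on `goto out;` reaching the assignment that the first hunk placed after the `out:` label, which preserves the previous behaviour for this path and extends the same bound to `out_good`. Worth confirming that no other `goto out` in `__skb_flow_dissect()` previously expected `thoff` to be left untouched, since the label now writes `key_control->thoff` unconditionally on every exit.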