RE: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data

From: David Laight
Date: Thu Mar 10 2022 - 17:18:27 EST

Next message: Rob Herring: "Re: [PATCH 5/5] dt-bindings: mediatek: mt8195: add mt8195-mt6359-max98390-rt5682 document"
Previous message: Tony Nguyen: "Re: [PATCH net] ice: Fix race condition during interface enslave"
In reply to: Tadeusz Struk: "[PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data"
Next in thread: Jakub Kicinski: "Re: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tadeusz Struk
> Sent: 10 March 2022 22:13
>
> Syzbot found a kernel bug in the ipv6 stack:
> LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580
> The reproducer triggers it by sending a crafted message via sendmmsg()
> call, which triggers skb_over_panic, and crashes the kernel:
>
> skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575
> head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0
> dev:<NULL>
>
> Add a check that prevents an invalid packet with MTU equall to the
> fregment header size to eat up all the space for payload.

There probably ought to be a check much earlier that stops
the option that makes the iphdr being to big being accepted
in the first place.

Much better to do the check in the option generation code.

David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Next message: Rob Herring: "Re: [PATCH 5/5] dt-bindings: mediatek: mt8195: add mt8195-mt6359-max98390-rt5682 document"
Previous message: Tony Nguyen: "Re: [PATCH net] ice: Fix race condition during interface enslave"
In reply to: Tadeusz Struk: "[PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data"
Next in thread: Jakub Kicinski: "Re: [PATCH v2] net: ipv6: fix skb_over_panic in __ip6_append_data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]