
bonding/alb: properly access headers in bond_alb_xmit()

syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.

First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report, the transport offset was 0xFFFF.

This patch removes ipx_hdr() since it was only (mis)used from bonding.

Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb->head before dereferencing anything.

BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
(if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)

Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
[<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
[<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
[<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
[<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
[<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
[<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
[<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
[<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
[<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
[<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
[<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
[<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
[<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
[<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
[<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
[<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
[<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
[<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
[<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
[<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
[<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
[<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
[<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Eric Dumazet and committed by
David S. Miller
38f88c45 d5b90e99

+32 -17
+32 -12
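--- a/drivers/net/bonding/bond_alb.c
+++ b/drivers/net/bonding/bond_alb.c
@@ -1383,26 +1383,31 @@
 bool do_tx_balance = true;
 u32 hash_index = 0;
 const u8 *hash_start = NULL;
-struct ipv6hdr *ip6hdr;
 
 skb_reset_mac_header(skb);
 eth_data = eth_hdr(skb);
 
 switch (ntohs(skb->protocol)) {
 case ETH_P_IP: {
-const struct iphdr *iph = ip_hdr(skb);
+const struct iphdr *iph;
 
 if (is_broadcast_ether_addr(eth_data->h_dest) ||
-iph->daddr == ip_bcast ||
-iph->protocol == IPPROTO_IGMP) {
+!pskb_network_may_pull(skb, sizeof(*iph))) {
+do_tx_balance = false;
+break;
+}
+iph = ip_hdr(skb);
+if (iph->daddr == ip_bcast || iph->protocol == IPPROTO_IGMP) {
 do_tx_balance = false;
 break;
 }
 hash_start = (char *)&(iph->daddr);
 hash_size = sizeof(iph->daddr);
-}
 break;
-case ETH_P_IPV6:
+}
+case ETH_P_IPV6: {
+const struct ipv6hdr *ip6hdr;
+
 /* IPv6 doesn't really use broadcast mac address, but leave
 * that here just in case.
 */
@@ -1424,7 +1429,11 @@
 break;
 }
 
-/* Additianally, DAD probes should not be tx-balanced as that
+if (!pskb_network_may_pull(skb, sizeof(*ip6hdr))) {
+do_tx_balance = false;
+break;
+}
+/* Additionally, DAD probes should not be tx-balanced as that
 * will lead to false positives for duplicate addresses and
 * prevent address configuration from working.
 */
@@ -1438,17 +1447,26 @@
 break;
 }
 
-hash_start = (char *)&(ipv6_hdr(skb)->daddr);
-hash_size = sizeof(ipv6_hdr(skb)->daddr);
+hash_start = (char *)&ip6hdr->daddr;
+hash_size = sizeof(ip6hdr->daddr);
 break;
-case ETH_P_IPX:
-if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) {
+}
+case ETH_P_IPX: {
+const struct ipxhdr *ipxhdr;
+
+if (pskb_network_may_pull(skb, sizeof(*ipxhdr))) {
+do_tx_balance = false;
+break;
+}
+ipxhdr = (struct ipxhdr *)skb_network_header(skb);
+
+if (ipxhdr->ipx_checksum != IPX_NO_CHECKSUM) {
 /* something is wrong with this packet */
 do_tx_balance = false;
 break;
 }
 
-if (ipx_hdr(skb)->ipx_type != IPX_TYPE_NCP) {
+if (ipxhdr->ipx_type != IPX_TYPE_NCP) {
 /* The only protocol worth balancing in
 * this family since it has an "ARP" like
 * mechanism
@@ -1466,9 +1484,11 @@
 break;
 }
 
+eth_data = eth_hdr(skb);
 hash_start = (char *)eth_data->h_dest;
 hash_size = ETH_ALEN;
 break;
+}
 case ETH_P_ARP:
 do_tx_balance = false;
 if (bond_info->rlb_enabled)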
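Review bot: The IPX guard in the third hunk is inverted: `if (pskb_network_may_pull(skb, sizeof(*ipxhdr)))` gives up on balancing exactly when the header could be pulled, and when the pull fails it falls through to `ipxhdr = (struct ipxhdr *)skb_network_header(skb);` and the `ipx_checksum`/`ipx_type` reads, which is the short-packet dereference this commit sets out to close. The IPv4 and IPv6 cases in the first two hunks use the negated form, so the IPX branch should read `if (!pskb_network_may_pull(skb, sizeof(*ipxhdr))) {`. The `eth_data = eth_hdr(skb);` re-read added in the last hunk deserves a one-line comment, presumably `/* the pull above may have moved skb->head */` — confirm that is the reason, since the IPv4 case does not touch eth_data after its own pull. The enclosing switch belongs to bond_alb_xmit(), whose start and end lie outside the hunks.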
-5
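--- a/include/net/ipx.h
+++ b/include/net/ipx.h
@@ -47,11 +47,6 @@
 /* From af_ipx.c */
 extern int sysctl_ipx_pprop_broadcasting;
 
-static __inline__ struct ipxhdr *ipx_hdr(struct sk_buff *skb)
-{
-return (struct ipxhdr *)skb_transport_header(skb);
-}
-
 struct ipx_interface {
 /* IPX address */
 __be32 if_netnum;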