mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-01-12 06:33:42 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
03aef17bb79b3dc02b1352ee2f55fca799dbad7f
linux/include/net
History
William Tu b423d13c08 net: erspan: fix use-after-free 
When building the erspan header for either v1 or v2, the eth_hdr()
does not point to the right inner packet's eth_hdr,
causing kasan report use-after-free and slab-out-of-bouds read.

The patch fixes the following syzkaller issues:
[1] BUG: KASAN: slab-out-of-bounds in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
[2] BUG: KASAN: slab-out-of-bounds in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
[3] BUG: KASAN: use-after-free in erspan_xmit+0x22d4/0x2430 net/ipv4/ip_gre.c:735
[4] BUG: KASAN: use-after-free in erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698

[2] CPU: 0 PID: 3654 Comm: syzkaller377964 Not tainted 4.15.0-rc9+ #185
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:440
 erspan_build_header+0x3bf/0x3d0 net/ipv4/ip_gre.c:698
 erspan_xmit+0x3b8/0x13b0 net/ipv4/ip_gre.c:740
 __netdev_start_xmit include/linux/netdevice.h:4042 [inline]
 netdev_start_xmit include/linux/netdevice.h:4051 [inline]
 packet_direct_xmit+0x315/0x6b0 net/packet/af_packet.c:266
 packet_snd net/packet/af_packet.c:2943 [inline]
 packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2968
 sock_sendmsg_nosec net/socket.c:638 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:648
 SYSC_sendto+0x361/0x5c0 net/socket.c:1729
 SyS_sendto+0x40/0x50 net/socket.c:1697
 do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
 do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
 entry_SYSENTER_compat+0x54/0x63 arch/x86/entry/entry_64_compat.S:129
RIP: 0023:0xf7fcfc79
RSP: 002b:00000000ffc6976c EFLAGS: 00000286 ORIG_RAX: 0000000000000171
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 0000000020011000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020008000
RBP: 000000000000001c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Fixes: f551c91de2 ("net: erspan: introduce erspan v2 for ip_gre")
Fixes: 84e54fe0a5 ("gre: introduce native tunnel support for ERSPAN")
Reported-by: syzbot+9723f2d288e49b492cf0@syzkaller.appspotmail.com
Reported-by: syzbot+f0ddeb2b032a8e1d9098@syzkaller.appspotmail.com
Reported-by: syzbot+f14b3703cd8d7670203f@syzkaller.appspotmail.com
Reported-by: syzbot+eefa384efad8d7997f20@syzkaller.appspotmail.com
Signed-off-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-24 16:53:17 -05:00
..
9p
9p: Implement show_options
2017-07-11 06:08:58 -04:00
bluetooth
Bluetooth: Use bt_dev_err and bt_dev_info when possible
2017-10-30 12:25:45 +02:00
caif
caif: reduce stack size with KASAN
2018-01-19 14:02:12 -05:00
iucv
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
netfilter
netfilter: nf_tables: allocate handle and delete objects via handle
2018-01-19 14:00:46 +01:00
netns
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
2018-01-21 11:35:34 -05:00
nfc
NFC: Add nfc_dbg() macro
2017-04-05 10:15:20 +02:00
phonet
net: phonet: mark phonet_protocol as const
2017-10-07 23:15:08 +01:00
sctp
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-01-09 10:37:00 -05:00
tc_act
net/sched: act_csum: don't use spinlock in the fast path
2018-01-23 19:51:46 -05:00
6lowpan.h
6lowpan: Fix IID format for Bluetooth
2017-04-12 22:02:36 +02:00
act_api.h
net_sched: switch to exit_batch for action pernet ops
2017-12-13 13:58:41 -05:00
addrconf.h
rtnetlink: ipv6: convert remaining users to rtnl_register_module
2017-12-04 13:35:36 -05:00
af_ieee802154.h
af_rxrpc.h
rxrpc: Provide functions for allowing cleaner handling of signals
2017-10-18 11:42:48 +01:00
af_unix.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
af_vsock.h
VSOCK: use TCP state constants for sk_state
2017-10-05 18:44:17 -07:00
ah.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
arp.h
ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
2018-01-15 14:53:43 -05:00
atmclip.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ax25.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ax88796.h
bond_3ad.h
bonding: 3ad: apply ad_actor settings changes immediately
2016-02-09 04:45:49 -05:00
bond_alb.h
bond_options.h
bonding: Prevent duplicate userspace notification
2017-05-27 18:51:41 -04:00
bonding.h
bonding: remove rtmsg_ifinfo called after bond_lower_state_changed
2017-10-25 10:54:39 +09:00
busy_poll.h
net: fix compilation when busy poll is not enabled
2017-08-11 14:59:24 -07:00
calipso.h
net, calipso: convert calipso_doi.refcount from atomic_t to refcount_t
2017-07-04 22:35:16 +01:00
cfg80211-wext.h
cfg80211.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2018-01-17 00:10:42 -05:00
cfg802154.h
ieee802154: add netns support
2016-07-08 12:20:57 +02:00
checksum.h
csum: eliminate sparse warning in remcsum_unadjust()
2017-01-20 12:12:13 -05:00
cipso_ipv4.h
net, ipv4: convert cipso_v4_doi.refcount from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
cls_cgroup.h
cls_cgroup: get sk_classid only from full sockets
2016-04-19 20:09:25 -04:00
codel_impl.h
codel: split into multiple files
2016-04-25 16:44:27 -04:00
codel_qdisc.h
net_sched: fq_codel: cache skb->truesize into skb->cb
2016-06-25 12:19:35 -04:00
codel.h
codel: split into multiple files
2016-04-25 16:44:27 -04:00
compat.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
datalink.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dcbevent.h
dcbnl.h
devlink.h
devlink: Add relation between dpipe and resource
2018-01-16 14:15:34 -05:00
dn_dev.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_fib.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_neigh.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dn_nsp.h
net/decnet: Convert timers to use timer_setup()
2017-10-18 12:39:36 +01:00
dn_route.h
decnet: Move dn_next into decnet route structure.
2017-11-30 09:54:25 -05:00
dn.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
dsa.h
net: dsa: Allow compiling out legacy support
2017-12-07 14:14:54 -05:00
dsfield.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dst_cache.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dst_metadata.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
dst_ops.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
dst.h
net: Remove dst->next
2017-11-30 09:54:27 -05:00
erspan.h
net: erspan: fix use-after-free
2018-01-24 16:53:17 -05:00
esp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ethoc.h
fib_notifier.h
net: Add extack to fib_notifier_info
2017-11-01 11:50:43 +09:00
fib_rules.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
firewire.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
flow_dissector.h
tipc: improve link resiliency when rps is activated
2017-11-11 15:36:05 +09:00
flow.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fou.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
fq_impl.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-10-30 21:09:24 +09:00
fq.h
fq: support filtering a given tin
2017-10-11 09:49:34 +02:00
garp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gen_stats.h
net: sched: add support for TCQ_F_NOLOCK subqueues to sch_mq
2017-12-08 13:32:26 -05:00
genetlink.h
genetlink: fix genlmsg_nlhdr()
2017-11-16 10:49:00 +09:00
geneve.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gre.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gro_cells.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gtp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
gue.h
fou: fix some member types in guehdr
2017-12-11 14:10:06 -05:00
hwbm.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
icmp.h
net: snmp: kill STATS_BH macros
2016-04-27 22:48:25 -04:00
ieee80211_radiotap.h
wireless: radiotap: rewrite the radiotap header file
2017-01-25 16:00:33 +01:00
ieee802154_netdev.h
mac802154: constify ieee802154_llsec_ops structure
2016-01-04 20:40:41 +01:00
if_inet6.h
net, ipv6: convert ifacaddr6.aca_refcnt from atomic_t to refcount_t
2017-07-04 01:29:04 -07:00
ife.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ila.h
ila: Add generic ILA translation facility
2015-12-15 23:25:20 -05:00
inet6_connection_sock.h
inet: drop ->bind_conflict
2017-01-18 13:04:28 -05:00
inet6_hashtables.h
net: ipv6: add second dif to inet6 socket lookups
2017-08-07 11:39:22 -07:00
inet_common.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
inet_connection_sock.h
inet: Add a 2nd listener hashtable (port+addr)
2017-12-03 10:18:28 -05:00
inet_ecn.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
inet_frag.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
inet_hashtables.h
inet: Add a 2nd listener hashtable (port+addr)
2017-12-03 10:18:28 -05:00
inet_sock.h
net: sock: replace sk_state_load with inet_sk_state_load and remove sk_state_store
2017-12-20 14:00:25 -05:00
inet_timewait_sock.h
tcp/dccp: avoid one atomic operation for timewait hashdance
2017-12-13 14:33:10 -05:00
inetpeer.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ip6_checksum.h
ipv6: Pass proto to csum_ipv6_magic as __u8 instead of unsigned short
2016-03-13 23:55:13 -04:00
ip6_fib.h
ipv6: Add support for non-equal-cost multipath
2018-01-10 15:14:44 -05:00
ip6_route.h
ipv6: Calculate hash thresholds for IPv6 nexthops
2018-01-10 15:14:44 -05:00
ip6_tunnel.h
ip6_gre: add erspan v2 support
2017-12-15 12:34:00 -05:00
ip_fib.h
net: ipv4: remove fib_weight
2017-09-29 06:19:32 +01:00
ip_tunnels.h
net: erspan: introduce erspan v2 for ip_gre
2017-12-15 12:34:00 -05:00
ip_vs.h
netfilter: ipvs: Remove useless ipvsh param of frag_safe_skb_hp
2018-01-08 18:01:02 +01:00
ip.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-12-16 22:11:55 -05:00
ipcomp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ipconfig.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ipv6.h
netfilter: flow table support for IPv6
2018-01-08 18:11:08 +01:00
ipx.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
iw_handler.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
kcm.h
kcm: Use stream parser
2016-08-17 19:36:23 -04:00
l3mdev.h
net: ipv4: Do not drop to make_route if oif is l3mdev
2016-10-13 12:05:26 -04:00
lapb.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
lib80211.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
llc_c_ac.h
net: LLC: Convert timers to use timer_setup()
2017-10-25 12:06:25 +09:00
llc_c_ev.h
llc_c_st.h
llc_conn.h
llc_if.h
llc_pdu.h
llc_s_ac.h
llc_s_ev.h
llc_s_st.h
llc_sap.h
llc.h
net, llc: convert llc_sap.refcnt from atomic_t to refcount_t
2017-07-04 22:35:15 +01:00
lwtunnel.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mac80211.h
Revert "mac80211: Add TXQ scheduling API"
2017-12-19 10:12:48 +01:00
mac802154.h
ieee802154: cleanup WARN_ON for fc fetch
2016-07-08 13:23:12 +02:00
mip6.h
mld.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
mpls_iptunnel.h
net: mpls: Increase max number of labels for lwt encap
2017-04-01 20:21:44 -07:00
mpls.h
openvswitch: use mpls_hdr
2016-10-03 02:00:22 -04:00
mrp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ncsi.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ndisc.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
neighbour.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
net_namespace.h
net: Convert atomic_t net::count to refcount_t
2018-01-15 14:23:42 -05:00
net_ratelimit.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
netevent.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-11-04 09:26:51 +09:00
netlabel.h
net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t
2017-07-01 07:39:09 -07:00
netlink.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
netprio_cgroup.h
net: wrap sock->sk_cgrp_prioidx and ->sk_classid inside a struct
2015-12-08 22:02:33 -05:00
netrom.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
nexthop.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
nl802154.h
ieee802154: add netns support
2016-07-08 12:20:57 +02:00
nsh.h
openvswitch: enable NSH support
2017-11-08 16:12:33 +09:00
p8022.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
ping.h
net: ping: make ping_v6_sendmsg static
2016-03-23 22:09:58 -04:00
pkt_cls.h
net: sched: remove tc_cls_common_offload_init_deprecated()
2018-01-24 16:01:11 -05:00
pkt_sched.h
net: remove prototype of qdisc_lookup_class()
2018-01-16 14:56:54 -05:00
pptp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
protocol.h
IPv4: early demux can return an error code
2017-10-01 03:55:47 +01:00
psample.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
psnap.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
raw.h
net: ipv4: add second dif to raw socket lookups
2017-08-07 11:39:21 -07:00
rawv6.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
red.h
net_sched: red: Avoid illegal values
2017-12-05 14:37:13 -05:00
regulatory.h
request_sock.h
tcp: socket option to set TCP fast open key
2017-10-20 13:21:36 +01:00
rose.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
route.h
udp: perform source validation for mcast early demux
2017-10-01 03:55:47 +01:00
rtnetlink.h
rtnetlink: remove __rtnl_register
2017-12-04 11:32:53 -05:00
sch_generic.h
net: sched: propagate extack to cls->destroy callbacks
2018-01-24 16:01:09 -05:00
scm.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
secure_seq.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
seg6_hmac.h
ipv6: sr: add core files for SR HMAC support
2016-11-09 20:40:06 -05:00
seg6.h
ipv6: sr: add support for ip4ip6 encapsulation
2017-08-25 17:10:23 -07:00
slhc_vj.h
smc.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
snmp.h
net: snmp: fix 64bit stats on 32bit arches
2016-04-28 11:49:45 -04:00
sock_reuseport.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
sock.h
net: ipv6: Allow connect to linklocal address from socket bound to vrf
2018-01-08 14:11:18 -05:00
Space.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
stp.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
strparser.h
strparser: Use delayed work instead of timer for msg timeout
2017-10-25 10:37:11 +09:00
switchdev.h
net: bridge: Add/del switchdev object on host join/leave
2017-11-10 13:41:40 +09:00
tcp_states.h
tcp.h
tcp: avoid min RTT bloat by skipping RTT from delayed-ACK in BBR
2018-01-19 15:39:30 -05:00
timewait_sock.h
tipc.h
tipc: improve link resiliency when rps is activated
2017-11-11 15:36:05 +09:00
tls.h
net/tls: Fix inverted error codes to avoid endless loop
2018-01-15 14:21:57 -05:00
transp_v6.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
tso.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
tun_proto.h
vxlan: factor out VXLAN-GPE next protocol
2017-08-29 15:16:52 -07:00
udp_tunnel.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
udp.h
IPv4: early demux can return an error code
2017-10-01 03:55:47 +01:00
udplite.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
vsock_addr.h
vxlan.h
vxlan: Fix trailing semicolon
2018-01-17 16:07:24 -05:00
wext.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
wimax.h
x25.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
x25device.h
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
2017-11-02 11:10:55 +01:00
xdp.h
xdp/qede: setup xdp_rxq_info and intro xdp_rxq_info_is_reg
2018-01-05 15:21:21 -08:00
xfrm.h
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2017-12-29 15:42:26 -05:00