mirrors/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-01-28 18:22:49 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
628185cfddf1dfb701c4efe2cfd72cf5b09f5702
linux/net/ipv6
History
Dave Jones a98f917589 ipv6: handle -EFAULT from skb_copy_bits 
By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.

RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:ffff881f6c4a7c18  EFLAGS: 00010282
RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80

Call Trace:
 [<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
 [<ffffffff81772697>] inet_sendmsg+0x67/0xa0
 [<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
 [<ffffffff816d982f>] SYSC_sendto+0xef/0x170
 [<ffffffff816da27e>] SyS_sendto+0xe/0x10
 [<ffffffff81002910>] do_syscall_64+0x50/0xa0
 [<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25

Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.

Reproducer:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LEN 504

int main(int argc, char* argv[])
{
	int fd;
	int zero = 0;
	char buf[LEN];

	memset(buf, 0, LEN);

	fd = socket(AF_INET6, SOCK_RAW, 7);

	setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
	setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);

	sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
}

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-23 12:20:39 -05:00
..
ila
ila: Fix crash caused by rhashtable changes
2016-11-02 15:26:02 -04:00
netfilter
netfilter: nft_fib: convert htonl to ntohl properly
2016-12-06 21:42:20 +01:00
addrconf_core.c
ipv6: change ipv6_stub_impl.ipv6_dst_lookup to take net argument
2015-07-31 15:21:30 -07:00
addrconf.c
ipv6 addrconf: Implemented enhanced DAD (RFC7527)
2016-12-03 23:21:37 -05:00
addrlabel.c
ipv6/addrlabel: fix ip6addrlbl_get()
2015-12-22 15:57:54 -05:00
af_inet6.c
bpf: Add new cgroup attach type to enable sock modifications
2016-12-02 13:46:08 -05:00
ah6.c
net: inet: Support UID-based routing in IP protocols.
2016-11-04 14:45:23 -04:00
anycast.c
ipv6: coding style: comparison for equality with NULL
2015-03-31 13:51:54 -04:00
calipso.c
calipso: fix resource leak on calipso_genopt failure
2016-08-13 14:56:17 -07:00
datagram.c
inet: fix IP(V6)_RECVORIGDSTADDR for udp sockets
2016-12-23 12:19:18 -05:00
esp6.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-12-03 12:29:53 -05:00
exthdrs_core.c
ipv6: constify the skb pointer of ipv6_find_tlv().
2016-06-27 15:06:15 -04:00
exthdrs_offload.c
ipv6: fix exthdrs offload registration in out_rt path
2015-09-02 15:31:00 -07:00
exthdrs.c
ipv6: sr: add support for SRH injection through setsockopt
2016-11-09 20:40:06 -05:00
fib6_rules.c
net: flow: Add l3mdev flow update
2016-09-10 23:12:51 -07:00
fou6.c
fou: add Kconfig options for IPv6 support
2016-05-29 22:24:21 -07:00
icmp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-12-03 12:29:53 -05:00
inet6_connection_sock.c
inet: Fix get port to handle zero port number with soreuseport set
2016-12-17 11:13:19 -05:00
inet6_hashtables.c
inet: Fix missing return value in inet6_hash
2016-10-29 12:01:49 -04:00
ip6_checksum.c
ipv6: fix checksum annotation in udp6_csum_init
2016-06-14 15:26:42 -04:00
ip6_fib.c
ipv6: report NLM_F_CREATE and NLM_F_EXCL flags in RTM_NEWROUTE events
2016-09-09 16:50:23 -07:00
ip6_flowlabel.c
ipv6: add new struct ipcm6_cookie
2016-05-03 16:08:14 -04:00
ip6_gre.c
netns: make struct pernet_operations::id unsigned int
2016-11-18 10:59:15 -05:00
ip6_icmp.c
ipv6: icmp: add a force_saddr param to icmp6_send()
2016-06-18 22:11:38 -07:00
ip6_input.c
net: vrf: ipv6 support for local traffic to local addresses
2016-06-08 00:25:38 -07:00
ip6_offload.c
ip6_offload: check segs for NULL in ipv6_gso_segment.
2016-12-02 13:34:58 -05:00
ip6_offload.h
udp: Add GRO functions to UDP socket
2016-04-07 16:53:29 -04:00
ip6_output.c
net: ipv4, ipv6: run cgroup eBPF egress programs
2016-11-25 16:26:04 -05:00
ip6_tunnel.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-12-03 12:29:53 -05:00
ip6_udp_tunnel.c
ip6_udp_tunnel: remove unused IPCB related codes
2016-11-02 15:18:36 -04:00
ip6_vti.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-12-03 12:29:53 -05:00
ip6mr.c
net: pim: add all RFC7761 message types
2016-10-31 16:18:30 -04:00
ipcomp6.c
net: inet: Support UID-based routing in IP protocols.
2016-11-04 14:45:23 -04:00
ipv6_sockglue.c
ipv6: sr: add support for SRH injection through setsockopt
2016-11-09 20:40:06 -05:00
Kconfig
ipv6: sr: add option to control lwtunnel support
2016-11-16 11:29:46 -05:00
Makefile
ipv6: sr: add option to control lwtunnel support
2016-11-16 11:29:46 -05:00
mcast_snoop.c
net: fix wrong skb_get() usage / crash in IGMP/MLD parsing code
2015-08-13 17:08:39 -07:00
mcast.c
ipv6: fix a potential deadlock in do_ipv6_setsockopt()
2016-10-21 11:29:02 -04:00
mip6.c
ipv6: use ktime_t for internal timestamps
2015-10-05 03:16:47 -07:00
ndisc.c
ipv6 addrconf: Implemented enhanced DAD (RFC7527)
2016-12-03 23:21:37 -05:00
netfilter.c
net: inet: Support UID-based routing in IP protocols.
2016-11-04 14:45:23 -04:00
output_core.c
ipv6: Set skb->protocol properly for local output
2016-12-02 12:34:22 -05:00
ping.c
net: inet: Support UID-based routing in IP protocols.
2016-11-04 14:45:23 -04:00
proc.c
proc: Reduce cache miss in snmp6_seq_show
2016-09-30 01:50:44 -04:00
protocol.c
net: Export inet_offloads and inet6_offloads
2014-09-19 17:15:31 -04:00
raw.c
ipv6: handle -EFAULT from skb_copy_bits
2016-12-23 12:20:39 -05:00
reassembly.c
ipv6: on reassembly, record frag_max_size
2016-11-03 15:41:11 -04:00
route.c
net: ipv6: check route protocol when deleting routes
2016-12-17 21:37:06 -05:00
seg6_hmac.c
ipv6: sr: add core files for SR HMAC support
2016-11-09 20:40:06 -05:00
seg6_iptunnel.c
ipv6: sr: add calls to verify and insert HMAC signatures
2016-11-09 20:40:06 -05:00
seg6.c
ipv6: sr: add option to control lwtunnel support
2016-11-16 11:29:46 -05:00
sit.c
netns: make struct pernet_operations::id unsigned int
2016-11-18 10:59:15 -05:00
syncookies.c
tcp: randomize tcp timestamp offsets for each connection
2016-12-02 12:49:59 -05:00
sysctl_net_ipv6.c
calipso: Add a label cache.
2016-06-27 15:06:17 -04:00
tcp_ipv6.c
tcp: tsq: move tsq_flags close to sk_wmem_alloc
2016-12-05 13:32:24 -05:00
tcpv6_offload.c
tcp: cleanup static functions
2015-02-28 16:56:51 -05:00
tunnel6.c
ipv6: fix tunnel error handling
2015-11-03 10:52:13 -05:00
udp_impl.h
udplite: call proper backlog handlers
2016-11-24 15:32:14 -05:00
udp_offload.c
gso: Remove arbitrary checks for unsupported GSO
2016-05-20 18:03:15 -04:00
udp.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-11-26 23:42:21 -05:00
udplite.c
udplite: call proper backlog handlers
2016-11-24 15:32:14 -05:00
xfrm6_input.c
vti6: fix input path
2016-09-21 10:09:14 +02:00
xfrm6_mode_beet.c
xfrm: simplify xfrm_address_t use
2015-03-31 13:58:35 -04:00
xfrm6_mode_ro.c
ipv4/ipv6: Fix FSF address in file headers
2013-12-06 12:37:56 -05:00
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
ipv6: update skb->csum when CE mark is propagated
2016-01-15 15:07:23 -05:00
xfrm6_output.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2015-10-24 06:54:12 -07:00
xfrm6_policy.c
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
2016-09-12 15:52:44 -07:00
xfrm6_protocol.c
xfrm6: Properly handle unsupported protocols
2014-05-06 07:08:38 +02:00
xfrm6_state.c
ipv6: White-space cleansing : Line Layouts
2014-08-24 22:37:52 -07:00
xfrm6_tunnel.c
netns: make struct pernet_operations::id unsigned int
2016-11-18 10:59:15 -05:00