linux/net/ipv6
Ahmed Abdelsalam bb986a5042 seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds
The seg6_validate_srh() is used to validate SRH for three cases:

case1: SRH of data-plane SRv6 packets to be processed by the Linux kernel.
Case2: SRH of the netlink message received  from user-space (iproute2)
Case3: SRH injected into packets through setsockopt

In case1, the SRH can be encoded in the Reduced way (i.e., first SID is
carried in DA only and not represented as SID in the SRH) and the
seg6_validate_srh() now handles this case correctly.

In case2 and case3, the SRH shouldn’t be encoded in the Reduced way
otherwise we lose the first segment (i.e., the first hop).

The current implementation of the seg6_validate_srh() allow SRH of case2
and case3 to be encoded in the Reduced way. This leads a slab-out-of-bounds
problem.

This patch verifies SRH of case1, case2 and case3. Allowing case1 to be
reduced while preventing SRH of case2 and case3 from being reduced .

Reported-by: syzbot+e8c028b62439eac42073@syzkaller.appspotmail.com
Reported-by: YueHaibing <yuehaibing@huawei.com>
Fixes: 0cb7498f23 ("seg6: fix SRH processing to comply with RFC8754")
Signed-off-by: Ahmed Abdelsalam <ahabdels@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-06-04 15:39:32 -07:00
..
ila ila: remove unused inline function ila_addr_is_ila 2020-04-29 12:01:31 -07:00
netfilter netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
addrconf_core.c net: ipv6: new arg skip_notify to ip6_rt_del 2020-04-28 12:50:37 -07:00
addrconf.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next 2020-06-03 16:27:18 -07:00
addrlabel.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
af_inet6.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2020-05-29 13:02:33 -07:00
ah6.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
anycast.c net: ipv6: new arg skip_notify to ip6_rt_del 2020-04-28 12:50:37 -07:00
calipso.c netlabel: cope with NULL catmap 2020-05-12 18:12:40 -07:00
datagram.c net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-04 12:27:12 -08:00
esp6_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
esp6.c xfrm: add IPv6 support for espintcp 2020-04-28 11:28:36 +02:00
exthdrs_core.c ipv6: remove printk 2019-07-27 14:23:48 -07:00
exthdrs_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
exthdrs.c net: ipv6: add support for rpl sr exthdr 2020-03-29 22:30:57 -07:00
fib6_notifier.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
fib6_rules.c net: fib_notifier: propagate extack down to the notifier block callback 2019-10-04 11:10:56 -07:00
fou6.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
icmp.c net: icmp6: do not select saddr from iif when route has prefsrc set 2020-04-07 18:25:10 -07:00
inet6_connection_sock.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
inet6_hashtables.c net: annotate accesses to sk->sk_incoming_cpu 2019-10-30 13:24:25 -07:00
ip6_checksum.c net: udp: fix handling of CHECKSUM_COMPLETE packets 2018-10-24 14:18:16 -07:00
ip6_fib.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-24 13:47:27 -07:00
ip6_flowlabel.c ipv6: fix static key imbalance in fl_create() 2019-07-11 14:43:25 -07:00
ip6_gre.c net: ip6_gre: Distribute switch variables for initialization 2020-02-20 10:00:19 -08:00
ip6_icmp.c icmp: introduce helper for nat'd source address in network device context 2020-02-13 14:19:00 -08:00
ip6_input.c bpf: Add socket assign support 2020-03-30 13:45:04 -07:00
ip6_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6_offload.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
ip6_output.c net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc. 2020-02-24 13:31:42 -08:00
ip6_tunnel.c ip6_tunnel: add generic MPLS receive support 2020-05-22 15:49:31 -07:00
ip6_udp_tunnel.c net: Make locking in sock_bindtoindex optional 2020-06-01 14:57:14 -07:00
ip6_vti.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
ip6mr.c net: don't return invalid table id error when we fall back to PF_UNSPEC 2020-05-21 17:25:50 -07:00
ipcomp6.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
ipv6_sockglue.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
Kconfig Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2020-05-29 13:02:33 -07:00
Makefile net: ipv6: add rpl sr tunnel 2020-03-29 22:30:57 -07:00
mcast_snoop.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 343 2019-06-05 17:37:07 +02:00
mcast.c ip6_mc_msfilter(): pass the address list separately 2020-05-20 20:31:29 -04:00
mip6.c xfrm: remove type and offload_type map from xfrm_state_afinfo 2019-06-06 08:34:50 +02:00
ndisc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-05-01 17:02:27 -07:00
netfilter.c net: ensure correct skb->tstamp in various fragmenters 2019-10-18 10:02:37 -07:00
output_core.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
ping.c ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' 2019-09-12 11:20:33 +01:00
proc.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-07 11:00:14 -07:00
protocol.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
raw.c ipv6: move SIOCADDRT and SIOCDELRT handling into ->compat_ioctl 2020-05-18 17:35:02 -07:00
reassembly.c inet: frags: re-introduce skb coalescing for local delivery 2019-08-08 15:55:10 -07:00
route.c nexthop: support for fdb ecmp nexthops 2020-05-22 14:00:38 -07:00
rpl_iptunnel.c net: ipv6: rpl_iptunnel: remove redundant assignments to variable err 2020-04-02 06:57:34 -07:00
rpl.c ipv6: rpl: fix full address compression 2020-04-18 15:04:27 -07:00
seg6_hmac.c crypto: lib/sha1 - remove unnecessary includes of linux/cryptohash.h 2020-05-08 15:32:17 +10:00
seg6_iptunnel.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
seg6_local.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
seg6.c seg6: fix seg6_validate_srh() to avoid slab-out-of-bounds 2020-06-04 15:39:32 -07:00
sit.c sit: impement ->ndo_tunnel_ctl 2020-05-19 15:45:12 -07:00
syncookies.c mptcp: handle tcp fallback when using syn cookies 2020-01-29 17:45:20 +01:00
sysctl_net_ipv6.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
tcp_ipv6.c crypto/chtls: IPv6 support for inline TLS 2020-06-01 15:51:25 -07:00
tcpv6_offload.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
tunnel6.c tunnel6: support for IPPROTO_MPLS 2020-05-22 15:49:30 -07:00
udp_impl.h udp6: add missing rehash callback to udplite 2019-01-17 15:01:08 -08:00
udp_offload.c udp: Support UDP fraglist GRO/GSO. 2020-01-27 11:00:21 +01:00
udp.c net: Track socket refcounts in skb_steal_sock() 2020-03-30 13:45:04 -07:00
udplite.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xfrm6_input.c xfrm: state: remove extract_input indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_output.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_policy.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2019-12-24 22:28:54 -08:00
xfrm6_protocol.c xfrm: add support for UDPv6 encapsulation of ESP 2020-04-28 11:28:36 +02:00
xfrm6_state.c xfrm: remove output_finish indirection from xfrm_state_afinfo 2020-05-06 09:40:08 +02:00
xfrm6_tunnel.c ipv6: xfrm6_tunnel.c: Use built-in RCU list checking 2020-02-27 10:17:41 +01:00