linux/net/ipv6
Dave Jones a98f917589 ipv6: handle -EFAULT from skb_copy_bits
By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.

RIP: 0010:[<ffffffff817c6390>] [<ffffffff817c6390>] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:ffff881f6c4a7c18  EFLAGS: 00010282
RAX: 00000000fffffff2 RBX: ffff881f6c681680 RCX: 0000000000000002
RDX: ffff881f6c4a7cf8 RSI: 0000000000000030 RDI: ffff881fed0f6a00
RBP: ffff881f6c4a7da8 R08: 0000000000000000 R09: 0000000000000009
R10: ffff881fed0f6a00 R11: 0000000000000009 R12: 0000000000000030
R13: ffff881fed0f6a00 R14: ffff881fee39ba00 R15: ffff881fefa93a80

Call Trace:
 [<ffffffff8118ba23>] ? unmap_page_range+0x693/0x830
 [<ffffffff81772697>] inet_sendmsg+0x67/0xa0
 [<ffffffff816d93f8>] sock_sendmsg+0x38/0x50
 [<ffffffff816d982f>] SYSC_sendto+0xef/0x170
 [<ffffffff816da27e>] SyS_sendto+0xe/0x10
 [<ffffffff81002910>] do_syscall_64+0x50/0xa0
 [<ffffffff817f7cbc>] entry_SYSCALL64_slow_path+0x25/0x25

Handle by jumping to the failure path if skb_copy_bits gets an EFAULT.

Reproducer:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define LEN 504

int main(int argc, char* argv[])
{
	int fd;
	int zero = 0;
	char buf[LEN];

	memset(buf, 0, LEN);

	fd = socket(AF_INET6, SOCK_RAW, 7);

	setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
	setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);

	sendto(fd, buf, 1, 0, (struct sockaddr *) buf, 110);
}

Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-23 12:20:39 -05:00
..
ila ila: Fix crash caused by rhashtable changes 2016-11-02 15:26:02 -04:00
netfilter netfilter: nft_fib: convert htonl to ntohl properly 2016-12-06 21:42:20 +01:00
addrconf_core.c
addrconf.c ipv6 addrconf: Implemented enhanced DAD (RFC7527) 2016-12-03 23:21:37 -05:00
addrlabel.c ipv6/addrlabel: fix ip6addrlbl_get() 2015-12-22 15:57:54 -05:00
af_inet6.c bpf: Add new cgroup attach type to enable sock modifications 2016-12-02 13:46:08 -05:00
ah6.c net: inet: Support UID-based routing in IP protocols. 2016-11-04 14:45:23 -04:00
anycast.c
calipso.c calipso: fix resource leak on calipso_genopt failure 2016-08-13 14:56:17 -07:00
datagram.c inet: fix IP(V6)_RECVORIGDSTADDR for udp sockets 2016-12-23 12:19:18 -05:00
esp6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
exthdrs_core.c ipv6: constify the skb pointer of ipv6_find_tlv(). 2016-06-27 15:06:15 -04:00
exthdrs_offload.c
exthdrs.c ipv6: sr: add support for SRH injection through setsockopt 2016-11-09 20:40:06 -05:00
fib6_rules.c net: flow: Add l3mdev flow update 2016-09-10 23:12:51 -07:00
fou6.c fou: add Kconfig options for IPv6 support 2016-05-29 22:24:21 -07:00
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
inet6_connection_sock.c inet: Fix get port to handle zero port number with soreuseport set 2016-12-17 11:13:19 -05:00
inet6_hashtables.c inet: Fix missing return value in inet6_hash 2016-10-29 12:01:49 -04:00
ip6_checksum.c ipv6: fix checksum annotation in udp6_csum_init 2016-06-14 15:26:42 -04:00
ip6_fib.c ipv6: report NLM_F_CREATE and NLM_F_EXCL flags in RTM_NEWROUTE events 2016-09-09 16:50:23 -07:00
ip6_flowlabel.c ipv6: add new struct ipcm6_cookie 2016-05-03 16:08:14 -04:00
ip6_gre.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
ip6_icmp.c ipv6: icmp: add a force_saddr param to icmp6_send() 2016-06-18 22:11:38 -07:00
ip6_input.c net: vrf: ipv6 support for local traffic to local addresses 2016-06-08 00:25:38 -07:00
ip6_offload.c ip6_offload: check segs for NULL in ipv6_gso_segment. 2016-12-02 13:34:58 -05:00
ip6_offload.h udp: Add GRO functions to UDP socket 2016-04-07 16:53:29 -04:00
ip6_output.c net: ipv4, ipv6: run cgroup eBPF egress programs 2016-11-25 16:26:04 -05:00
ip6_tunnel.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
ip6_udp_tunnel.c ip6_udp_tunnel: remove unused IPCB related codes 2016-11-02 15:18:36 -04:00
ip6_vti.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
ip6mr.c net: pim: add all RFC7761 message types 2016-10-31 16:18:30 -04:00
ipcomp6.c net: inet: Support UID-based routing in IP protocols. 2016-11-04 14:45:23 -04:00
ipv6_sockglue.c ipv6: sr: add support for SRH injection through setsockopt 2016-11-09 20:40:06 -05:00
Kconfig ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
Makefile ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
mcast_snoop.c
mcast.c ipv6: fix a potential deadlock in do_ipv6_setsockopt() 2016-10-21 11:29:02 -04:00
mip6.c
ndisc.c ipv6 addrconf: Implemented enhanced DAD (RFC7527) 2016-12-03 23:21:37 -05:00
netfilter.c net: inet: Support UID-based routing in IP protocols. 2016-11-04 14:45:23 -04:00
output_core.c ipv6: Set skb->protocol properly for local output 2016-12-02 12:34:22 -05:00
ping.c net: inet: Support UID-based routing in IP protocols. 2016-11-04 14:45:23 -04:00
proc.c proc: Reduce cache miss in snmp6_seq_show 2016-09-30 01:50:44 -04:00
protocol.c
raw.c ipv6: handle -EFAULT from skb_copy_bits 2016-12-23 12:20:39 -05:00
reassembly.c ipv6: on reassembly, record frag_max_size 2016-11-03 15:41:11 -04:00
route.c net: ipv6: check route protocol when deleting routes 2016-12-17 21:37:06 -05:00
seg6_hmac.c ipv6: sr: add core files for SR HMAC support 2016-11-09 20:40:06 -05:00
seg6_iptunnel.c ipv6: sr: add calls to verify and insert HMAC signatures 2016-11-09 20:40:06 -05:00
seg6.c ipv6: sr: add option to control lwtunnel support 2016-11-16 11:29:46 -05:00
sit.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
syncookies.c tcp: randomize tcp timestamp offsets for each connection 2016-12-02 12:49:59 -05:00
sysctl_net_ipv6.c calipso: Add a label cache. 2016-06-27 15:06:17 -04:00
tcp_ipv6.c tcp: tsq: move tsq_flags close to sk_wmem_alloc 2016-12-05 13:32:24 -05:00
tcpv6_offload.c
tunnel6.c ipv6: fix tunnel error handling 2015-11-03 10:52:13 -05:00
udp_impl.h udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
udp_offload.c gso: Remove arbitrary checks for unsupported GSO 2016-05-20 18:03:15 -04:00
udp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-26 23:42:21 -05:00
udplite.c udplite: call proper backlog handlers 2016-11-24 15:32:14 -05:00
xfrm6_input.c vti6: fix input path 2016-09-21 10:09:14 +02:00
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c ipv6: update skb->csum when CE mark is propagated 2016-01-15 15:07:23 -05:00
xfrm6_output.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2015-10-24 06:54:12 -07:00
xfrm6_policy.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-09-12 15:52:44 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00