forked from Minki/linux
38f88c4540
syzbot managed to send an IPX packet through bond_alb_xmit()
and af_packet and triggered a use-after-free.
First, bond_alb_xmit() was using ipx_hdr() helper to reach
the IPX header, but ipx_hdr() was using the transport offset
instead of the network offset. In the particular syzbot
report transport offset was 0xFFFF
This patch removes ipx_hdr() since it was only (mis)used from bonding.
Then we need to make sure IPv4/IPv6/IPX headers are pulled
in skb->head before dereferencing anything.
BUG: KASAN: use-after-free in bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
Read of size 2 at addr ffff8801ce56dfff by task syz-executor.2/18108
(if (ipx_hdr(skb)->ipx_checksum != IPX_NO_CHECKSUM) ...)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
[<ffffffff8441fc42>] __dump_stack lib/dump_stack.c:17 [inline]
[<ffffffff8441fc42>] dump_stack+0x14d/0x20b lib/dump_stack.c:53
[<ffffffff81a7dec4>] print_address_description+0x6f/0x20b mm/kasan/report.c:282
[<ffffffff81a7e0ec>] kasan_report_error mm/kasan/report.c:380 [inline]
[<ffffffff81a7e0ec>] kasan_report mm/kasan/report.c:438 [inline]
[<ffffffff81a7e0ec>] kasan_report.cold+0x8c/0x2a0 mm/kasan/report.c:422
[<ffffffff81a7dc4f>] __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:469
[<ffffffff82c8c00a>] bond_alb_xmit+0x153a/0x1590 drivers/net/bonding/bond_alb.c:1452
[<ffffffff82c60c74>] __bond_start_xmit drivers/net/bonding/bond_main.c:4199 [inline]
[<ffffffff82c60c74>] bond_start_xmit+0x4f4/0x1570 drivers/net/bonding/bond_main.c:4224
[<ffffffff83baa558>] __netdev_start_xmit include/linux/netdevice.h:4525 [inline]
[<ffffffff83baa558>] netdev_start_xmit include/linux/netdevice.h:4539 [inline]
[<ffffffff83baa558>] xmit_one net/core/dev.c:3611 [inline]
[<ffffffff83baa558>] dev_hard_start_xmit+0x168/0x910 net/core/dev.c:3627
[<ffffffff83bacf35>] __dev_queue_xmit+0x1f55/0x33b0 net/core/dev.c:4238
[<ffffffff83bae3a8>] dev_queue_xmit+0x18/0x20 net/core/dev.c:4278
[<ffffffff84339189>] packet_snd net/packet/af_packet.c:3226 [inline]
[<ffffffff84339189>] packet_sendmsg+0x4919/0x70b0 net/packet/af_packet.c:3252
[<ffffffff83b1ac0c>] sock_sendmsg_nosec net/socket.c:673 [inline]
[<ffffffff83b1ac0c>] sock_sendmsg+0x12c/0x160 net/socket.c:684
[<ffffffff83b1f5a2>] __sys_sendto+0x262/0x380 net/socket.c:1996
[<ffffffff83b1f700>] SYSC_sendto net/socket.c:2008 [inline]
[<ffffffff83b1f700>] SyS_sendto+0x40/0x60 net/socket.c:2004
Fixes: 1da177e4c3
("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jay Vosburgh <j.vosburgh@gmail.com>
Cc: Veaceslav Falico <vfalico@gmail.com>
Cc: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
172 lines
4.3 KiB
C
172 lines
4.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef _NET_INET_IPX_H_
|
|
#define _NET_INET_IPX_H_
|
|
/*
|
|
* The following information is in its entirety obtained from:
|
|
*
|
|
* Novell 'IPX Router Specification' Version 1.10
|
|
* Part No. 107-000029-001
|
|
*
|
|
* Which is available from ftp.novell.com
|
|
*/
|
|
|
|
#include <linux/netdevice.h>
|
|
#include <net/datalink.h>
|
|
#include <linux/ipx.h>
|
|
#include <linux/list.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/refcount.h>
|
|
|
|
struct ipx_address {
|
|
__be32 net;
|
|
__u8 node[IPX_NODE_LEN];
|
|
__be16 sock;
|
|
};
|
|
|
|
#define ipx_broadcast_node "\377\377\377\377\377\377"
|
|
#define ipx_this_node "\0\0\0\0\0\0"
|
|
|
|
#define IPX_MAX_PPROP_HOPS 8
|
|
|
|
struct ipxhdr {
|
|
__be16 ipx_checksum __packed;
|
|
#define IPX_NO_CHECKSUM cpu_to_be16(0xFFFF)
|
|
__be16 ipx_pktsize __packed;
|
|
__u8 ipx_tctrl;
|
|
__u8 ipx_type;
|
|
#define IPX_TYPE_UNKNOWN 0x00
|
|
#define IPX_TYPE_RIP 0x01 /* may also be 0 */
|
|
#define IPX_TYPE_SAP 0x04 /* may also be 0 */
|
|
#define IPX_TYPE_SPX 0x05 /* SPX protocol */
|
|
#define IPX_TYPE_NCP 0x11 /* $lots for docs on this (SPIT) */
|
|
#define IPX_TYPE_PPROP 0x14 /* complicated flood fill brdcast */
|
|
struct ipx_address ipx_dest __packed;
|
|
struct ipx_address ipx_source __packed;
|
|
};
|
|
|
|
/* From af_ipx.c */
|
|
extern int sysctl_ipx_pprop_broadcasting;
|
|
|
|
struct ipx_interface {
|
|
/* IPX address */
|
|
__be32 if_netnum;
|
|
unsigned char if_node[IPX_NODE_LEN];
|
|
refcount_t refcnt;
|
|
|
|
/* physical device info */
|
|
struct net_device *if_dev;
|
|
struct datalink_proto *if_dlink;
|
|
__be16 if_dlink_type;
|
|
|
|
/* socket support */
|
|
unsigned short if_sknum;
|
|
struct hlist_head if_sklist;
|
|
spinlock_t if_sklist_lock;
|
|
|
|
/* administrative overhead */
|
|
int if_ipx_offset;
|
|
unsigned char if_internal;
|
|
unsigned char if_primary;
|
|
|
|
struct list_head node; /* node in ipx_interfaces list */
|
|
};
|
|
|
|
struct ipx_route {
|
|
__be32 ir_net;
|
|
struct ipx_interface *ir_intrfc;
|
|
unsigned char ir_routed;
|
|
unsigned char ir_router_node[IPX_NODE_LEN];
|
|
struct list_head node; /* node in ipx_routes list */
|
|
refcount_t refcnt;
|
|
};
|
|
|
|
struct ipx_cb {
|
|
u8 ipx_tctrl;
|
|
__be32 ipx_dest_net;
|
|
__be32 ipx_source_net;
|
|
struct {
|
|
__be32 netnum;
|
|
int index;
|
|
} last_hop;
|
|
};
|
|
|
|
#include <net/sock.h>
|
|
|
|
struct ipx_sock {
|
|
/* struct sock has to be the first member of ipx_sock */
|
|
struct sock sk;
|
|
struct ipx_address dest_addr;
|
|
struct ipx_interface *intrfc;
|
|
__be16 port;
|
|
#ifdef CONFIG_IPX_INTERN
|
|
unsigned char node[IPX_NODE_LEN];
|
|
#endif
|
|
unsigned short type;
|
|
/*
|
|
* To handle special ncp connection-handling sockets for mars_nwe,
|
|
* the connection number must be stored in the socket.
|
|
*/
|
|
unsigned short ipx_ncp_conn;
|
|
};
|
|
|
|
static inline struct ipx_sock *ipx_sk(struct sock *sk)
|
|
{
|
|
return (struct ipx_sock *)sk;
|
|
}
|
|
|
|
#define IPX_SKB_CB(__skb) ((struct ipx_cb *)&((__skb)->cb[0]))
|
|
|
|
#define IPX_MIN_EPHEMERAL_SOCKET 0x4000
|
|
#define IPX_MAX_EPHEMERAL_SOCKET 0x7fff
|
|
|
|
extern struct list_head ipx_routes;
|
|
extern rwlock_t ipx_routes_lock;
|
|
|
|
extern struct list_head ipx_interfaces;
|
|
struct ipx_interface *ipx_interfaces_head(void);
|
|
extern spinlock_t ipx_interfaces_lock;
|
|
|
|
extern struct ipx_interface *ipx_primary_net;
|
|
|
|
int ipx_proc_init(void);
|
|
void ipx_proc_exit(void);
|
|
|
|
const char *ipx_frame_name(__be16);
|
|
const char *ipx_device_name(struct ipx_interface *intrfc);
|
|
|
|
static __inline__ void ipxitf_hold(struct ipx_interface *intrfc)
|
|
{
|
|
refcount_inc(&intrfc->refcnt);
|
|
}
|
|
|
|
void ipxitf_down(struct ipx_interface *intrfc);
|
|
struct ipx_interface *ipxitf_find_using_net(__be32 net);
|
|
int ipxitf_send(struct ipx_interface *intrfc, struct sk_buff *skb, char *node);
|
|
__be16 ipx_cksum(struct ipxhdr *packet, int length);
|
|
int ipxrtr_add_route(__be32 network, struct ipx_interface *intrfc,
|
|
unsigned char *node);
|
|
void ipxrtr_del_routes(struct ipx_interface *intrfc);
|
|
int ipxrtr_route_packet(struct sock *sk, struct sockaddr_ipx *usipx,
|
|
struct msghdr *msg, size_t len, int noblock);
|
|
int ipxrtr_route_skb(struct sk_buff *skb);
|
|
struct ipx_route *ipxrtr_lookup(__be32 net);
|
|
int ipxrtr_ioctl(unsigned int cmd, void __user *arg);
|
|
|
|
static __inline__ void ipxitf_put(struct ipx_interface *intrfc)
|
|
{
|
|
if (refcount_dec_and_test(&intrfc->refcnt))
|
|
ipxitf_down(intrfc);
|
|
}
|
|
|
|
static __inline__ void ipxrtr_hold(struct ipx_route *rt)
|
|
{
|
|
refcount_inc(&rt->refcnt);
|
|
}
|
|
|
|
static __inline__ void ipxrtr_put(struct ipx_route *rt)
|
|
{
|
|
if (refcount_dec_and_test(&rt->refcnt))
|
|
kfree(rt);
|
|
}
|
|
#endif /* _NET_INET_IPX_H_ */
|