linux/net/core
Eric Dumazet a4270d6795 net-gro: fix use-after-free read in napi_gro_frags()
If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.

Reading eth->h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.

BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957

CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
 napi_frags_skb net/core/dev.c:5833 [inline]
 napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
 call_write_iter include/linux/fs.h:1872 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058

Fixes: a50e233c50 ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-05-30 14:52:14 -07:00
bpf_sk_storage.c bpf: Use PTR_ERR_OR_ZERO in bpf_fd_sk_storage_update_elem() 2019-05-04 23:20:58 -07:00
datagram.c datagram: remove redundant 'peeked' argument 2019-04-08 09:51:54 -07:00
datagram.h net/core: Allow the compiler to verify declaration and definition consistency 2019-03-27 13:49:44 -07:00
dev_addr_lists.c net: dev: Issue NETDEV_PRE_CHANGEADDR 2018-12-13 18:41:38 -08:00
dev_ioctl.c net/core: Document all dev_ioctl() arguments 2019-03-27 13:49:43 -07:00
dev.c net-gro: fix use-after-free read in napi_gro_frags() 2019-05-30 14:52:14 -07:00
devlink.c devlink: Change devlink health locking mechanism 2019-05-01 11:07:03 -04:00
drop_monitor.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
dst_cache.c net: core: dst_cache_set_ip6: Rename 'addr' parameter to 'saddr' for consistency 2018-03-05 12:52:45 -05:00
dst.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
ethtool.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-04-05 14:14:19 -07:00
failover.c failover: allow name change on IFF_UP slave interfaces 2019-04-10 22:12:26 -07:00
fib_notifier.c net: Fix fib notifier to return errno 2018-03-29 14:10:30 -04:00
fib_rules.c fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied 2019-05-08 09:32:10 -07:00
filter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2019-04-28 08:42:41 -04:00
flow_dissector.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
flow_offload.c flow_offload: support CVLAN match 2019-05-16 12:02:42 -07:00
gen_estimator.c net: core: protect rate estimator statistics pointer with lock 2018-08-11 12:37:10 -07:00
gen_stats.c Revert: "net: sched: put back q.qlen into a single location" 2019-04-10 12:20:46 -07:00
gro_cells.c gro_cells: make sure device is up in gro_cells_receive() 2019-03-10 11:07:14 -07:00
hwbm.c
link_watch.c net: linkwatch: add check for netdevice being present to linkwatch_do_dev 2018-09-19 21:06:46 -07:00
lwt_bpf.c netlink: make validation more configurable for future strictness 2019-04-27 17:07:21 -04:00
lwtunnel.c netlink: make nla_nest_start() add NLA_F_NESTED flag 2019-04-27 17:03:44 -04:00
Makefile bpf: Introduce bpf sk local storage 2019-04-27 09:07:04 -07:00
neighbour.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-05-07 17:22:09 -07:00
net_namespace.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
net-procfs.c treewide: Switch printk users from %pf and %pF to %ps and %pS, respectively 2019-04-09 14:19:06 +02:00
net-sysfs.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-05-07 22:03:58 -07:00
net-sysfs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
net-traces.c trace: events: add a few neigh tracepoints 2019-02-17 10:33:39 -08:00
netclassid_cgroup.c cgroup, netclassid: add a preemption point to write_classid 2018-10-23 12:58:17 -07:00
netevent.c
netpoll.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
netprio_cgroup.c cgroup: net: remove left over MODULE_LICENSE tag 2019-04-22 21:50:54 -07:00
page_pool.c page_pool: use DMA_ATTR_SKIP_CPU_SYNC for DMA mappings 2019-02-13 22:00:16 -08:00
pktgen.c xfrm: remove output indirection from xfrm_mode 2019-04-08 09:14:28 +02:00
ptp_classifier.c net/core: work around section mismatch warning for ptp_classifier 2019-04-16 20:46:17 -07:00
request_sock.c
rtnetlink.c rtnetlink: always put IFLA_LINK for links with a link-netnsid 2019-05-14 15:40:01 -07:00
scm.c socket: Add SO_TIMESTAMPING_NEW 2019-02-03 11:17:31 -08:00
secure_seq.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00
skbuff.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2019-04-22 21:35:55 -07:00
skmsg.c bpf: sockmap fix msg->sg.size account on ingress skb 2019-05-14 01:31:43 +02:00
sock_diag.c net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() 2018-08-14 10:01:24 -07:00
sock_map.c bpf: skmsg, fix psock create on existing kcm/tls port 2018-10-20 00:40:45 +02:00
sock_reuseport.c net/core: Document reuseport_add_sock() bind_inany argument 2019-03-27 13:49:43 -07:00
sock.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2019-04-28 08:42:41 -04:00
stream.c tcp: reduce POLLOUT events caused by TCP_NOTSENT_LOWAT 2018-12-04 21:21:18 -08:00
sysctl_net_core.c net: convert rps_needed and rfs_needed to new static branch api 2019-03-23 21:57:38 -04:00
timestamping.c
tso.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
utils.c net: Remove some unneeded semicolon 2018-08-04 13:05:39 -07:00
xdp.c xdp: remove redundant variable 'headroom' 2018-09-01 01:35:53 +02:00