linux/net/ipv6/netfilter
Taehee Yoo 5d407b071d ip: frags: fix crash in ip_do_fragment()
A kernel crash occurrs when defragmented packet is fragmented
in ip_do_fragment().
In defragment routine, skb_orphan() is called and
skb->ip_defrag_offset is set. but skb->sk and
skb->ip_defrag_offset are same union member. so that
frag->sk is not NULL.
Hence crash occurrs in skb->sk check routine in ip_do_fragment() when
defragmented packet is fragmented.

test commands:
   %iptables -t nat -I POSTROUTING -j MASQUERADE
   %hping3 192.168.4.2 -s 1000 -p 2000 -d 60000

splat looks like:
[  261.069429] kernel BUG at net/ipv4/ip_output.c:636!
[  261.075753] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
[  261.083854] CPU: 1 PID: 1349 Comm: hping3 Not tainted 4.19.0-rc2+ #3
[  261.100977] RIP: 0010:ip_do_fragment+0x1613/0x2600
[  261.106945] Code: e8 e2 38 e3 fe 4c 8b 44 24 18 48 8b 74 24 08 e9 92 f6 ff ff 80 3c 02 00 0f 85 da 07 00 00 48 8b b5 d0 00 00 00 e9 25 f6 ff ff <0f> 0b 0f 0b 44 8b 54 24 58 4c 8b 4c 24 18 4c 8b 5c 24 60 4c 8b 6c
[  261.127015] RSP: 0018:ffff8801031cf2c0 EFLAGS: 00010202
[  261.134156] RAX: 1ffff1002297537b RBX: ffffed0020639e6e RCX: 0000000000000004
[  261.142156] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880114ba9bd8
[  261.150157] RBP: ffff880114ba8a40 R08: ffffed0022975395 R09: ffffed0022975395
[  261.158157] R10: 0000000000000001 R11: ffffed0022975394 R12: ffff880114ba9ca4
[  261.166159] R13: 0000000000000010 R14: ffff880114ba9bc0 R15: dffffc0000000000
[  261.174169] FS:  00007fbae2199700(0000) GS:ffff88011b400000(0000) knlGS:0000000000000000
[  261.183012] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  261.189013] CR2: 00005579244fe000 CR3: 0000000119bf4000 CR4: 00000000001006e0
[  261.198158] Call Trace:
[  261.199018]  ? dst_output+0x180/0x180
[  261.205011]  ? save_trace+0x300/0x300
[  261.209018]  ? ip_copy_metadata+0xb00/0xb00
[  261.213034]  ? sched_clock_local+0xd4/0x140
[  261.218158]  ? kill_l4proto+0x120/0x120 [nf_conntrack]
[  261.223014]  ? rt_cpu_seq_stop+0x10/0x10
[  261.227014]  ? find_held_lock+0x39/0x1c0
[  261.233008]  ip_finish_output+0x51d/0xb50
[  261.237006]  ? ip_fragment.constprop.56+0x220/0x220
[  261.243011]  ? nf_ct_l4proto_register_one+0x5b0/0x5b0 [nf_conntrack]
[  261.250152]  ? rcu_is_watching+0x77/0x120
[  261.255010]  ? nf_nat_ipv4_out+0x1e/0x2b0 [nf_nat_ipv4]
[  261.261033]  ? nf_hook_slow+0xb1/0x160
[  261.265007]  ip_output+0x1c7/0x710
[  261.269005]  ? ip_mc_output+0x13f0/0x13f0
[  261.273002]  ? __local_bh_enable_ip+0xe9/0x1b0
[  261.278152]  ? ip_fragment.constprop.56+0x220/0x220
[  261.282996]  ? nf_hook_slow+0xb1/0x160
[  261.287007]  raw_sendmsg+0x21f9/0x4420
[  261.291008]  ? dst_output+0x180/0x180
[  261.297003]  ? sched_clock_cpu+0x126/0x170
[  261.301003]  ? find_held_lock+0x39/0x1c0
[  261.306155]  ? stop_critical_timings+0x420/0x420
[  261.311004]  ? check_flags.part.36+0x450/0x450
[  261.315005]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.320995]  ? _raw_spin_unlock_irq+0x29/0x40
[  261.326142]  ? cyc2ns_read_end+0x10/0x10
[  261.330139]  ? raw_bind+0x280/0x280
[  261.334138]  ? sched_clock_cpu+0x126/0x170
[  261.338995]  ? check_flags.part.36+0x450/0x450
[  261.342991]  ? __lock_acquire+0x4500/0x4500
[  261.348994]  ? inet_sendmsg+0x11c/0x500
[  261.352989]  ? dst_output+0x180/0x180
[  261.357012]  inet_sendmsg+0x11c/0x500
[ ... ]

v2:
 - clear skb->sk at reassembly routine.(Eric Dumarzet)

Fixes: fa0f527358 ("ip: use rb trees for IP frag queue.")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-09 14:50:56 -07:00
..
ip6_tables.c netfilter: x_tables: set module owner for icmp(6) matches 2018-07-05 11:45:11 +02:00
ip6t_ah.c
ip6t_eui64.c
ip6t_frag.c
ip6t_hbh.c
ip6t_ipv6header.c netfilter: remove unnecessary break after return 2014-07-15 16:27:00 -07:00
ip6t_MASQUERADE.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
ip6t_mh.c
ip6t_NPT.c xtables: extend matches and targets with .usersize 2017-01-09 17:24:55 +01:00
ip6t_REJECT.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
ip6t_rpfilter.c netfilter: ip6t_rpfilter: set F_IFACE for linklocal addresses 2018-08-16 19:36:58 +02:00
ip6t_rt.c
ip6t_srh.c netfilter: ip6t_srh: extend SRH matching for previous, next and last SID 2018-05-06 23:33:03 +02:00
ip6t_SYNPROXY.c netfilter: ctnetlink: synproxy support 2018-03-20 14:39:31 +01:00
ip6table_filter.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ip6table_mangle.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ip6table_nat.c netfilter: nf_nat: add nat type hooks to nat core 2018-05-23 09:14:06 +02:00
ip6table_raw.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
ip6table_security.c net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
Kconfig netfilter: conntrack: remove l3proto abstraction 2018-07-17 15:27:49 +02:00
Makefile netfilter: conntrack: remove l3proto abstraction 2018-07-17 15:27:49 +02:00
nf_conntrack_reasm.c ip: frags: fix crash in ip_do_fragment() 2018-09-09 14:50:56 -07:00
nf_defrag_ipv6_hooks.c ipv6: remove dependency of nf_defrag_ipv6 on ipv6 module 2018-07-18 11:26:53 +02:00
nf_dup_ipv6.c netfilter: kill the fake untracked conntrack objects 2017-04-15 11:47:57 +02:00
nf_flow_table_ipv6.c netfilter: nf_flow_table: move init code to nf_flow_table_core.c 2018-04-24 10:28:45 +02:00
nf_log_ipv6.c netfilter: check if the socket netns is correct. 2018-06-28 22:21:32 +09:00
nf_nat_l3proto_ipv6.c netfilter: nf_nat: add nat type hooks to nat core 2018-05-23 09:14:06 +02:00
nf_nat_masquerade_ipv6.c netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module 2018-05-29 00:25:36 +02:00
nf_nat_proto_icmpv6.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nf_reject_ipv6.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
nf_socket_ipv6.c netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6} 2018-03-24 21:17:14 +01:00
nf_tproxy_ipv6.c netfilter: nf_tproxy: fix possible non-linear access to transport header 2018-07-06 14:32:44 +02:00
nft_chain_nat_ipv6.c netfilter: nf_nat: add nat type hooks to nat core 2018-05-23 09:14:06 +02:00
nft_chain_route_ipv6.c netfilter: nf_tables: nft_register_chain_type() returns void 2018-03-30 11:29:18 +02:00
nft_dup_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-11-15 10:54:36 -05:00
nft_fib_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-03-06 01:20:46 -05:00
nft_masq_ipv6.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nft_redir_ipv6.c netfilter: add NAT support for shifted portmap ranges 2018-04-24 10:29:12 +02:00
nft_reject_ipv6.c netfilter: nf_tables: use hook state from xt_action_param structure 2016-11-03 11:52:34 +01:00