From: Alexey Kodanev <alexey.kodanev@oracle.com>
Date: Tue, 12 Sep 2017 14:53:46 +0300
Subject: vti: fix NULL dereference in xfrm_input()
Patch-mainline: v4.14-rc5
Git-commit: 23e9fcfef1f3d10675acce023592796851bcaf1a
References: bsc#1076830
Can be reproduced with LTP tests:
# icmp-uni-vti.sh -p ah -a sha256 -m tunnel -S fffffffe -k 1 -s 10
IPv4:
RIP: 0010:xfrm_input+0x7f9/0x870
...
Call Trace:
<IRQ>
vti_input+0xaa/0x110 [ip_vti]
? skb_free_head+0x21/0x40
vti_rcv+0x33/0x40 [ip_vti]
xfrm4_ah_rcv+0x33/0x60
ip_local_deliver_finish+0x94/0x1e0
ip_local_deliver+0x6f/0xe0
? ip_route_input_noref+0x28/0x50
...
# icmp-uni-vti.sh -6 -p ah -a sha256 -m tunnel -S fffffffe -k 1 -s 10
IPv6:
RIP: 0010:xfrm_input+0x7f9/0x870
...
Call Trace:
<IRQ>
xfrm6_rcv_tnl+0x3c/0x40
vti6_rcv+0xd5/0xe0 [ip6_vti]
xfrm6_ah_rcv+0x33/0x60
ip6_input_finish+0xee/0x460
ip6_input+0x3f/0xb0
ip6_rcv_finish+0x45/0xa0
ipv6_rcv+0x34b/0x540
xfrm_input() invokes xfrm_rcv_cb() -> vti_rcv_cb(), the last callback
might call skb_scrub_packet(), which in turn can reset secpath.
Fix it by adding a check that skb->sp is not NULL.
Fixes: 7e9e9202bccc ("xfrm: Clear RX SKB secpath xfrm_offload")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Michal Kubecek <mkubecek@suse.cz>
---
net/xfrm/xfrm_input.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 43e002347618..b1acfcb9edf7 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -450,7 +450,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
nf_reset(skb);
if (decaps) {
- skb->sp->olen = 0;
+ if (skb->sp)
+ skb->sp->olen = 0;
skb_dst_drop(skb);
gro_cells_receive(&gro_cells, skb);
return 0;
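Review bot: The new guard at `+ if (skb->sp)` silently skips the secpath reset without recording why skb->sp can be NULL at this point, so a later reader may take it for a redundant check and remove it. The commit message gives the reason: the vti_rcv_cb() callback reached through xfrm_rcv_cb() may call skb_scrub_packet(), which clears the secpath. A one-line comment above the guard, `/* vti_rcv_cb() may have scrubbed the skb and dropped its secpath */`, would keep that knowledge next to the code; the identical guard in the second hunk at @@ -461,7 +462,8 @@ needs the same comment. xfrm_input() begins and ends outside both hunks, so whether any other access to skb->sp after the callback remains unguarded cannot be judged from here.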
@@ -461,7 +462,8 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
if (xfrm_gro) {
- skb->sp->olen = 0;
+ if (skb->sp)
+ skb->sp->olen = 0;
skb_dst_drop(skb);
gro_cells_receive(&gro_cells, skb);
return err;
--
2.16.0