kernel / kernel-source

Clone
Source Code
GIT

Blame patches.suse/ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   85c41564e973e9646278bbcfb81ef881d1f109bb
  2.   patches.suse
  3.   ipv6-fix-kernel-infoleak-in-ipv6_local_error.patch
Blob History Raw
Jiri Slaby bb6022 
From: Eric Dumazet <edumazet@google.com>
Jiri Slaby bb6022 
Date: Tue, 8 Jan 2019 04:06:14 -0800
Jiri Slaby bb6022 
Subject: ipv6: fix kernel-infoleak in ipv6_local_error()
Jiri Slaby bb6022 
Git-commit: 7d033c9f6a7fd3821af75620a0257db87c2b552a
Jiri Slaby bb6022 
Patch-mainline: v5.0-rc3
Jiri Slaby bb6022 
References: networking-stable-19_01_20
Jiri Slaby bb6022
Jiri Slaby bb6022 
This patch makes sure the flow label in the IPv6 header
Jiri Slaby bb6022 
forged in ipv6_local_error() is initialized.
Jiri Slaby bb6022
Jiri Slaby bb6022 
BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
Jiri Slaby bb6022 
CPU: 1 PID: 24675 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #4
Jiri Slaby bb6022 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Jiri Slaby bb6022 
Call Trace:
Jiri Slaby bb6022 
 __dump_stack lib/dump_stack.c:77 [inline]
Jiri Slaby bb6022 
 dump_stack+0x173/0x1d0 lib/dump_stack.c:113
Jiri Slaby bb6022 
 kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
Jiri Slaby bb6022 
 kmsan_internal_check_memory+0x455/0xb00 mm/kmsan/kmsan.c:675
Jiri Slaby bb6022 
 kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
Jiri Slaby bb6022 
 _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
Jiri Slaby bb6022 
 copy_to_user include/linux/uaccess.h:177 [inline]
Jiri Slaby bb6022 
 move_addr_to_user+0x2e9/0x4f0 net/socket.c:227
Jiri Slaby bb6022 
 ___sys_recvmsg+0x5d7/0x1140 net/socket.c:2284
Jiri Slaby bb6022 
 __sys_recvmsg net/socket.c:2327 [inline]
Jiri Slaby bb6022 
 __do_sys_recvmsg net/socket.c:2337 [inline]
Jiri Slaby bb6022 
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
Jiri Slaby bb6022 
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
Jiri Slaby bb6022 
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
Jiri Slaby bb6022 
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
Jiri Slaby bb6022 
RIP: 0033:0x457ec9
Jiri Slaby bb6022 
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
Jiri Slaby bb6022 
RSP: 002b:00007f8750c06c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
Jiri Slaby bb6022 
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
Jiri Slaby bb6022 
RDX: 0000000000002000 RSI: 0000000020000400 RDI: 0000000000000005
Jiri Slaby bb6022 
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
Jiri Slaby bb6022 
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8750c076d4
Jiri Slaby bb6022 
R13: 00000000004c4a60 R14: 00000000004d8140 R15: 00000000ffffffff
Jiri Slaby bb6022
Jiri Slaby bb6022 
Uninit was stored to memory at:
Jiri Slaby bb6022 
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
Jiri Slaby bb6022 
 kmsan_save_stack mm/kmsan/kmsan.c:219 [inline]
Jiri Slaby bb6022 
 kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:439
Jiri Slaby bb6022 
 __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
Jiri Slaby bb6022 
 ipv6_recv_error+0x1e3f/0x1eb0 net/ipv6/datagram.c:475
Jiri Slaby bb6022 
 udpv6_recvmsg+0x398/0x2ab0 net/ipv6/udp.c:335
Jiri Slaby bb6022 
 inet_recvmsg+0x4fb/0x600 net/ipv4/af_inet.c:830
Jiri Slaby bb6022 
 sock_recvmsg_nosec net/socket.c:794 [inline]
Jiri Slaby bb6022 
 sock_recvmsg+0x1d1/0x230 net/socket.c:801
Jiri Slaby bb6022 
 ___sys_recvmsg+0x4d5/0x1140 net/socket.c:2278
Jiri Slaby bb6022 
 __sys_recvmsg net/socket.c:2327 [inline]
Jiri Slaby bb6022 
 __do_sys_recvmsg net/socket.c:2337 [inline]
Jiri Slaby bb6022 
 __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
Jiri Slaby bb6022 
 __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
Jiri Slaby bb6022 
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
Jiri Slaby bb6022 
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
Jiri Slaby bb6022
Jiri Slaby bb6022 
Uninit was created at:
Jiri Slaby bb6022 
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
Jiri Slaby bb6022 
 kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
Jiri Slaby bb6022 
 kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
Jiri Slaby bb6022 
 kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
Jiri Slaby bb6022 
 slab_post_alloc_hook mm/slab.h:446 [inline]
Jiri Slaby bb6022 
 slab_alloc_node mm/slub.c:2759 [inline]
Jiri Slaby bb6022 
 __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
Jiri Slaby bb6022 
 __kmalloc_reserve net/core/skbuff.c:137 [inline]
Jiri Slaby bb6022 
 __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
Jiri Slaby bb6022 
 alloc_skb include/linux/skbuff.h:998 [inline]
Jiri Slaby bb6022 
 ipv6_local_error+0x1a7/0x9e0 net/ipv6/datagram.c:334
Jiri Slaby bb6022 
 __ip6_append_data+0x129f/0x4fd0 net/ipv6/ip6_output.c:1311
Jiri Slaby bb6022 
 ip6_make_skb+0x6cc/0xcf0 net/ipv6/ip6_output.c:1775
Jiri Slaby bb6022 
 udpv6_sendmsg+0x3f8e/0x45d0 net/ipv6/udp.c:1384
Jiri Slaby bb6022 
 inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
Jiri Slaby bb6022 
 sock_sendmsg_nosec net/socket.c:621 [inline]
Jiri Slaby bb6022 
 sock_sendmsg net/socket.c:631 [inline]
Jiri Slaby bb6022 
 __sys_sendto+0x8c4/0xac0 net/socket.c:1788
Jiri Slaby bb6022 
 __do_sys_sendto net/socket.c:1800 [inline]
Jiri Slaby bb6022 
 __se_sys_sendto+0x107/0x130 net/socket.c:1796
Jiri Slaby bb6022 
 __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
Jiri Slaby bb6022 
 do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
Jiri Slaby bb6022 
 entry_SYSCALL_64_after_hwframe+0x63/0xe7
Jiri Slaby bb6022
Jiri Slaby bb6022 
Bytes 4-7 of 28 are uninitialized
Jiri Slaby bb6022 
Memory access of size 28 starts at ffff8881937bfce0
Jiri Slaby bb6022 
Data copied to user address 0000000020000000
Jiri Slaby bb6022
Jiri Slaby bb6022 
Signed-off-by: Eric Dumazet <edumazet@google.com>
Jiri Slaby bb6022 
Reported-by: syzbot <syzkaller@googlegroups.com>
Jiri Slaby bb6022 
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Slaby bb6022 
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Jiri Slaby bb6022 
---
Jiri Slaby bb6022 
 net/ipv6/datagram.c |    1 +
Jiri Slaby bb6022 
 1 file changed, 1 insertion(+)
Jiri Slaby bb6022
Jiri Slaby bb6022 
--- a/net/ipv6/datagram.c
Jiri Slaby bb6022 
+++ b/net/ipv6/datagram.c
Jiri Slaby bb6022 
@@ -349,6 +349,7 @@ void ipv6_local_error(struct sock *sk, i
Jiri Slaby bb6022 
 	skb_reset_network_header(skb);
Jiri Slaby bb6022 
 	iph = ipv6_hdr(skb);
Jiri Slaby bb6022 
 	iph->daddr = fl6->daddr;
Jiri Slaby bb6022 
+	ip6_flow_hdr(iph, 0, 0);
Jiri Slaby bb6022
Jiri Slaby bb6022 
 	serr = SKB_EXT_ERR(skb);
Jiri Slaby bb6022 
 	serr->ee.ee_errno = err;
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.