diff options
| author | Eric Dumazet <[email protected]> | 2019-01-04 11:00:00 -0800 |
|---|---|---|
| committer | David S. Miller <[email protected]> | 2019-01-04 13:40:03 -0800 |
| commit | 8d933670452107e41165bea70a30dffbd281bef1 (patch) | |
| tree | 425c7c700f094383c2cf4dc84c19ed814b2d7494 /lib/lockref.c | |
| parent | 3271a4821882a64214acc1bd7b173900ec70c9bf (diff) | |
ipv6: make icmp6_send() robust against null skb->dev
syzbot was able to crash one host with the following stack trace :
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 8625 Comm: syz-executor4 Not tainted 4.20.0+ #8
RIP: 0010:dev_net include/linux/netdevice.h:2169 [inline]
RIP: 0010:icmp6_send+0x116/0x2d30 net/ipv6/icmp.c:426
icmpv6_send
smack_socket_sock_rcv_skb
security_sock_rcv_skb
sk_filter_trim_cap
__sk_receive_skb
dccp_v6_do_rcv
release_sock
This is because a RX packet found socket owned by user and
was stored into socket backlog. Before leaving RCU protected section,
skb->dev was cleared in __sk_receive_skb(). When socket backlog
was finally handled at release_sock() time, skb was fed to
smack_socket_sock_rcv_skb() then icmp6_send()
We could fix the bug in smack_socket_sock_rcv_skb(), or simply
make icmp6_send() more robust against such possibility.
In the future we might provide to icmp6_send() the net pointer
instead of infering it.
Fixes: d66a8acbda92 ("Smack: Inform peer that IPv6 traffic has been blocked")
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Piotr Sawicki <[email protected]>
Cc: Casey Schaufler <[email protected]>
Reported-by: syzbot <[email protected]>
Acked-by: Casey Schaufler <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Diffstat (limited to 'lib/lockref.c')
0 files changed, 0 insertions, 0 deletions