[PATCH net] ip: in cmsg IP(V6)_ORIGDSTADDR do not read beyond headlen

Sun, 22 Jul 2018 17:44:05 -0700 

From: Willem de Bruijn <will...@google.com>

Syzbot reported a read beyond the end of the skb head when returning
IPV6_ORIGDSTADDR:

  BUG: KMSAN: kernel-infoleak in put_cmsg+0x5ef/0x860 net/core/scm.c:242
  CPU: 0 PID: 4501 Comm: syz-executor128 Not tainted 4.17.0+ #9
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
  Google 01/01/2011
  Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x185/0x1d0 lib/dump_stack.c:113
    kmsan_report+0x188/0x2a0 mm/kmsan/kmsan.c:1125
    kmsan_internal_check_memory+0x138/0x1f0 mm/kmsan/kmsan.c:1219
    kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1261
    copy_to_user include/linux/uaccess.h:184 [inline]
    put_cmsg+0x5ef/0x860 net/core/scm.c:242
    ip6_datagram_recv_specific_ctl+0x1cf3/0x1eb0 net/ipv6/datagram.c:719
    ip6_datagram_recv_ctl+0x41c/0x450 net/ipv6/datagram.c:733
    rawv6_recvmsg+0x10fb/0x1460 net/ipv6/raw.c:521
    [..]

This logic and its ipv4 counterpart read the destination port from
the packet at skb_transport_offset(skb) + 4.

With MSG_MORE and a local SOCK_RAW sender, syzbot was able to cook a
packet that stores headers exactly up to skb_transport_offset(skb) in
the head and the remainder in a frag.

Avoid reading beyond skb->tail by testing skb_headlen(skb) instead of
skb->len when trying to access this field.

Link: 
http://lkml.kernel.org/r/CAF=yd-lejwzj5a1-baaj2oy_hkmgygv6rsj_woraynv-fna...@mail.gmail.com
Reported-by: syzbot+9adb4b567003cac78...@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <will...@google.com>
---
 net/ipv4/ip_sockglue.c | 2 +-
 net/ipv6/datagram.c    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 64c76dcf7386..5f228d641d9b 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -152,7 +152,7 @@ static void ip_cmsg_recv_dstaddr(struct msghdr *msg, struct 
sk_buff *skb)
        const struct iphdr *iph = ip_hdr(skb);
        __be16 *ports = (__be16 *)skb_transport_header(skb);
 
-       if (skb_transport_offset(skb) + 4 > (int)skb->len)
+       if (skb_transport_offset(skb) + 4 > (int)skb_headlen(skb))
                return;
 
        /* All current transport protocols have the port numbers in the
diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
index 2ee08b6a86a4..fd43810aacd2 100644
--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -702,7 +702,7 @@ void ip6_datagram_recv_specific_ctl(struct sock *sk, struct 
msghdr *msg,
                struct sockaddr_in6 sin6;
                __be16 *ports = (__be16 *) skb_transport_header(skb);
 
-               if (skb_transport_offset(skb) + 4 <= (int)skb->len) {
+               if (skb_transport_offset(skb) + 4 <= (int)skb_headlen(skb)) {
                        /* All current transport protocols have the port 
numbers in the
                         * first four bytes of the transport header and this 
function is
                         * written with this assumption in mind.
-- 
2.18.0.233.g985f88cf7e-goog

Reply via email to