On Wed, Apr 24, 2019 at 11:05 AM Eric Dumazet <eduma...@google.com> wrote:
>
> Before calling __ip_options_compile(), we need to ensure the network
> header is an IPv4 one, and that it is already pulled in skb->head.
>
> RAW sockets going through a tunnel can end up calling ipv4_link_failure()
> with total garbage in the skb, or arbitrary lengths.
>
> syzbot report :
>
> BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
> BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
> Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204
>
> CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>  print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
>  kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
>  check_memory_region_inline mm/kasan/generic.c:185 [inline]
>  check_memory_region+0x123/0x190 mm/kasan/generic.c:191
>  memcpy+0x38/0x50 mm/kasan/common.c:133
>  memcpy include/linux/string.h:355 [inline]
>  __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
>  __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
>  ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
>  dst_link_failure include/net/dst.h:427 [inline]
> [...]
>
> Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Stephen Suryaputra <ssuryae...@gmail.com>
Acked-by: Willem de Bruijn <will...@google.com>
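The two preconditions the quoted commit message names (the network header must be IPv4, and the whole header up to ihl*4 bytes must already be present in the linear buffer) are shown below as an added user-space illustration. This is not the kernel patch under discussion and not code from the thread; the `struct pkt` stand-in, the function names and the constructed sample header are assumptions. It models the failure mode from the KASAN report: a copy of the options area whose length is derived from an unvalidated header can write past a fixed-size destination, whereas a copy whose length comes from a validated ihl cannot exceed 40 bytes.

```c
/*
 * Added user-space illustration, not kernel code and not part of the
 * netdev patch quoted above. The toy struct and function names are
 * assumptions; the header bytes below are constructed sample input.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HDR_LEN 20
#define IPV4_MAX_OPT_LEN 40   /* max header 60 bytes minus 20 fixed bytes */

/* Stand-in for the part of a packet buffer that matters here. */
struct pkt {
    const uint8_t *data;   /* start of the network header */
    size_t linear_len;     /* bytes actually present in the linear buffer */
};

/* Returns the options length (0..40) when the header can be trusted, or -1
 * when it cannot: fixed header missing, not IPv4, ihl below the minimum, or
 * header longer than what is present in the linear buffer. */
int ipv4_header_check(const struct pkt *p)
{
    if (p->data == NULL || p->linear_len < IPV4_MIN_HDR_LEN)
        return -1;                          /* fixed header not present */
    uint8_t version = p->data[0] >> 4;
    size_t ihl_bytes = (size_t)(p->data[0] & 0x0f) * 4;
    if (version != 4)
        return -1;                          /* not an IPv4 header */
    if (ihl_bytes < IPV4_MIN_HDR_LEN)
        return -1;                          /* ihl smaller than fixed header */
    if (ihl_bytes > p->linear_len)
        return -1;                          /* options not pulled into the buffer */
    return (int)(ihl_bytes - IPV4_MIN_HDR_LEN);
}

/* Copy the options area into a fixed 40-byte buffer only after the header
 * passed the check; the copy length comes from the validated ihl, so it can
 * never exceed IPV4_MAX_OPT_LEN. Returns bytes copied, or -1 if rejected. */
int ipv4_copy_options(const struct pkt *p, uint8_t out[IPV4_MAX_OPT_LEN])
{
    int optlen = ipv4_header_check(p);
    if (optlen < 0)
        return -1;
    memcpy(out, p->data + IPV4_MIN_HDR_LEN, (size_t)optlen);
    return optlen;
}

/* Constructed sample: version 4, ihl 6 (24-byte header), one 4-byte
 * router-alert option (RFC 2113) after the 20 fixed bytes. */
static const uint8_t good_hdr[24] = {
    0x46, 0x00, 0x00, 0x18,
    0x00, 0x00, 0x00, 0x00,
    0x40, 0x01, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01,
    0x0a, 0x00, 0x00, 0x02,
    0x94, 0x04, 0x00, 0x00,
};

int main(void)
{
    uint8_t opts[IPV4_MAX_OPT_LEN];
    struct pkt ok = { good_hdr, sizeof good_hdr };
    struct pkt truncated = { good_hdr, 20 };   /* ihl says 24, only 20 present */
    printf("complete header:  %d option bytes copied\n", ipv4_copy_options(&ok, opts));
    printf("truncated header: %d (rejected before copying)\n", ipv4_copy_options(&truncated, opts));
    return 0;
}
```

The truncated case is the one the commit message describes: the header claims more bytes than are actually in the linear buffer, so the parser must refuse rather than read (and then echo) whatever lies beyond it.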