From: Dave Jones
Date: Thu, 22 Dec 2016 11:16:22 -0500
> By setting certain socket options on ipv6 raw sockets, we can confuse the
> length calculation in rawv6_push_pending_frames triggering a BUG_ON.
...
> Signed-off-by: Dave Jones
Applied and queued up for -stable, thanks Dave.
By setting certain socket options on ipv6 raw sockets, we can confuse the
length calculation in rawv6_push_pending_frames triggering a BUG_ON.
RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:881f6c4a7c18 EFLAGS: 00010282
RAX: fff2 RBX: 881f6c681680 RCX: 0002
RD
From: Dave Jones
Date: Wed, 21 Dec 2016 20:40:19 -0500
> On Wed, Dec 21, 2016 at 10:33:20PM +0100, Hannes Frederic Sowa wrote:
>
> > > Given all of this, I think the best thing to do is validate the offset
> > > after the queue walks, which is pretty much what Dave Jones's original
> > > patc
On Wed, Dec 21, 2016 at 10:33:20PM +0100, Hannes Frederic Sowa wrote:
> > Given all of this, I think the best thing to do is validate the offset
> > after the queue walks, which is pretty much what Dave Jones's original
> > patch was doing.
>
> I think both approaches protect against the bug
On Wed, 2016-12-21 at 14:04 -0500, David Miller wrote:
> From: Hannes Frederic Sowa
> Date: Wed, 21 Dec 2016 13:41:13 +0100
>
> > On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote:
> >> @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock *sk,
> >> struct flowi6 *fl6
From: Hannes Frederic Sowa
Date: Wed, 21 Dec 2016 13:41:13 +0100
> On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote:
>> @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock *sk,
>> struct flowi6 *fl6,
>> goto out;
>>
>> offset = rp->offset;
On Wed, 2016-12-21 at 13:27 +0100, Hannes Frederic Sowa wrote:
> @@ -555,8 +566,8 @@ static int rawv6_push_pending_frames(struct sock *sk,
> struct flowi6 *fl6,
> goto out;
>
> offset = rp->offset;
> - total_len = inet_sk(sk)->cork.base.length;
> - if (offset
On Tue, 2016-12-20 at 22:09 -0800, Cong Wang wrote:
> On Tue, Dec 20, 2016 at 2:12 PM, Dave Jones wrote:
> > fd = socket(AF_INET6, SOCK_RAW, 7);
> >
> > setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
> > setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);
> >
>
> Inte
On Tue, Dec 20, 2016 at 2:12 PM, Dave Jones wrote:
> fd = socket(AF_INET6, SOCK_RAW, 7);
>
> setsockopt(fd, SOL_IPV6, IPV6_CHECKSUM, &zero, 4);
> setsockopt(fd, SOL_IPV6, IPV6_DSTOPTS, &buf, LEN);
>
Interesting, you set the checksum offset to be 0, but the packet size
is a
On Tue, Dec 20, 2016 at 11:31:38AM -0800, Cong Wang wrote:
> On Tue, Dec 20, 2016 at 10:17 AM, Dave Jones wrote:
> > On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote:
> > > From: Dave Jones
> > > Date: Mon, 19 Dec 2016 19:40:13 -0500
> > >
> > > > On Mon, Dec 19, 2016 at 07:
On Tue, Dec 20, 2016 at 01:28:13PM -0500, David Miller wrote:
> This has to do with the SKB buffer layout and geometry, not whether
> the packet is "fragmented" in the protocol sense.
>
> So no, this isn't a criteria for packets being filtered out by this
> point.
>
> Can you try to capt
On Tue, Dec 20, 2016 at 10:17 AM, Dave Jones wrote:
> On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote:
> > From: Dave Jones
> > Date: Mon, 19 Dec 2016 19:40:13 -0500
> >
> > > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote:
> > >
> > > > Unfortunately, this made no
From: Dave Jones
Date: Tue, 20 Dec 2016 13:17:28 -0500
> On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote:
> > From: Dave Jones
> > Date: Mon, 19 Dec 2016 19:40:13 -0500
> >
> > > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote:
> > >
> > > > Unfortunately, this m
On Mon, Dec 19, 2016 at 08:36:23PM -0500, David Miller wrote:
> From: Dave Jones
> Date: Mon, 19 Dec 2016 19:40:13 -0500
>
> > On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote:
> >
> > > Unfortunately, this made no difference. I spent some time today trying
> > > to make a be
From: Dave Jones
Date: Mon, 19 Dec 2016 19:40:13 -0500
> On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote:
>
> > Unfortunately, this made no difference. I spent some time today trying
> > to make a better reproducer, but failed. I'll revisit again tomorrow.
> >
> > Maybe I need >
On Mon, Dec 19, 2016 at 07:31:44PM -0500, Dave Jones wrote:
> Unfortunately, this made no difference. I spent some time today trying
> to make a better reproducer, but failed. I'll revisit again tomorrow.
>
> Maybe I need >1 process/thread to trigger this. That would explain why
> I can tr
On Mon, Dec 19, 2016 at 02:48:48PM -0500, David Miller wrote:
> One thing that's interesting is that if the user picks "IPPROTO_RAW"
> as the value of 'protocol' we set inet->hdrincl to 1.
>
> The user can also set inet->hdrincl to 1 or 0 via setsockopt().
>
> I think this is part of the p
From: Dave Jones
Date: Mon, 19 Dec 2016 12:03:20 -0500
> On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote:
>
> > > It seems to be possible to craft a packet for sendmsg that triggers
> > > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:
> > >
> > > RIP:
On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote:
> > It seems to be possible to craft a packet for sendmsg that triggers
> > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:
> >
> > RIP: 0010:[] []
> > rawv6_sendmsg+0xc30/0xc40
> > RSP: 0018:881f6c4
On Sat, Dec 17, 2016 at 10:41:20AM -0500, David Miller wrote:
> From: Dave Jones
> Date: Wed, 14 Dec 2016 10:47:29 -0500
>
> > It seems to be possible to craft a packet for sendmsg that triggers
> > the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:
> >
> > RIP: 0010
From: Dave Jones
Date: Wed, 14 Dec 2016 10:47:29 -0500
> It seems to be possible to craft a packet for sendmsg that triggers
> the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:
>
> RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40
> RSP: 0018:881f6c4a7c18 EFLAGS: 00010282
> R
It seems to be possible to craft a packet for sendmsg that triggers
the -EFAULT path in skb_copy_bits resulting in a BUG_ON that looks like:
RIP: 0010:[] [] rawv6_sendmsg+0xc30/0xc40
RSP: 0018:881f6c4a7c18 EFLAGS: 00010282
RAX: fff2 RBX: 881f6c681680 RCX: 0002
RDX:
22 matches
Mail list logo
