diff mbox series

ipv6: check return value of ipv6_skip_exthdr

Message ID 20211117181610.2731938-1-jordy@pwning.systems (mailing list archive)
State Changes Requested
Delegated to: Kees Cook
Headers show
Series ipv6: check return value of ipv6_skip_exthdr | expand

Commit Message

Jordy Zomer Nov. 17, 2021, 6:16 p.m. UTC
The offset value is used in pointer math on skb->data.
Since ipv6_skip_exthdr may return -1 the pointer to uh and th
may not point to the actual udp and tcp headers and potentially
overwrite other stuff. This is why I think this should be checked.

Signed-off-by: Jordy Zomer <jordy@pwning.systems>
---
 net/ipv6/esp6.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Kees Cook Nov. 17, 2021, 6:44 p.m. UTC | #1
On Wed, Nov 17, 2021 at 07:16:10PM +0100, Jordy Zomer wrote:
> The offset value is used in pointer math on skb->data.
> Since ipv6_skip_exthdr may return -1 the pointer to uh and th
> may not point to the actual udp and tcp headers and potentially
> overwrite other stuff. This is why I think this should be checked.
> 
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> ---
>  net/ipv6/esp6.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
> index ed2f061b8768..dc4251655df9 100644
> --- a/net/ipv6/esp6.c
> +++ b/net/ipv6/esp6.c
> @@ -808,6 +808,11 @@ int esp6_input_done2(struct sk_buff *skb, int err)
>  		struct tcphdr *th;
>  
>  		offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
> +
> +		if (offset < 0)
> +			err = -EINVAL;
> +			goto out;
> +

Ew. Yeah, it seems like ipv6_skip_exthdr() needs to be checked in a lot
of places. If this is part of protocol decoding, I'm surprised fuzzers
haven't found this? Is this state reachable?

I assume so, as there have been similar fixes in the past:
https://git.kernel.org/linus/92c6058024e87087cf1b99b0389d67c0a886360e

>  		uh = (void *)(skb->data + offset);
>  		th = (void *)(skb->data + offset);
>  		hdr_len += offset;
> -- 
> 2.27.0
>
Kees Cook Nov. 17, 2021, 6:46 p.m. UTC | #2
On Wed, Nov 17, 2021 at 07:16:10PM +0100, Jordy Zomer wrote:
> The offset value is used in pointer math on skb->data.
> Since ipv6_skip_exthdr may return -1 the pointer to uh and th
> may not point to the actual udp and tcp headers and potentially
> overwrite other stuff. This is why I think this should be checked.
> 
> Signed-off-by: Jordy Zomer <jordy@pwning.systems>
> ---
>  net/ipv6/esp6.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
> index ed2f061b8768..dc4251655df9 100644
> --- a/net/ipv6/esp6.c
> +++ b/net/ipv6/esp6.c
> @@ -808,6 +808,11 @@ int esp6_input_done2(struct sk_buff *skb, int err)
>  		struct tcphdr *th;
>  
>  		offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
> +
> +		if (offset < 0)
> +			err = -EINVAL;
> +			goto out;
> +

Oh, and, this needs { }s. The CI noticed too:
https://patchwork.kernel.org/project/netdevbpf/patch/20211117181610.2731938-1-jordy@pwning.systems/

>  		uh = (void *)(skb->data + offset);
>  		th = (void *)(skb->data + offset);
>  		hdr_len += offset;
> -- 
> 2.27.0
>
diff mbox series

Patch

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index ed2f061b8768..dc4251655df9 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -808,6 +808,11 @@  int esp6_input_done2(struct sk_buff *skb, int err)
 		struct tcphdr *th;
 
 		offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
+
+		if (offset < 0)
+			err = -EINVAL;
+			goto out;
+
 		uh = (void *)(skb->data + offset);
 		th = (void *)(skb->data + offset);
 		hdr_len += offset;