| Message ID | 20211117181610.2731938-1-jordy@pwning.systems (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | Kees Cook |
| Headers | show |
| Series | ipv6: check return value of ipv6_skip_exthdr | expand |
On Wed, Nov 17, 2021 at 07:16:10PM +0100, Jordy Zomer wrote: > The offset value is used in pointer math on skb->data. > Since ipv6_skip_exthdr may return -1 the pointer to uh and th > may not point to the actual udp and tcp headers and potentially > overwrite other stuff. This is why I think this should be checked. > > Signed-off-by: Jordy Zomer <jordy@pwning.systems> > --- > net/ipv6/esp6.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c > index ed2f061b8768..dc4251655df9 100644 > --- a/net/ipv6/esp6.c > +++ b/net/ipv6/esp6.c > @@ -808,6 +808,11 @@ int esp6_input_done2(struct sk_buff *skb, int err) > struct tcphdr *th; > > offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); > + > + if (offset < 0) > + err = -EINVAL; > + goto out; > + Ew. Yeah, it seems like ipv6_skip_exthdr() needs to be checked in a lot of places. If this is part of protocol decoding, I'm surprised fuzzers haven't found this? Is this state reachable? I assume so, as there have been similar fixes in the past: https://git.kernel.org/linus/92c6058024e87087cf1b99b0389d67c0a886360e > uh = (void *)(skb->data + offset); > th = (void *)(skb->data + offset); > hdr_len += offset; > -- > 2.27.0 >
On Wed, Nov 17, 2021 at 07:16:10PM +0100, Jordy Zomer wrote: > The offset value is used in pointer math on skb->data. > Since ipv6_skip_exthdr may return -1 the pointer to uh and th > may not point to the actual udp and tcp headers and potentially > overwrite other stuff. This is why I think this should be checked. > > Signed-off-by: Jordy Zomer <jordy@pwning.systems> > --- > net/ipv6/esp6.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c > index ed2f061b8768..dc4251655df9 100644 > --- a/net/ipv6/esp6.c > +++ b/net/ipv6/esp6.c > @@ -808,6 +808,11 @@ int esp6_input_done2(struct sk_buff *skb, int err) > struct tcphdr *th; > > offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); > + > + if (offset < 0) > + err = -EINVAL; > + goto out; > + Oh, and, this needs { }s. The CI noticed too: https://patchwork.kernel.org/project/netdevbpf/patch/20211117181610.2731938-1-jordy@pwning.systems/ > uh = (void *)(skb->data + offset); > th = (void *)(skb->data + offset); > hdr_len += offset; > -- > 2.27.0 >
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index ed2f061b8768..dc4251655df9 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c @@ -808,6 +808,11 @@ int esp6_input_done2(struct sk_buff *skb, int err) struct tcphdr *th; offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); + + if (offset < 0) + err = -EINVAL; + goto out; + uh = (void *)(skb->data + offset); th = (void *)(skb->data + offset); hdr_len += offset;
The offset value is used in pointer math on skb->data. Since ipv6_skip_exthdr may return -1 the pointer to uh and th may not point to the actual udp and tcp headers and potentially overwrite other stuff. This is why I think this should be checked. Signed-off-by: Jordy Zomer <jordy@pwning.systems> --- net/ipv6/esp6.c | 5 +++++ 1 file changed, 5 insertions(+)