Message ID | 20230708014327.87547-1-kuniyu@amazon.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 2aaa8a15de73874847d62eb595c6683bface80fd |
Delegated to: | Netdev Maintainers |
Series | [v3,net] icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev(). |
On Sat, Jul 8, 2023 at 3:43 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
> has the link-local address as src and dst IP and will be forwarded to
> an external IP in the IPv6 Ext Hdr.
>
> For example, the script below generates a packet whose src IP is the
> link-local address and dst is updated to 11::.
>
>   # for f in $(find /proc/sys/net/ -name *seg6_enabled*); do echo 1 > $f; done
>   # python3
>   >>> from socket import *
>   >>> from scapy.all import *
>   >>>
>   >>> SRC_ADDR = DST_ADDR = "fe80::5054:ff:fe12:3456"
>   >>>
>   >>> pkt = IPv6(src=SRC_ADDR, dst=DST_ADDR)
>   >>> pkt /= IPv6ExtHdrSegmentRouting(type=4, addresses=["11::", "22::"], segleft=1)
>   >>>
>   >>> sk = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW)
>   >>> sk.sendto(bytes(pkt), (DST_ADDR, 0))
>
> For such a packet, we call ip6_route_input() to look up a route for the
> next destination in these three functions depending on the header type.
>
>   * ipv6_rthdr_rcv()
>   * ipv6_rpl_srh_rcv()
>   * ipv6_srh_rcv()
>
> If no route is found, ip6_null_entry is set to skb, and the following
> dst_input(skb) calls ip6_pkt_drop().
>
> Finally, in icmp6_dev(), we dereference skb_rt6_info(skb)->rt6i_idev->dev
> as the input device is the loopback interface. Then, we have to check if
> skb_rt6_info(skb)->rt6i_idev is NULL or not to avoid NULL pointer deref
> for ip6_null_entry.
>
> Fixes: 4832c30d5458 ("net: ipv6: put host and anycast routes on device with address")
> Reported-by: Wang Yufen <wangyufen@huawei.com>
> Closes: https://lore.kernel.org/netdev/c41403a9-c2f6-3b7e-0c96-e1901e605cd0@huawei.com/
> Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> > Reviewed-by: David Ahern <dsahern@kernel.org> > --- > v3: > * Fix Closes: link > > v2: https://lore.kernel.org/netdev/20230708002145.64069-1-kuniyu@amazon.com/ > * Add Reviewed-by > * s/fib6_null_entry/ip6_null_entry/g > > v1: https://lore.kernel.org/netdev/20230706233024.63730-1-kuniyu@amazon.com/ > --- > net/ipv6/icmp.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c > index 9edf1f45b1ed..65fa5014bc85 100644 > --- a/net/ipv6/icmp.c > +++ b/net/ipv6/icmp.c > @@ -424,7 +424,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) > if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { > const struct rt6_info *rt6 = skb_rt6_info(skb); > > - if (rt6) > + /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), > + * and ip6_null_entry could be set to skb if no route is found. > + */ > + if (rt6 && rt6->rt6i_idev) > dev = rt6->rt6i_idev->dev; > } Reviewed-by: Eric Dumazet <edumazet@google.com>
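Review bot: the `if (rt6 && rt6->rt6i_idev)` guard in icmp6_dev() lands without a regression test; the diffstat shows only net/ipv6/icmp.c changing (4 insertions, 1 deletion). The commit message already describes the triggering condition (link-local src and dst, a routing header whose next segment has no route, so ip6_null_entry is attached and ip6_pkt_drop() runs), so a follow-up selftest covering that path for the three receive functions named there would keep the guard from being dropped in a later cleanup.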
Hello:

This patch was applied to netdev/net.git (main)
by David S. Miller <davem@davemloft.net>:

On Fri, 7 Jul 2023 18:43:27 -0700 you wrote:
> With some IPv6 Ext Hdr (RPL, SRv6, etc.), we can send a packet that
> has the link-local address as src and dst IP and will be forwarded to
> an external IP in the IPv6 Ext Hdr.
>
> For example, the script below generates a packet whose src IP is the
> link-local address and dst is updated to 11::.
>
> [...]

Here is the summary with links:
  - [v3,net] icmp6: Fix null-ptr-deref of ip6_null_entry->rt6i_idev in icmp6_dev().
    https://git.kernel.org/netdev/net/c/2aaa8a15de73

You are awesome, thank you!
diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c index 9edf1f45b1ed..65fa5014bc85 100644 --- a/net/ipv6/icmp.c +++ b/net/ipv6/icmp.c @@ -424,7 +424,10 @@ static struct net_device *icmp6_dev(const struct sk_buff *skb) if (unlikely(dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev))) { const struct rt6_info *rt6 = skb_rt6_info(skb); - if (rt6) + /* The destination could be an external IP in Ext Hdr (SRv6, RPL, etc.), + * and ip6_null_entry could be set to skb if no route is found. + */ + if (rt6 && rt6->rt6i_idev) dev = rt6->rt6i_idev->dev; }
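Review bot: the comment added above `if (rt6 && rt6->rt6i_idev)` explains how ip6_null_entry can end up on the skb but not that its rt6i_idev is the NULL pointer being guarded, nor what device is used when the guard fails. Since this branch is only entered when `dev->ifindex == LOOPBACK_IFINDEX || netif_is_l3_master(skb->dev)`, skipping the assignment leaves dev as the loopback or L3 master device; suggest saying so in the comment (for example "ip6_null_entry has no rt6i_idev; keep dev as is") so readers know the fallback is intentional.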