releases/4.9.94/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Wed Apr 11 10:26:56 CEST 2018
 From: Eric Dumazet <edumazet@google.com>
 Date: Mon, 26 Mar 2018 08:08:07 -0700
 Subject: net: fix possible out-of-bound read in skb_network_protocol()

 From: Eric Dumazet <edumazet@google.com>


 [ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]

 skb mac header is not necessarily set at the time skb_network_protocol()
 is called. Use skb->data instead.

 BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
 Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242

 CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
  skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
  harmonize_features net/core/dev.c:2924 [inline]
  netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
  validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
  validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
  packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
  packet_snd net/packet/af_packet.c:2944 [inline]
  packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
  sock_sendmsg_nosec net/socket.c:629 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:639
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
  __sys_sendmsg+0xe5/0x210 net/socket.c:2081

 Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
 Signed-off-by: Eric Dumazet <edumazet@google.com>
 Cc: Pravin B Shelar <pshelar@ovn.org>
 Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
 Signed-off-by: David S. Miller <davem@davemloft.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/core/dev.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/net/core/dev.c
 +++ b/net/core/dev.c
 @@ -2667,7 +2667,7 @@ __be16 skb_network_protocol(struct sk_bu
  		if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
  			return 0;

 -		eth = (struct ethhdr *)skb_mac_header(skb);
 +		eth = (struct ethhdr *)skb->data;
  		type = eth->h_proto;
  	}
	From foo@baz Wed Apr 11 10:26:56 CEST 2018
	From: Eric Dumazet <edumazet@google.com>
	Date: Mon, 26 Mar 2018 08:08:07 -0700
	Subject: net: fix possible out-of-bound read in skb_network_protocol()

	From: Eric Dumazet <edumazet@google.com>


	[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]

	skb mac header is not necessarily set at the time skb_network_protocol()
	is called. Use skb->data instead.

	BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
	Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242

	CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	Call Trace:
	__dump_stack lib/dump_stack.c:17 [inline]
	dump_stack+0x194/0x24d lib/dump_stack.c:53
	print_address_description+0x73/0x250 mm/kasan/report.c:256
	kasan_report_error mm/kasan/report.c:354 [inline]
	kasan_report+0x23c/0x360 mm/kasan/report.c:412
	__asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
	skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
	harmonize_features net/core/dev.c:2924 [inline]
	netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
	validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
	validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
	packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
	packet_snd net/packet/af_packet.c:2944 [inline]
	packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
	sock_sendmsg_nosec net/socket.c:629 [inline]
	sock_sendmsg+0xca/0x110 net/socket.c:639
	___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
	__sys_sendmsg+0xe5/0x210 net/socket.c:2081

	Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
	Signed-off-by: Eric Dumazet <edumazet@google.com>
	Cc: Pravin B Shelar <pshelar@ovn.org>
	Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/core/dev.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/net/core/dev.c
	+++ b/net/core/dev.c
	@@ -2667,7 +2667,7 @@ __be16 skb_network_protocol(struct sk_bu
	if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
	return 0;

	- eth = (struct ethhdr *)skb_mac_header(skb);
	+ eth = (struct ethhdr *)skb->data;
	type = eth->h_proto;
	}