| From 5e34af4142ffe68f01c8a9acae83300f8911e20c Mon Sep 17 00:00:00 2001 |
| From: Tadeusz Struk <tadeusz.struk@linaro.org> |
| Date: Thu, 10 Mar 2022 15:25:38 -0800 |
| Subject: net: ipv6: fix skb_over_panic in __ip6_append_data |
| |
| From: Tadeusz Struk <tadeusz.struk@linaro.org> |
| |
| commit 5e34af4142ffe68f01c8a9acae83300f8911e20c upstream. |
| |
| Syzbot found a kernel bug in the ipv6 stack: |
| LINK: https://syzkaller.appspot.com/bug?id=205d6f11d72329ab8d62a610c44c5e7e25415580 |
| The reproducer triggers it by sending a crafted message via sendmmsg() |
| call, which triggers skb_over_panic, and crashes the kernel: |
| |
| skbuff: skb_over_panic: text:ffffffff84647fb4 len:65575 put:65575 |
| head:ffff888109ff0000 data:ffff888109ff0088 tail:0x100af end:0xfec0 |
| dev:<NULL> |
| |
| Update the check that prevents an invalid packet with MTU equal |
| to the fragment header size to eat up all the space for payload. |
| |
| The reproducer can be found here: |
| LINK: https://syzkaller.appspot.com/text?tag=ReproC&x=1648c83fb00000 |
| |
| Reported-by: syzbot+e223cf47ec8ae183f2a0@syzkaller.appspotmail.com |
| Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org> |
| Acked-by: Willem de Bruijn <willemb@google.com> |
| Link: https://lore.kernel.org/r/20220310232538.1044947-1-tadeusz.struk@linaro.org |
| Signed-off-by: Jakub Kicinski <kuba@kernel.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv6/ip6_output.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/net/ipv6/ip6_output.c |
| +++ b/net/ipv6/ip6_output.c |
| @@ -1500,8 +1500,8 @@ static int __ip6_append_data(struct sock |
| sizeof(struct frag_hdr) : 0) + |
| rt->rt6i_nfheader_len; |
| |
| - if (mtu < fragheaderlen || |
| - ((mtu - fragheaderlen) & ~7) + fragheaderlen < sizeof(struct frag_hdr)) |
| + if (mtu <= fragheaderlen || |
| + ((mtu - fragheaderlen) & ~7) + fragheaderlen <= sizeof(struct frag_hdr)) |
| goto emsgsize; |
| |
| maxfraglen = ((mtu - fragheaderlen) & ~7) + fragheaderlen - |
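Review bot: the `<` to `<=` change on the first condition is the one that actually closes the reported case (mtu equal to fragheaderlen), but nothing in the hunk says why: with mtu == fragheaderlen the term `(mtu - fragheaderlen) & ~7` is 0, so the `maxfraglen` computed on the following line leaves no room for payload, and the old `<` check let that through. Please add a one-line comment above the `if` stating that invariant (mtu must exceed fragheaderlen and maxfraglen must leave room beyond the fragment header), and note in the commit message that the first comparison also guards the unsigned subtraction `mtu - fragheaderlen` used by the second condition; as written, a reader has to reconstruct both facts from the syzkaller trace. It would also help to record that the change was checked against the linked reproducer (the message links it but does not say the fix was verified with it).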