• Stefano Brivio's avatar
    ipv6: Check available headroom in ip6_xmit() even without options · 66033f47
    Stefano Brivio authored
    Even if we send an IPv6 packet without options, MAX_HEADER might not be
    enough to account for the additional headroom required by alignment of
    hardware headers.
    
    On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
    sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
    100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
    bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
    
    Those would be enough to append our 14 bytes header, but we're going to
    align that to 16 bytes, and write 2 bytes out of the allocated slab in
    neigh_hh_output().
    
    KASan says:
    
    [  264.967848] ==================================================================
    [  264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
    [  264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
    [  264.967870]
    [  264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
    [  264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
    [  264.967887] Call Trace:
    [  264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
    [  264.967903]  [<00000000017e379c>] dump_stack+0x23c/0x290
    [  264.967912]  [<00000000007bc594>] print_address_description+0xf4/0x290
    [  264.967919]  [<00000000007bc8fc>] kasan_report+0x13c/0x240
    [  264.967927]  [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
    [  264.967935]  [<000000000163f890>] ip6_finish_output+0x430/0x7f0
    [  264.967943]  [<000000000163fe44>] ip6_output+0x1f4/0x580
    [  264.967953]  [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
    [  264.967963]  [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
    [  264.968033]  [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
    [  264.968037]  [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
    [  264.968041]  [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
    [  264.968069]  [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
    [  264.968071]  [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
    [  264.968075]  [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
    [  264.968078]  [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
    [  264.968081]  [<00000000013ddd1e>] ip_output+0x226/0x4c0
    [  264.968083]  [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
    [  264.968100]  [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
    [  264.968116]  [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
    [  264.968131]  [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
    [  264.968146]  [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
    [  264.968161]  [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
    [  264.968177]  [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
    [  264.968192]  [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
    [  264.968208]  [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
    [  264.968212]  [<0000000001197942>] __sys_connect+0x21a/0x450
    [  264.968215]  [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
    [  264.968218]  [<000000000184ea7a>] system_call+0x2a2/0x2c0
    
    [...]
    
    Just like ip_finish_output2() does for IPv4, check that we have enough
    headroom in ip6_xmit(), and reallocate it if we don't.
    
    This issue is older than git history.
    Reported-by: default avatarJianlin Shi <jishi@redhat.com>
    Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    66033f47
ip6_output.c 45.1 KB