Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-11-11 06:31:49 +00:00
Code Issues Packages Projects Releases Wiki Activity
af6514f2f3
linux/net/ipv6
History
David Lebrun 84a53580c5 ipv6: sr: fix out-of-bounds read when setting HMAC data. 
The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
Segment Routing Headers. This configuration is realised via netlink through
four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
length of the SECRET attribute, it is possible to provide invalid combinations
(e.g., secret = "", secretlen = 64). This case is not checked in the code and
with an appropriately crafted netlink message, an out-of-bounds read of up
to 64 bytes (max secret length) can occur past the skb end pointer and into
skb_shared_info:

Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
208		memcpy(hinfo->secret, secret, slen);
(gdb) bt
 #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
 #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
    family=<optimized out>) at net/netlink/genetlink.c:731
 #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
    family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
 #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
 #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
    at net/netlink/af_netlink.c:2501
 #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
 #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
    at net/netlink/af_netlink.c:1319
 #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
    at net/netlink/af_netlink.c:1345
 #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
...
(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
$1 = 0xffff88800b1b76c0
(gdb) p/x secret
$2 = 0xffff88800b1b76c0
(gdb) p slen
$3 = 64 '@'

The OOB data can then be read back from userspace by dumping HMAC state. This
commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
SECRET.

Reported-by: Lucas Leong <wmliang.tw@gmail.com>
Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
Fixes: 4f4853dc1c ("ipv6: sr: implement API to control SR HMAC structure")
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-09-05 10:33:34 +01:00
..
ila net: ipv6: check return value of rhashtable_init 2021-09-28 12:59:24 +01:00
netfilter netfilter: nf_defrag_ipv6: allow nf_conntrack_frag6_high_thresh increases 2022-08-24 08:06:44 +02:00
addrconf_core.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
addrconf.c bonding: add all node mcast address when slave up 2022-09-05 10:07:05 +01:00
addrlabel.c ipv6: addrlabel: fix possible memory leak in ip6addrlbl_net_init 2020-11-25 11:20:16 -08:00
af_inet6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-21 13:03:39 -07:00
ah6.c ipv6: ah6: use swap() to make code cleaner 2021-11-18 12:00:15 +00:00
anycast.c
calipso.c cipso,calipso: resolve a number of problems with the DOI refcounts 2021-03-04 15:26:57 -08:00
datagram.c net: annotate races around sk->sk_bound_dev_if 2022-05-16 10:31:05 +01:00
esp6_offload.c net: Fix esp GSO on inter address family tunnels. 2022-03-07 13:14:04 +01:00
esp6.c esp6: Fix spelling mistake 2022-07-04 10:20:11 +02:00
exthdrs_core.c
exthdrs_offload.c
exthdrs.c net: ipv6: add skb drop reasons to TLV parse 2022-04-13 13:09:57 +01:00
fib6_notifier.c
fib6_rules.c ipv6: change fib6_rules_net_exit() to batch mode 2022-02-08 20:41:34 -08:00
fou6.c
icmp.c icmp: Fix data-races around sysctl_icmp_echo_enable_probe. 2022-07-13 12:56:49 +01:00
inet6_connection_sock.c lsm,selinux: pass flowi_common instead of flowi to the LSM hooks 2020-11-23 18:36:21 -05:00
inet6_hashtables.c ipv6: add READ_ONCE(sk->sk_bound_dev_if) in INET6_MATCH() 2022-05-16 10:31:06 +01:00
ioam6_iptunnel.c ipv6: ioam: Insertion frequency in lwtunnel output 2022-02-04 20:24:45 -08:00
ioam6.c net: ipv6: Get rcv timestamp if needed when handling hop-by-hop IOAM option 2022-03-03 14:38:48 +00:00
ip6_checksum.c
ip6_fib.c ipv6: annotate accesses to fn->fn_sernum 2022-01-20 20:18:37 -08:00
ip6_flowlabel.c ipv6: per-netns exclusive flowlabel checks 2022-02-16 20:37:47 -08:00
ip6_gre.c ip6_gre: use actual protocol to select xmit 2022-07-13 12:10:22 +01:00
ip6_icmp.c net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending 2021-02-23 11:29:52 -08:00
ip6_input.c tcp/udp: Make early_demux back namespacified. 2022-07-15 18:50:35 -07:00
ip6_offload.c ipv6/gro: insert temporary HBH/jumbo header 2022-05-16 10:18:56 +01:00
ip6_offload.h
ip6_output.c ipv6: do not use RT_TOS for IPv6 flowlabel 2022-08-09 22:19:21 -07:00
ip6_tunnel.c ip6_tunnel: Fix the type of functions 2022-08-13 10:27:36 +01:00
ip6_udp_tunnel.c
ip6_vti.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
ip6mr.c ip6mr: remove stray rcu_read_unlock() from ip6_mr_forward() 2022-07-26 19:59:18 -07:00
ipcomp6.c xfrm: remove hdr_offset indirection 2021-06-11 14:48:50 +02:00
ipv6_sockglue.c net: Fix data-races around sysctl_optmem_max. 2022-08-24 13:46:57 +01:00
Kconfig crypto: lib - make the sha1 library optional 2022-07-15 16:43:59 +08:00
Makefile net: ipv6: use ipv6-y directly instead of ipv6-objs 2021-09-28 13:13:40 +01:00
mcast_snoop.c net: bridge: mcast: fix broken length + header check for MRDv6 Adv. 2021-04-27 14:02:06 -07:00
mcast.c net: mld: fix reference count leak in mld_{query | report}_work() 2022-07-25 12:33:59 +01:00
mip6.c xfrm: ipv6: move mip6_rthdr_offset into xfrm core 2021-06-11 14:48:50 +02:00
ndisc.c net: fix potential refcount leak in ndisc_router_discovery() 2022-08-15 11:40:28 +01:00
netfilter.c netfilter: Use l3mdev flow key when re-routing mangled packets 2022-05-16 13:03:29 +02:00
output_core.c ipv6: use prandom_u32() for ID generation 2021-05-31 22:12:08 -07:00
ping.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-28 18:21:16 -07:00
proc.c net: udp: introduce UDP_MIB_MEMERRORS for udp_mem 2020-11-09 15:34:44 -08:00
protocol.c
raw.c raw: remove unused variables from raw6_icmp_error() 2022-06-22 18:48:08 -07:00
reassembly.c net: ipv6: Handle delivery_time in ipv6 defrag 2022-03-03 14:38:48 +00:00
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-14 15:27:35 -07:00
rpl_iptunnel.c net: ipv6: rpl_iptunnel: simplify the return expression of rpl_do_srh() 2020-12-08 16:22:54 -08:00
rpl.c net: ipv6: rpl*: Fix strange kerneldoc warnings due to bad header 2020-10-30 12:12:52 -07:00
seg6_hmac.c net: ipv6: unexport __init-annotated seg6_hmac_net_init() 2022-06-28 21:23:30 -07:00
seg6_iptunnel.c seg6: add support for SRv6 H.L2Encaps.Red behavior 2022-07-29 12:14:03 +01:00
seg6_local.c net: seg6: initialize induction variable to first valid array index 2022-08-05 19:34:54 -07:00
seg6.c ipv6: sr: fix out-of-bounds read when setting HMAC data. 2022-09-05 10:33:34 +01:00
sit.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-06-30 16:31:00 -07:00
syncookies.c tcp: Fix data-races around sysctl_tcp_syncookies. 2022-07-18 12:21:54 +01:00
sysctl_net_ipv6.c net: sysctl: introduce sysctl SYSCTL_THREE 2022-05-03 10:15:06 +02:00
tcp_ipv6.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-07-28 18:21:16 -07:00
tcpv6_offload.c net: move gro definitions to include/net/gro.h 2021-11-16 13:16:54 +00:00
tunnel6.c
udp_impl.h net: remove noblock parameter from recvmsg() entities 2022-04-12 15:00:25 +02:00
udp_offload.c gro: remove rcu_read_lock/rcu_read_unlock from gro_receive handlers 2021-11-24 17:21:42 -08:00
udp.c rxrpc: Fix ICMP/ICMP6 error handling 2022-09-01 11:42:12 +01:00
udplite.c net: add per_cpu_fw_alloc field to struct proto 2022-06-10 16:21:26 -07:00
xfrm6_input.c
xfrm6_output.c xfrm: fix tunnel model fragmentation behavior 2022-03-01 12:08:40 +01:00
xfrm6_policy.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c xfrm: remove description from xfrm_type struct 2021-06-09 09:38:52 +02:00