Re: [PATCH rdma-next] IB/ipoib: Clear IPCB before icmp_send

On Thu, Oct 11, 2018 at 10:33:57PM +0300, Leon Romanovsky wrote:
> From: Denis Drozdov <denisd@xxxxxxxxxxxx>
> 
> IPCB should be cleared before icmp_send, since it may contain data
> from previous layers and the data could be misinterpreted as ip
> header options, which later caused the ihl to be set to an invalid
> value and resulted in the following stack corruption:
> 
> [ 1083.031512] ib0: packet len 57824 (> 2048) too long to send, dropping
> [ 1083.031843] ib0: packet len 37904 (> 2048) too long to send, dropping
> [ 1083.032004] ib0: packet len 4040 (> 2048) too long to send, dropping
> [ 1083.032253] ib0: packet len 63800 (> 2048) too long to send, dropping
> [ 1083.032481] ib0: packet len 23960 (> 2048) too long to send, dropping
> [ 1083.033149] ib0: packet len 63800 (> 2048) too long to send, dropping
> [ 1083.033439] ib0: packet len 63800 (> 2048) too long to send, dropping
> [ 1083.033700] ib0: packet len 63800 (> 2048) too long to send, dropping
> [ 1083.034124] ib0: packet len 63800 (> 2048) too long to send, dropping
> [ 1083.034387] ==================================================================
> [ 1083.034602] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xf08/0x1310
> [ 1083.034798] Write of size 4 at addr ffff880353457c5f by task kworker/u16:0/7
> [ 1083.034990]
> [ 1083.035104] CPU: 7 PID: 7 Comm: kworker/u16:0 Tainted: G           O      4.19.0-rc5+ #1
> [ 1083.035316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
> [ 1083.035573] Workqueue: ipoib_wq ipoib_cm_skb_reap [ib_ipoib]
> [ 1083.035750] Call Trace:
> [ 1083.035888]  dump_stack+0x9a/0xeb
> [ 1083.036031]  print_address_description+0xe3/0x2e0
> [ 1083.036213]  kasan_report+0x18a/0x2e0
> [ 1083.036356]  ? __ip_options_echo+0xf08/0x1310
> [ 1083.036522]  __ip_options_echo+0xf08/0x1310
> [ 1083.036688]  icmp_send+0x7b9/0x1cd0
> [ 1083.036843]  ? icmp_route_lookup.constprop.9+0x1070/0x1070
> [ 1083.037018]  ? netif_schedule_queue+0x5/0x200
> [ 1083.037180]  ? debug_show_all_locks+0x310/0x310
> [ 1083.037341]  ? rcu_dynticks_curr_cpu_in_eqs+0x85/0x120
> [ 1083.037519]  ? debug_locks_off+0x11/0x80
> [ 1083.037673]  ? debug_check_no_obj_freed+0x207/0x4c6
> [ 1083.037841]  ? check_flags.part.27+0x450/0x450
> [ 1083.037995]  ? debug_check_no_obj_freed+0xc3/0x4c6
> [ 1083.038169]  ? debug_locks_off+0x11/0x80
> [ 1083.038318]  ? skb_dequeue+0x10e/0x1a0
> [ 1083.038476]  ? ipoib_cm_skb_reap+0x2b5/0x650 [ib_ipoib]
> [ 1083.038642]  ? netif_schedule_queue+0xa8/0x200
> [ 1083.038820]  ? ipoib_cm_skb_reap+0x544/0x650 [ib_ipoib]
> [ 1083.038996]  ipoib_cm_skb_reap+0x544/0x650 [ib_ipoib]
> [ 1083.039174]  process_one_work+0x912/0x1830
> [ 1083.039336]  ? wq_pool_ids_show+0x310/0x310
> [ 1083.039491]  ? lock_acquire+0x145/0x3a0
> [ 1083.042312]  worker_thread+0x87/0xbb0
> [ 1083.045099]  ? process_one_work+0x1830/0x1830
> [ 1083.047865]  kthread+0x322/0x3e0
> [ 1083.050624]  ? kthread_create_worker_on_cpu+0xc0/0xc0
> [ 1083.053354]  ret_from_fork+0x3a/0x50
> 
> For instance __ip_options_echo is failing to proceed with invalid
> srr and optlen passed from another layer via IPCB:
> [  762.139568] IPv4: __ip_options_echo rr=0 ts=0 srr=43 cipso=0
> [  762.139720] IPv4: ip_options_build: IPCB 00000000f3cd969e opt 000000002ccb3533
> [  762.139838] IPv4: __ip_options_echo in srr: optlen 197 soffset 84
> [  762.139852] IPv4: ip_options_build srr=0 is_frag=0 rr_needaddr=0 ts_needaddr=0 ts_needtime=0 rr=0 ts=0
> [  762.140269] ==================================================================
> [  762.140713] IPv4: __ip_options_echo rr=0 ts=0 srr=0 cipso=0
> [  762.141078] BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x12ec/0x1680
> [  762.141087] Write of size 4 at addr ffff880353457c7f by task kworker/u16:0/7
> 
> Signed-off-by: Denis Drozdov <denisd@xxxxxxxxxxxx>
> Reviewed-by: Erez Shitrit <erezsh@xxxxxxxxxxxx>
> Reviewed-by: Feras Daoud <ferasda@xxxxxxxxxxxx>
> Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> ---
>  drivers/infiniband/ulp/ipoib/ipoib_cm.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)

Applied to for-next

Thanks,
Jason
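Added illustration of the failure mode the commit message describes; this is not code from the patch, the kernel, or anyone in this thread. It models a per-packet scratch area shared by every layer (in the spirit of skb->cb[], which is where IPCB lives), an upper layer that leaves its own state there, and an IP-layer routine that reads the same bytes as option offsets. Both struct layouts, all function names, and the sample values are assumptions made for the model; the values are constructed so the stale bytes read as optlen 197 and srr 43, the numbers in the quoted log. The bounds checks in ip_echo_srr stand in for what KASAN caught: the real kernel function trusts its control block and wrote past its stack buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the bug, not kernel code. Only two facts are borrowed from
 * the kernel: skb->cb[] is 48 bytes and IPv4 options occupy at most 40. */
#define CB_SIZE    48
#define IPHDR_LEN  20      /* options start at this offset in the IP header */
#define MAX_OPT    40
#define IPOPT_LSRR 0x83    /* loose source route option type */

struct pkt {
    unsigned char cb[CB_SIZE];   /* per-packet scratch area shared by all layers */
};

/* Hypothetical layout an upper layer (a driver's send path) keeps in cb. */
struct upper_cb {
    uint8_t  kind;
    uint8_t  retries;
    uint16_t tx_len;
    uint32_t queue_id;
};

/* Hypothetical layout the IP layer expects in the same bytes; the field
 * names follow the kernel's struct ip_options, the layout does not. */
struct ip_cb {
    uint8_t optlen;            /* total option bytes in data[] */
    uint8_t srr;               /* header offset of the source-route option, 0 = none */
    uint8_t rr;
    uint8_t ts;
    unsigned char data[MAX_OPT];
};

/* Upper layer leaves its own state in cb. Constructed values: read through
 * struct ip_cb they come out as optlen=197, srr=43, the numbers in the log. */
void upper_layer_prepare(struct pkt *p)
{
    struct upper_cb u = { .kind = 197, .retries = 43, .tx_len = 2048, .queue_id = 7 };
    memset(p->cb, 0xa5, CB_SIZE);         /* leftovers from earlier users of cb */
    memcpy(p->cb, &u, sizeof u);
}

/* IP layer installs a loose source route option carrying n_hops addresses. */
int ip_set_lsrr(struct pkt *p, const uint32_t *hops, size_t n_hops)
{
    struct ip_cb o;
    size_t len = 3 + 4 * n_hops;
    if (len > MAX_OPT)
        return -1;
    memset(&o, 0, sizeof o);
    o.data[0] = IPOPT_LSRR;
    o.data[1] = (uint8_t)len;
    o.data[2] = 4;                        /* pointer: first address not yet consumed */
    memcpy(&o.data[3], hops, 4 * n_hops);
    o.optlen = (uint8_t)len;
    o.srr = IPHDR_LEN;                    /* option sits at the start of the options area */
    memcpy(p->cb, &o, sizeof o);
    return 0;
}

/* Stand-in for echoing the source route into a reply header. Returns the
 * bytes copied, 0 when there is no SRR, -1 when the offsets do not fit the
 * options area. The -1 path is where a function that trusts its control
 * block would already be writing out of bounds. */
int ip_echo_srr(const struct pkt *p, unsigned char *out, size_t out_len)
{
    struct ip_cb o;
    size_t idx, len;
    memcpy(&o, p->cb, sizeof o);
    if (o.srr == 0)
        return 0;
    if (o.optlen > MAX_OPT || o.srr < IPHDR_LEN || o.srr + 2 > IPHDR_LEN + o.optlen)
        return -1;
    idx = o.srr - IPHDR_LEN;
    len = o.data[idx + 1];
    if (len < 3 || idx + len > o.optlen || len > out_len)
        return -1;
    memcpy(out, &o.data[idx], len);
    return (int)len;
}

/* Model of the call the patch changes: zeroing cb is the only difference. */
int icmp_send_model(struct pkt *p, int clear_cb, unsigned char *out, size_t out_len)
{
    if (clear_cb)
        memset(p->cb, 0, sizeof p->cb);   /* the fix: hand the IP layer a clean IPCB */
    return ip_echo_srr(p, out, out_len);
}

/* Three scenarios: stale cb, cleared cb, and a genuine source route. */
int run_stale(void)
{
    struct pkt p; unsigned char out[MAX_OPT];
    upper_layer_prepare(&p);
    return icmp_send_model(&p, 0, out, sizeof out);       /* -1: stale offsets rejected */
}
int run_cleared(void)
{
    struct pkt p; unsigned char out[MAX_OPT];
    upper_layer_prepare(&p);
    return icmp_send_model(&p, 1, out, sizeof out);       /* 0: no options, nothing echoed */
}
int run_legit(void)
{
    struct pkt p; unsigned char out[MAX_OPT];
    const uint32_t hops[2] = { 0x0a000001u, 0x0a000002u }; /* constructed sample addresses */
    if (ip_set_lsrr(&p, hops, 2) != 0)
        return -1;
    int n = ip_echo_srr(&p, out, sizeof out);
    return (n == 11 && out[0] == IPOPT_LSRR) ? n : -2;    /* 11: 3 + 2 addresses */
}

int main(void)
{
    printf("stale cb: %d, cleared cb: %d, real LSRR: %d\n",
           run_stale(), run_cleared(), run_legit());
    return 0;
}
```

The point the model makes is the one the patch relies on: the scratch area has no type of its own, so whichever layer receives the packet interprets it with its own layout, and the only safe hand-off is to clear it before calling into a layer that reads it. The checks in ip_echo_srr exist so the stale values are visible as a return code rather than as a stack write; they are not a substitute for clearing the block.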