This is a note to let you know that I've just added the patch titled Fix write to cloned skb in ipv6_hop_ioam() to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: fix-write-to-cloned-skb-in-ipv6_hop_ioam.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit f3965c5130b701a3ddc909f39a7aa82659fdc325 Author: Justin Iurman <justin.iurman@xxxxxxxxx> Date: Mon Feb 19 14:52:54 2024 +0100 Fix write to cloned skb in ipv6_hop_ioam() [ Upstream commit f198d933c2e4f8f89e0620fbaf1ea7eac384a0eb ] ioam6_fill_trace_data() writes inside the skb payload without ensuring it's writeable (e.g., not cloned). This function is called both from the input and output path. The output path (ioam6_iptunnel) already does the check. This commit provides a fix for the input path, inside ipv6_hop_ioam(). It also updates ip6_parse_tlv() to refresh the network header pointer ("nh") when returning from ipv6_hop_ioam(). Fixes: 9ee11f0fff20 ("ipv6: ioam: Data plane support for Pre-allocated Trace") Reported-by: Paolo Abeni <pabeni@xxxxxxxxxx> Signed-off-by: Justin Iurman <justin.iurman@xxxxxxxxx> Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 4952ae7924505..02e9ffb63af19 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c @@ -177,6 +177,8 @@ static bool ip6_parse_tlv(bool hopbyhop, case IPV6_TLV_IOAM: if (!ipv6_hop_ioam(skb, off)) return false; + + nh = skb_network_header(skb); break; case IPV6_TLV_JUMBO: if (!ipv6_hop_jumbo(skb, off)) 
@@ -943,6 +945,14 @@ static bool ipv6_hop_ioam(struct sk_buff *skb, int optoff) if (!skb_valid_dst(skb)) ip6_route_input(skb); + /* About to mangle packet header */ + if (skb_ensure_writable(skb, optoff + 2 + hdr->opt_len)) + goto drop; + + /* Trace pointer may have changed */ + trace = (struct ioam6_trace_hdr *)(skb_network_header(skb) + + optoff + sizeof(*hdr)); + ioam6_fill_trace_data(skb, ns, trace, true); break; default:
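
Review bot: The new `nh = skb_network_header(skb);` in the IPV6_TLV_IOAM case of ip6_parse_tlv() has no comment saying why it is needed, unlike the two commented additions in ipv6_hop_ioam(). A one-line comment there, noting that ipv6_hop_ioam() may have made the skb writable and so changed the header location, would stop a later cleanup from removing the refresh as redundant. It is also worth confirming that ip6_parse_tlv() holds no other local derived from the old `nh` that is still used after this case returns, since only `nh` itself is refreshed here.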
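
Review bot: In the ipv6_hop_ioam() hunk, only `trace` is re-derived after `skb_ensure_writable()`, while `hdr`, which is dereferenced in the length argument `optoff + 2 + hdr->opt_len`, is not. The later `sizeof(*hdr)` is not a dereference, so the visible lines are safe, but if `hdr` points into the packet data as `trace` does, it is stale from this point on and any future use of it after the call would read the old buffer. Re-deriving `hdr` alongside `trace`, or extending the "Trace pointer may have changed" comment to say `hdr` must not be used past this point, would make that explicit. A smaller style point on the same line: the bare `2` would read better with a comment or named constant stating which bytes it covers.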