Re: [PATCH 5.10 69/91] ipv6: ensure sane device mtu in tunnels

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, Nov 4, 2022 at 10:11 AM Pavel Machek <pavel@xxxxxxx> wrote:
>
> Hi!
>
> > [ Upstream commit d89d7ff01235f218dad37de84457717f699dee79 ]
> >
> > Another syzbot report [1] with no reproducer hints
> > at a bug in ip6_gre tunnel (dev:ip6gretap0)
> >
> > Since ipv6 mcast code makes sure to read dev->mtu once
> > and applies a sanity check on it (see commit b9b312a7a451
> > "ipv6: mcast: better catch silly mtu values"), a remaining
> > possibility is that a layer is able to set dev->mtu to
> > an underflowed value (high order bit set).
> >
> > This could happen indeed in ip6gre_tnl_link_config_route(),
> > ip6_tnl_link_config() and ipip6_tunnel_bind_dev()
> >
> > Make sure to sanitize mtu value in a local variable before
> > it is written once on dev->mtu, as lockless readers could
> > catch wrong temporary value.
>
> Ok, but now types seem to be confused:
>
> > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
> > index 3a2741569b84..0d4cab94c5dd 100644
> > --- a/net/ipv6/ip6_tunnel.c
> > +++ b/net/ipv6/ip6_tunnel.c
> > @@ -1476,8 +1476,8 @@ static void ip6_tnl_link_config(struct ip6_tnl *t)
> >       struct net_device *tdev = NULL;
> >       struct __ip6_tnl_parm *p = &t->parms;
> >       struct flowi6 *fl6 = &t->fl.u.ip6;
> > -     unsigned int mtu;
> >       int t_hlen;
> > +     int mtu;
> >
> >       memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr));
> >       memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr));
> > @@ -1524,12 +1524,13 @@ static void ip6_tnl_link_config(struct ip6_tnl *t)
> >                       dev->hard_header_len = tdev->hard_header_len + t_hlen;
> >                       mtu = min_t(unsigned int, tdev->mtu, IP6_MAX_MTU);
>
> mtu is now signed, but we still do min_t on unsigned types.
>
> > -                     dev->mtu = mtu - t_hlen;
> > +                     mtu = mtu - t_hlen;
> >                       if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
> > -                             dev->mtu -= 8;
> > +                             mtu -= 8;
> >
>
> I don't see overflow potential right away, but it may be worth fixing.
>

This was intended ( part of the fix) so that the following check is
going to catch 'negative' mtu

[1]
if (mtu < IPV6_MIN_MTU)
    mtu = IPV6_MIN_MTU;

Otherwise, if a fuzzer succeeds to get mtu = 0xFFFFFFC0,
sanity test [1] leaves the problematic mtu in dev->mtu.

Thanks.
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux