On Fri, Nov 4, 2022 at 10:31 AM Pavel Machek <pavel@xxxxxxx> wrote: > > Hi! > > > > > [ Upstream commit d89d7ff01235f218dad37de84457717f699dee79 ] > > > > > > > > Another syzbot report [1] with no reproducer hints > > > > at a bug in ip6_gre tunnel (dev:ip6gretap0) > > > > > > > > Since ipv6 mcast code makes sure to read dev->mtu once > > > > and applies a sanity check on it (see commit b9b312a7a451 > > > > "ipv6: mcast: better catch silly mtu values"), a remaining > > > > possibility is that a layer is able to set dev->mtu to > > > > an underflowed value (high order bit set). > > > > > > > > This could happen indeed in ip6gre_tnl_link_config_route(), > > > > ip6_tnl_link_config() and ipip6_tunnel_bind_dev() > > > > > > > > Make sure to sanitize mtu value in a local variable before > > > > it is written once on dev->mtu, as lockless readers could > > > > catch wrong temporary value. > > > > > > Ok, but now types seem to be confused: > > > > > > > diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c > > > > index 3a2741569b84..0d4cab94c5dd 100644 > > > > --- a/net/ipv6/ip6_tunnel.c > > > > +++ b/net/ipv6/ip6_tunnel.c > > > > @@ -1476,8 +1476,8 @@ static void ip6_tnl_link_config(struct ip6_tnl *t) > > > > struct net_device *tdev = NULL; > > > > struct __ip6_tnl_parm *p = &t->parms; > > > > struct flowi6 *fl6 = &t->fl.u.ip6; > > > > - unsigned int mtu; > > > > int t_hlen; > > > > + int mtu; > > > > > > > > memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr)); > > > > memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr)); 
> > > > @@ -1524,12 +1524,13 @@ static void ip6_tnl_link_config(struct ip6_tnl *t) > > > > dev->hard_header_len = tdev->hard_header_len + t_hlen; > > > > mtu = min_t(unsigned int, tdev->mtu, IP6_MAX_MTU); > > > > > > mtu is now signed, but we still do min_t on unsigned types. > > > > > > > - dev->mtu = mtu - t_hlen; > > > > + mtu = mtu - t_hlen; > > > > if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT)) > > > > - dev->mtu -= 8; > > > > + mtu -= 8; > > > > > > > > > > I don't see overflow potential right away, but it may be worth fixing. > > > > > > > This was intended ( part of the fix) so that the following check is > > going to catch 'negative' mtu > > > > [1] > > if (mtu < IPV6_MIN_MTU) > > mtu = IPV6_MIN_MTU; > > > > Otherwise, if a fuzzer succeeds to get mtu = 0xFFFFFFC0, > > sanity test [1] leaves the problematic mtu in dev->mtu. > > This is the line I'm complaining about (1525 in 5.10): > > mtu = min_t(unsigned int, tdev->mtu, IP6_MAX_MTU); > > I don't think it does any harm, but it looks wrong/confusing. > So you are confused by : some_integer_var = some_unsigned_int_expression; I do not see any issue with that. Thanks.
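Review bot: The first hunk (@@ -1476) changes `mtu` from `unsigned int` to `int` without the commit message saying why, and the reply thread shows that this is exactly what confused the reviewer. Since the signed type is deliberate so that the later `if (mtu < IPV6_MIN_MTU)` clamp catches a value that went negative after `mtu - t_hlen` and `mtu -= 8`, the commit message (or a one-line comment at the declaration) should state that `mtu` is intentionally signed for that reason.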
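Review bot: In the second hunk (@@ -1524) the line `mtu = min_t(unsigned int, tdev->mtu, IP6_MAX_MTU);` now assigns an unsigned result into the signed `mtu`. This is harmless, because the result is bounded by IP6_MAX_MTU, which fits comfortably in an `int`, so the subsequent subtractions are what can drive the value negative and the `IPV6_MIN_MTU` check is then reached with a signed value as intended. To avoid the mixed-signedness reading that was raised in the thread, consider `min_t(int, tdev->mtu, IP6_MAX_MTU)` or a short comment next to the assignment explaining that the unsigned clamp is done first and the signed type exists for the underflow check that follows.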