> Hi Eric, > > The crash happens when the kernel tries to access shadow for nonmapped memory. > > The issue here is an integer overflow which happens in neigh_resolve_output(). > skb_network_offset(skb) can return negative number, but __skb_pull() > accepts unsigned int as len. > As a result, the least significat bit in higher 32 bits of skb->data > gets set and we get an out-of-bounds with offset of 4 GB. > > I've attached a short reproducer, but you either need KASAN or to add > a BUG_ON to see the crash. > In this reproducer skb_network_offset() becomes negative after merging > two ipv6 fragments. > > I actually see multiple places where skb_network_offset() is used as > an argument to skb_pull(). > So I guess every place can potentially be buggy.
Well, I think the intent is to accept a negative number. This definitely was assumed by commit e1f165032c8bade authors ! I guess they were using a 32bit kernel for their tests.
