From: Craig Gallek <kraigatg...@gmail.com> Date: Tue, 16 May 2017 14:36:23 -0400
> From: Craig Gallek <kr...@google.com> > > The KASAN warning repoted below was discovered with a syzkaller > program. The reproducer is basically: > int s = socket(AF_INET6, SOCK_RAW, NEXTHDR_HOP); > send(s, &one_byte_of_data, 1, MSG_MORE); > send(s, &more_than_mtu_bytes_data, 2000, 0); > > The socket() call sets the nexthdr field of the v6 header to > NEXTHDR_HOP, the first send call primes the payload with a non zero > byte of data, and the second send call triggers the fragmentation path. > > The fragmentation code tries to parse the header options in order > to figure out where to insert the fragment option. Since nexthdr points > to an invalid option, the calculation of the size of the network header > can made to be much larger than the linear section of the skb and data > is read outside of it. > > This fix makes ip6_find_1stfrag return an error if it detects > running out-of-bounds. ... > Reported-by: Andrey Konovalov <andreyk...@google.com> > Signed-off-by: Craig Gallek <kr...@google.com> Since this is a reasonably serious bug I'm going to apply this to 'net' and queue it up for -stable. Thanks.
