From: Eric Dumazet <eric.duma...@gmail.com>
Date: Sat, 21 Oct 2017 12:26:23 -0700

> From: Eric Dumazet <eduma...@google.com>
>
> When the syzkaller team brought us a C repro for the crash [1] that
> had been reported many times in the past, I finally could find
> the root cause.
>
> If FlowLabel info is merged by fl6_merge_options(), we leave
> part of the opt_space storage provided by udp/raw/l2tp with a random value
> in opt_space.tot_len, unless a control message was provided at sendmsg()
> time.
>
> Then ip6_setup_cork() would use this random value to perform a kzalloc()
> call. Undefined behavior and crashes.
>
> Fix is to properly set tot_len in fl6_merge_options().
>
> At the same time, we can also avoid consuming memory and cpu cycles
> to clear it, if every option is copied via a kmemdup(). This is the
> change in ip6_setup_cork().

Nice detective work. Applied and queued up for -stable.
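The bug class described in the quoted patch, as an added illustration that is not part of this thread or of the kernel source: a merge routine fills a caller-provided scratch struct but skips one length field, and a downstream routine then uses that stale field as an allocation size. The struct and function names (`txopts`, `merge_buggy`, `merge_fixed`, `cork_alloc_size`) are hypothetical stand-ins for `ipv6_txoptions`, `fl6_merge_options()` and `ip6_setup_cork()`, and the model's assumption that `tot_len` is the plain sum of the two option lengths is a simplification, not a statement about the kernel's encoding.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cut-down model of the options struct; not kernel code. */
struct txopts {
    const void *hopopt;  /* option taken from the flow label (may be NULL) */
    const void *dst1opt; /* option taken from the sendmsg() caller (may be NULL) */
    size_t opt_nflen;    /* bytes contributed by the flow label */
    size_t opt_flen;     /* bytes contributed by the caller */
    size_t tot_len;      /* total bytes the consumer will allocate */
};

/* Buggy merge: fills every field except tot_len. The caller handed in an
 * uninitialised scratch struct, so tot_len keeps whatever was on the stack. */
static struct txopts *merge_buggy(struct txopts *space, const struct txopts *fl,
                                  const struct txopts *caller)
{
    space->hopopt = fl ? fl->hopopt : NULL;
    space->opt_nflen = fl ? fl->opt_nflen : 0;
    space->dst1opt = caller->dst1opt;
    space->opt_flen = caller->opt_flen;
    /* no assignment to space->tot_len: this is the defect */
    return space;
}

/* Fixed merge: tot_len is written from the pieces that were actually merged.
 * Assumption of this model: tot_len is simply the sum of both parts. */
static struct txopts *merge_fixed(struct txopts *space, const struct txopts *fl,
                                  const struct txopts *caller)
{
    merge_buggy(space, fl, caller);                        /* copy the fields ... */
    space->tot_len = space->opt_nflen + space->opt_flen;   /* ... and set the length */
    return space;
}

/* The consumer: returns the byte count it would hand to an allocator.
 * A stale tot_len here becomes a garbage allocation size, which is the
 * undefined behaviour the patch description refers to. */
static size_t cork_alloc_size(const struct txopts *opt)
{
    return opt->tot_len;
}

/* Simulate a caller whose scratch struct still holds leftover stack content
 * (`garbage`) and report the allocation size each merge variant produces. */
static size_t alloc_size_after_merge(int fixed, size_t garbage)
{
    static const unsigned char flowlabel_hop[8] = {0};   /* constructed sample */
    static const unsigned char caller_dst[4] = {0};      /* constructed sample */
    struct txopts fl = { flowlabel_hop, NULL, sizeof flowlabel_hop, 0, 0 };
    struct txopts caller = { NULL, caller_dst, 0, sizeof caller_dst, 0 };
    struct txopts space;

    memset(&space, 0, sizeof space);
    space.tot_len = garbage;   /* stand-in for uninitialised stack memory */

    if (fixed)
        merge_fixed(&space, &fl, &caller);
    else
        merge_buggy(&space, &fl, &caller);
    return cork_alloc_size(&space);
}

int main(void)
{
    size_t garbage = (size_t)0xdeadbeef;
    printf("buggy merge would allocate %zu bytes\n", alloc_size_after_merge(0, garbage));
    printf("fixed merge would allocate %zu bytes\n", alloc_size_after_merge(1, garbage));
    return 0;
}
```

The useful habit this models: when a function is responsible for populating a caller-supplied struct, every field the consumer reads must be written on every path, and the consumer should not trust a length field it did not compute itself. The second half of the quoted patch, allocating a fixed `sizeof(*opt)` and duplicating each option separately, removes the dependency on the merged length altogether.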