From: Guillaume Nault <g.na...@alphalink.fr>
Date: Mon, 22 Jan 2018 18:06:37 +0100

> In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom
> was probably fine before the introduction of ->needed_headroom in
> commit f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom").
>
> But now, virtual devices typically advertise the size of their overhead
> in dev->needed_headroom, so we must also take it into account in
> skb_reserve().
> Allocation size of skb is also updated to take dev->needed_tailroom
> into account and replace the arbitrary 32 bytes with the real size of
> a PPPoE header.
>
> This issue was discovered by syzbot, who connected a pppoe socket to a
> gre device which had dev->header_ops->create == ipgre_header and
> dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any
> headroom, and dev_hard_header() crashed when ipgre_header() tried to
> prepend its header to skb->data.
...
> Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like
> interfaces, but reserving space for ->needed_headroom is a more
> fundamental issue that needs to be addressed first.
>
> Same problem exists for __pppoe_xmit(), which also needs to take
> dev->needed_headroom into account in skb_cow_head().
>
> Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom")
> Reported-by:
> syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c...@syzkaller.appspotmail.com
> Signed-off-by: Guillaume Nault <g.na...@alphalink.fr>

Applied, thanks Guillaume.
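The headroom miscalculation described in the quoted commit message, modelled as an added example (not kernel code and not part of this thread): a toy sk_buff on which the pre-fix reservation of hard_header_len alone runs out of room on a gre-like device with hard_header_len == 0, while reserving hard_header_len + needed_headroom succeeds. The struct layouts, the 24-byte gre header and the payload size are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Minimal stand-in for the net_device fields pppoe_sendmsg() consults (constructed model). */
struct net_device {
    unsigned short hard_header_len;  /* link-layer header length, 14 on Ethernet */
    unsigned short needed_headroom;  /* extra front room a virtual device asks for */
    unsigned short needed_tailroom;  /* extra room after the payload */
};
/* Toy sk_buff: one flat buffer; data and tail move inside [head, end). */
struct skb { unsigned char *head, *data, *tail, *end; };
#define PPPOE_HDR_LEN 8  /* real PPPoE header size, replacing the old arbitrary 32 bytes */
static struct skb *skb_alloc(size_t size)
{
    struct skb *s = malloc(sizeof *s);
    s->head = s->data = s->tail = malloc(size);
    s->end = s->head + size;
    return s;
}
static void skb_reserve(struct skb *s, size_t len) { s->data += len; s->tail += len; }
static bool skb_put(struct skb *s, size_t len)
{
    if ((size_t)(s->end - s->tail) < len) return false;
    s->tail += len;
    return true;
}
/* Where the kernel would hit skb_under_panic(), report failure instead. */
static bool skb_push(struct skb *s, size_t len)
{
    if ((size_t)(s->data - s->head) < len) return false;
    s->data -= len;
    return true;
}
/* Headroom reserved before the fix (hard_header_len only) and after it. */
static size_t old_headroom(const struct net_device *d) { return d->hard_header_len; }
static size_t new_headroom(const struct net_device *d) { return d->hard_header_len + d->needed_headroom; }
/* Send path: reserve headroom, append PPPoE header + payload, then let the lower
 * device prepend dev_hdr_len bytes as dev_hard_header() would. false == crash. */
static bool send_with(const struct net_device *d, size_t headroom, size_t payload, size_t dev_hdr_len)
{
    struct skb *s = skb_alloc(headroom + PPPOE_HDR_LEN + payload + d->needed_tailroom);
    skb_reserve(s, headroom);
    bool ok = skb_put(s, PPPOE_HDR_LEN + payload) && skb_push(s, dev_hdr_len);
    free(s->head);
    free(s);
    return ok;
}
/* Devices from the report (sizes constructed): Ethernet, and a gre tunnel with
 * hard_header_len == 0 whose ipgre_header() still prepends 24 bytes (IPv4 + GRE). */
static const struct net_device eth = { 14, 0, 0 }, gre = { 0, 24, 0 };
```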
> In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom > was probably fine before the introduction of ->needed_headroom in > commit f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom"). > > But now, virtual devices typically advertise the size of their overhead > in dev->needed_headroom, so we must also take it into account in > skb_reserve(). > Allocation size of skb is also updated to take dev->needed_tailroom > into account and replace the arbitrary 32 bytes with the real size of > a PPPoE header. > > This issue was discovered by syzbot, who connected a pppoe socket to a > gre device which had dev->header_ops->create == ipgre_header and > dev->hard_header_len == 0. Therefore, PPPoE didn't reserve any > headroom, and dev_hard_header() crashed when ipgre_header() tried to > prepend its header to skb->data. ... > Admittedly PPPoE shouldn't be allowed to run on non Ethernet-like > interfaces, but reserving space for ->needed_headroom is a more > fundamental issue that needs to be addressed first. > > Same problem exists for __pppoe_xmit(), which also needs to take > dev->needed_headroom into account in skb_cow_head(). > > Fixes: f5184d267c1a ("net: Allow netdevices to specify needed head/tailroom") > Reported-by: > syzbot+ed0838d0fa4c4f2b528e20286e6dc63effc7c...@syzkaller.appspotmail.com > Signed-off-by: Guillaume Nault <g.na...@alphalink.fr> Applied, thanks Guillaume.