On Wed, Oct 7, 2020 at 9:22 PM Cong Wang <xiyou.wangc...@gmail.com> wrote:
>
> GRE tunnel has its own header_ops, ipgre_header_ops, and sets it
> conditionally. When it is set, it assumes the outer IP header is
> already created before ipgre_xmit().
>
> This is not true when we send packets through a raw packet socket,
> where L2 headers are supposed to be constructed by the user. Packet
> socket calls dev_validate_header() to validate the header. But
> GRE tunnel does not set dev->hard_header_len, so that check can
> be simply bypassed, therefore uninit memory could be passed down
> to ipgre_xmit().
>
> Fix this by setting dev->hard_header_len whenever header_ops is set,
> as dev->hard_header_len is supposed to be the length of the header
> created by dev->header_ops->create() anyway.
>
> Reported-and-tested-by: syzbot+4a2c52677a8a1aa28...@syzkaller.appspotmail.com
> Cc: William Tu <u9012...@gmail.com>
> Cc: Willem de Bruijn <willemdebruijn.ker...@gmail.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
Acked-by: Willem de Bruijn <will...@google.com>

> The syzbot report has the information for both of your questions:
> https://syzkaller.appspot.com/text?tag=CrashReport&x=11845568500000
>
> It clearly shows packet_snd() and ipgre_xmit().

Thanks. I hadn't thought to check that (clearly).
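To make the mechanism in the commit message concrete: the following is an added, user-space model of the check dev_validate_header() performs on a link-layer header supplied through a packet socket. It is not kernel code and not part of the patch; the struct fields, the function names and the 24-byte header length (outer IPv4 plus minimal GRE) are constructed for illustration, and the CAP_SYS_RAWIO branch of the real check is left out. It shows why a device whose hard_header_len is 0 accepts a header of any length, and why setting hard_header_len to the length header_ops->create() produces makes short, partly uninitialised headers fail the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the net_device fields that the kernel's
 * dev_validate_header() consults. Not the kernel's own definitions. */
struct header_ops_model {
    /* optional per-device validator; NULL when the device offers none */
    bool (*validate)(const char *ll_header, unsigned int len);
};

struct net_device_model {
    unsigned short hard_header_len;  /* length header_ops->create() emits */
    unsigned short min_header_len;   /* shortest acceptable L2 header */
    const struct header_ops_model *header_ops;
};

/* Simplified dev_validate_header(): a user-supplied link-layer header of
 * `len` bytes is accepted if it is at least hard_header_len bytes long;
 * otherwise it must be at least min_header_len and pass the device's own
 * validator, if there is one. Note the first test: with hard_header_len
 * left at 0, every length passes, which is the gap the patch closes. */
bool validate_header_model(const struct net_device_model *dev,
                           const char *ll_header, unsigned int len)
{
    if (len >= dev->hard_header_len)
        return true;
    if (len < dev->min_header_len)
        return false;
    if (dev->header_ops && dev->header_ops->validate)
        return dev->header_ops->validate(ll_header, len);
    return false;
}

/* Illustrative length: 20-byte outer IPv4 header plus 4-byte minimal GRE
 * header. This is an assumption for the example, not the value the patch
 * computes for a given tunnel configuration. */
#define GRE_OUTER_HDR_LEN 24u

/* Device as described in the report: header_ops set, hard_header_len 0. */
bool accepts_header_unfixed(unsigned int len)
{
    struct net_device_model dev = {
        .hard_header_len = 0, .min_header_len = 0, .header_ops = NULL };
    char hdr[64] = {0};  /* constructed buffer standing in for user data */
    return validate_header_model(&dev, hdr, len);
}

/* Device after the fix: hard_header_len matches the created header. */
bool accepts_header_fixed(unsigned int len)
{
    struct net_device_model dev = {
        .hard_header_len = GRE_OUTER_HDR_LEN, .min_header_len = 0,
        .header_ops = NULL };
    char hdr[64] = {0};
    return validate_header_model(&dev, hdr, len);
}

int main(void)
{
    unsigned int lens[] = { 0, 8, 24 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2u  unfixed=%d  fixed=%d\n", lens[i],
               accepts_header_unfixed(lens[i]), accepts_header_fixed(lens[i]));
    return 0;
}
```

The model makes the defensive point of the patch visible: hard_header_len is not only a headroom hint, it is the lower bound the packet socket path enforces on a caller-built header, so a device that installs header_ops without setting it has effectively disabled that bound.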