On Thu, Feb 18, 2021 at 9:25 PM Jason A. Donenfeld <ja...@zx2c4.com> wrote: > > The icmp{,v6}_send functions make all sorts of use of skb->cb, casting > it with IPCB or IP6CB, assuming the skb to have come directly from the > inet layer. But when the packet comes from the ndo layer, especially > when forwarded, there's no telling what might be in skb->cb at that > point. As a result, the icmp sending code risks reading bogus memory > contents, which can result in nasty stack overflows such as this one > reported by a user: > > panic+0x108/0x2ea > __stack_chk_fail+0x14/0x20 > __icmp_send+0x5bd/0x5c0 > icmp_ndo_send+0x148/0x160 > > In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read > from it. The optlen parameter there is of particular note, as it can > induce writes beyond bounds. There are quite a few ways that can happen > in __ip_options_echo. For example: > > // sptr/skb are attacker-controlled skb bytes > sptr = skb_network_header(skb); > // dptr/dopt points to stack memory allocated by __icmp_send > dptr = dopt->__data; > // sopt is the corrupt skb->cb in question > if (sopt->rr) { > optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data > soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data > // this now writes potentially attacker-controlled data, over > // flowing the stack: > memcpy(dptr, sptr+sopt->rr, optlen); > } > > In the icmpv6_send case, the story is similar, but not as dire, as only > IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is > worse than the iif case, but it is passed to ipv6_find_tlv, which does > a bit of bounds checking on the value. > > This is easy to simulate by doing a `memset(skb->cb, 0x41, > sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by > good fortune and the rarity of icmp sending from that context that we've > avoided reports like this until now. For example, in KASAN: > > BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0 > Write of size 38 at addr ffff888006f1f80e by task ping/89 > CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5 > Call Trace: > dump_stack+0x9a/0xcc > print_address_description.constprop.0+0x1a/0x160 > __kasan_report.cold+0x20/0x38 > kasan_report+0x32/0x40 > check_memory_region+0x145/0x1a0 > memcpy+0x39/0x60 > __ip_options_echo+0xa0e/0x12b0 > __icmp_send+0x744/0x1700 > > Actually, out of the 4 drivers that do this, only gtp zeroed the cb for > the v4 case, while the rest did not. So this commit actually removes the > gtp-specific zeroing, while putting the code where it belongs in the > shared infrastructure of icmp{,v6}_ndo_send. > > This commit fixes the issue by passing an empty IPCB or IP6CB along to > the functions that actually do the work. For the icmp_send, this was > already trivial, thanks to __icmp_send providing the plumbing function. > For icmpv6_send, this required a tiny bit of refactoring to make it > behave like the v4 case, after which it was straight forward. > > Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port > MTUs") > Reported-by: SinYu <liux...@gmail.com> > Cc: Willem de Bruijn <will...@google.com> > Cc: David L Stevens <david.stev...@oracle.com> > Cc: David S. Miller <da...@davemloft.net> > Link: > https://lore.kernel.org/netdev/CAF=yd-lof116ahub6rme8vb8zpnrrnotdqhobex+bvoa8as...@mail.gmail.com/T/ > Signed-off-by: Jason A. Donenfeld <ja...@zx2c4.com>
Reviewed-by: Willem de Bruijn <will...@google.com> Thanks adding more context, Jason.