diff options
Diffstat (limited to 'macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch')
-rw-r--r-- | macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch | 170 |
1 files changed, 0 insertions, 170 deletions
diff --git a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch b/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch deleted file mode 100644 index 00285b9..0000000 --- a/macvlan-do-not-assume-mac_header-is-set-in-macvlan_broadcast.patch +++ /dev/null @@ -1,170 +0,0 @@ -From foo@baz Sat 11 Jan 2020 09:44:46 AM CET -From: Eric Dumazet <edumazet@google.com> -Date: Mon, 6 Jan 2020 12:30:48 -0800 -Subject: macvlan: do not assume mac_header is set in macvlan_broadcast() - -From: Eric Dumazet <edumazet@google.com> - -[ Upstream commit 96cc4b69581db68efc9749ef32e9cf8e0160c509 ] - -Use of eth_hdr() in tx path is error prone. - -Many drivers call skb_reset_mac_header() before using it, -but others do not. - -Commit 6d1ccff62780 ("net: reset mac header in dev_start_xmit()") -attempted to fix this generically, but commit d346a3fae3ff -("packet: introduce PACKET_QDISC_BYPASS socket option") brought -back the macvlan bug. - -Lets add a new helper, so that tx paths no longer have -to call skb_reset_mac_header() only to get a pointer -to skb->data. - -Hopefully we will be able to revert 6d1ccff62780 -("net: reset mac header in dev_start_xmit()") and save few cycles -in transmit fast path. - -BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] -BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline] -BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 -Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579 - -CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0 -Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 -Call Trace: - __dump_stack lib/dump_stack.c:77 [inline] - dump_stack+0x197/0x210 lib/dump_stack.c:118 - print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 - __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 - kasan_report+0x12/0x20 mm/kasan/common.c:639 - __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145 - __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline] - mc_hash drivers/net/macvlan.c:251 [inline] - macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277 - macvlan_queue_xmit drivers/net/macvlan.c:520 [inline] - macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559 - __netdev_start_xmit include/linux/netdevice.h:4447 [inline] - netdev_start_xmit include/linux/netdevice.h:4461 [inline] - dev_direct_xmit+0x419/0x630 net/core/dev.c:4079 - packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240 - packet_snd net/packet/af_packet.c:2966 [inline] - packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991 - sock_sendmsg_nosec net/socket.c:639 [inline] - sock_sendmsg+0xd7/0x130 net/socket.c:659 - __sys_sendto+0x262/0x380 net/socket.c:1985 - __do_sys_sendto net/socket.c:1997 [inline] - __se_sys_sendto net/socket.c:1993 [inline] - __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe -RIP: 0033:0x442639 -Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 -RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c -RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639 -RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003 -RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 -R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000 - -Allocated by task 9389: - save_stack+0x23/0x90 mm/kasan/common.c:72 - set_track mm/kasan/common.c:80 [inline] - __kasan_kmalloc mm/kasan/common.c:513 [inline] - __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 - kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527 - __do_kmalloc mm/slab.c:3656 [inline] - __kmalloc+0x163/0x770 mm/slab.c:3665 - kmalloc include/linux/slab.h:561 [inline] - tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252 - tomoyo_get_realpath security/tomoyo/file.c:151 [inline] - tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 - tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 - security_inode_getattr+0xf2/0x150 security/security.c:1222 - vfs_getattr+0x25/0x70 fs/stat.c:115 - vfs_statx_fd+0x71/0xc0 fs/stat.c:145 - vfs_fstat include/linux/fs.h:3265 [inline] - __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 - __se_sys_newfstat fs/stat.c:375 [inline] - __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -Freed by task 9389: - save_stack+0x23/0x90 mm/kasan/common.c:72 - set_track mm/kasan/common.c:80 [inline] - kasan_set_free_info mm/kasan/common.c:335 [inline] - __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 - kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 - __cache_free mm/slab.c:3426 [inline] - kfree+0x10a/0x2c0 mm/slab.c:3757 - tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289 - tomoyo_get_realpath security/tomoyo/file.c:151 [inline] - tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822 - tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129 - security_inode_getattr+0xf2/0x150 security/security.c:1222 - vfs_getattr+0x25/0x70 fs/stat.c:115 - vfs_statx_fd+0x71/0xc0 fs/stat.c:145 - vfs_fstat include/linux/fs.h:3265 [inline] - __do_sys_newfstat+0x9b/0x120 fs/stat.c:378 - __se_sys_newfstat fs/stat.c:375 [inline] - __x64_sys_newfstat+0x54/0x80 fs/stat.c:375 - do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 - entry_SYSCALL_64_after_hwframe+0x49/0xbe - -The buggy address belongs to the object at ffff8880a4932000 - which belongs to the cache kmalloc-4k of size 4096 -The buggy address is located 1025 bytes inside of - 4096-byte region [ffff8880a4932000, ffff8880a4933000) -The buggy address belongs to the page: -page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0 -raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000 -raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ->ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ^ - ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb - -Fixes: b863ceb7ddce ("[NET]: Add macvlan driver") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: syzbot <syzkaller@googlegroups.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - drivers/net/macvlan.c | 2 +- - include/linux/if_ether.h | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - ---- a/drivers/net/macvlan.c -+++ b/drivers/net/macvlan.c -@@ -233,7 +233,7 @@ static void macvlan_broadcast(struct sk_ - struct net_device *src, - enum macvlan_mode mode) - { -- const struct ethhdr *eth = eth_hdr(skb); -+ const struct ethhdr *eth = skb_eth_hdr(skb); - const struct macvlan_dev *vlan; - struct sk_buff *nskb; - unsigned int i; ---- a/include/linux/if_ether.h -+++ b/include/linux/if_ether.h -@@ -28,6 +28,14 @@ static inline struct ethhdr *eth_hdr(con - return (struct ethhdr *)skb_mac_header(skb); - } - -+/* Prefer this version in TX path, instead of -+ * skb_reset_mac_header() + eth_hdr() -+ */ -+static inline struct ethhdr *skb_eth_hdr(const struct sk_buff *skb) -+{ -+ return (struct ethhdr *)skb->data; -+} -+ - int eth_header_parse(const struct sk_buff *skb, unsigned char *haddr); - - extern ssize_t sysfs_format_mac(char *buf, const unsigned char *addr, int len); |