[4.9,05/90] gre: fix uninit-value in __iptunnel_pull_header

From: Eric Dumazet <edumazet@google.com>

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 17c25cafd4d3e74c83dce56b158843b19c40b414 ]

syzbot found an interesting case of the kernel reading
an uninit-value [1]

Problem is in the handling of ETH_P_WCCP in gre_parse_header()

We look at the byte following GRE options to eventually decide
if the options are four bytes longer.

Use skb_header_pointer() to not pull bytes if we found
that no more bytes were needed.

All callers of gre_parse_header() are properly using pskb_may_pull()
anyway before proceeding to next header.

[1]
BUG: KMSAN: uninit-value in pskb_may_pull include/linux/skbuff.h:2303 [inline]
BUG: KMSAN: uninit-value in __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
CPU: 1 PID: 11784 Comm: syz-executor940 Not tainted 5.6.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 pskb_may_pull include/linux/skbuff.h:2303 [inline]
 __iptunnel_pull_header+0x30c/0xbd0 net/ipv4/ip_tunnel_core.c:94
 iptunnel_pull_header include/net/ip_tunnels.h:411 [inline]
 gre_rcv+0x15e/0x19c0 net/ipv6/ip6_gre.c:606
 ip6_protocol_deliver_rcu+0x181b/0x22c0 net/ipv6/ip6_input.c:432
 ip6_input_finish net/ipv6/ip6_input.c:473 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ip6_input net/ipv6/ip6_input.c:482 [inline]
 ip6_mc_input+0xdf2/0x1460 net/ipv6/ip6_input.c:576
 dst_input include/net/dst.h:442 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:307 [inline]
 ipv6_rcv+0x683/0x710 net/ipv6/ip6_input.c:306
 __netif_receive_skb_one_core net/core/dev.c:5198 [inline]
 __netif_receive_skb net/core/dev.c:5312 [inline]
 netif_receive_skb_internal net/core/dev.c:5402 [inline]
 netif_receive_skb+0x66b/0xf20 net/core/dev.c:5461
 tun_rx_batched include/linux/skbuff.h:4321 [inline]
 tun_get_user+0x6aef/0x6f60 drivers/net/tun.c:1997
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0xa5a/0xca0 fs/read_write.c:496
 vfs_write+0x44a/0x8f0 fs/read_write.c:558
 ksys_write+0x267/0x450 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
RIP: 0023:0xf7f62d99
Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
RSP: 002b:00000000fffedb2c EFLAGS: 00000217 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002580
RDX: 0000000000000fca RSI: 0000000000000036 RDI: 0000000000000004
RBP: 0000000000008914 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
 kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
 slab_alloc_node mm/slub.c:2793 [inline]
 __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
 __kmalloc_reserve net/core/skbuff.c:142 [inline]
 __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
 alloc_skb include/linux/skbuff.h:1051 [inline]
 alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
 sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
 tun_alloc_skb drivers/net/tun.c:1529 [inline]
 tun_get_user+0x10ae/0x6f60 drivers/net/tun.c:1843
 tun_chr_write_iter+0x1f2/0x360 drivers/net/tun.c:2026
 call_write_iter include/linux/fs.h:1901 [inline]
 new_sync_write fs/read_write.c:483 [inline]
 __vfs_write+0xa5a/0xca0 fs/read_write.c:496
 vfs_write+0x44a/0x8f0 fs/read_write.c:558
 ksys_write+0x267/0x450 fs/read_write.c:611
 __do_sys_write fs/read_write.c:623 [inline]
 __se_sys_write fs/read_write.c:620 [inline]
 __ia32_sys_write+0xdb/0x120 fs/read_write.c:620
 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
 do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139

Fixes: 95f5c64c3c13 ("gre: Move utility functions to common headers")
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/gre_demux.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

Message ID	20200319123930.212855115@linuxfoundation.org
State	New
Headers	show Return-Path: <SRS0=1QoN=5E=vger.kernel.org=stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Eric Dumazet <edumazet@google.com>, syzbot <syzkaller@googlegroups.com>, "David S. Miller" <davem@davemloft.net> Subject: [PATCH 4.9 05/90] gre: fix uninit-value in __iptunnel_pull_header Date: Thu, 19 Mar 2020 13:59:27 +0100 Message-Id: <20200319123930.212855115@linuxfoundation.org> In-Reply-To: <20200319123928.635114118@linuxfoundation.org> References: <20200319123928.635114118@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [4.9,02/90] phy: Revert toggling reset changes. [4.9,04/90] cgroup, netclassid: periodically release file_lock on classid updating [4.9,05/90] gre: fix uninit-value in __iptunnel_pull_header [4.9,08/90] net: nfc: fix bounds checking bugs on "pipe" [4.9,09/90] r8152: check disconnect status after long sleep [4.9,11/90] fib: add missing attribute validation for tun_id [4.9,12/90] nl802154: add missing attribute validation [4.9,15/90] net: fq: add missing attribute validation for orphan mask [4.9,16/90] team: add missing attribute validation for port ifindex [4.9,17/90] team: add missing attribute validation for array index [4.9,18/90] nfc: add missing attribute validation for SE API [4.9,19/90] nfc: add missing attribute validation for vendor subcommand [4.9,21/90] ipvlan: do not add hardware address of master to its unicast filter list [4.9,22/90] ipvlan: egress mcast packets are not exceptional [4.9,27/90] slip: make slhc_compress() more robust against malicious packets [4.9,30/90] net: phy: fix MDIO bus PM PHY resuming [4.9,31/90] virtio-blk: fix hw_queue stopped on arbitrary error [4.9,32/90] iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint [4.9,37/90] KVM: x86: clear stale x86_emulate_ctxt->intercept value [4.9,39/90] efi: Fix a race and a buffer overflow while reading efivars via sysfs [4.9,42/90] nl80211: add missing attribute validation for critical protocol indication [4.9,44/90] nl80211: add missing attribute validation for channel switch [4.9,45/90] netfilter: cthelper: add missing attribute validation for cthelper [4.9,48/90] iommu/vt-d: Ignore devices with out-of-spec domain number [4.9,51/90] batman-adv: Fix double free during fragment merge error [4.9,54/90] batman-adv: Fix rx packet/bytes stats on local ARP reply [4.9,56/90] batman-adv: Accept only filled wifi station info [4.9,58/90] batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation [4.9,60/90] batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible [4.9,62/90] batman-adv: Fix internal interface indices types [4.9,66/90] batman-adv: Fix debugfs path for renamed hardif [4.9,72/90] batman-adv: Avoid free/alloc race when handling OGM2 buffer [4.9,77/90] batman-adv: Use explicit tvlv padding for ELP packets [4.9,78/90] perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag [4.9,80/90] HID: apple: Add support for recent firmware on Magic Keyboards [4.9,82/90] cfg80211: check reg_rule for NULL in handle_channel_custom() [4.9,84/90] mac80211: rx: avoid RCU list traversal under mutex [4.9,86/90] jbd2: fix data races at struct journal_head [4.9,87/90] ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional() [4.9,88/90] ARM: 8958/1: rename missed uaccess .fixup section

[4.9,05/90] gre: fix uninit-value in __iptunnel_pull_header

Commit Message

Patch