Patch "net: fix possible out-of-bound read in skb_network_protocol()" has been added to the 4.14-stable tree - Linux-stable-mirror

10 Apr 2018

This is a note to let you know that I've just added the patch titled
net: fix possible out-of-bound read in skb_network_protocol()
to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git%3Ba=su...
The filename of the patch is:
     net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let stable@vger.kernel.org know about it.
...
From foo@baz Tue Apr 10 23:20:08 CEST 2018
From: Eric Dumazet edumazet@google.com
Date: Mon, 26 Mar 2018 08:08:07 -0700
Subject: net: fix possible out-of-bound read in skb_network_protocol()
From: Eric Dumazet edumazet@google.com
[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]
skb mac header is not necessarily set at the time skb_network_protocol()
is called. Use skb->data instead.
BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242
CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
 harmonize_features net/core/dev.c:2924 [inline]
 netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
 validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
 packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
 __sys_sendmsg+0xe5/0x210 net/socket.c:2081
Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
Signed-off-by: Eric Dumazet edumazet@google.com
Cc: Pravin B Shelar pshelar@ovn.org
Reported-by: Reported-by: syzbot syzkaller@googlegroups.com
Signed-off-by: David S. Miller davem@davemloft.net
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2696,7 +2696,7 @@ __be16 skb_network_protocol(struct sk_bu
    	if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr))))
    		return 0;
-		eth = (struct ethhdr *)skb_mac_header(skb);
+		eth = (struct ethhdr *)skb->data;
    	type = eth->h_proto;
    }
Patches currently in stable-queue which might be from edumazet@google.com are
queue-4.14/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
queue-4.14/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
queue-4.14/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
queue-4.14/net-fool-proof-dev_valid_name.patch
queue-4.14/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
queue-4.14/vti6-better-validate-user-provided-tunnel-names.patch
queue-4.14/ipv6-sit-better-validate-user-provided-tunnel-names.patch
queue-4.14/ip6_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.14/sctp-do-not-leak-kernel-memory-to-user-space.patch
queue-4.14/ip_tunnel-better-validate-user-provided-tunnel-names.patch
queue-4.14/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
queue-4.14/ip6_gre-better-validate-user-provided-tunnel-names.patch

    